chmod u-s is the more technically correct way to do it, as you just want to remove the suid bit and not touch the read-write-execute permissions (which are 0755 by default but may or may not have been changed). And pkexec may or may not live in /usr/bin depending on your particular distro. //

You know what’s great about blinking an LED with a 555 instead of a raspi? 555s don’t need security updates. //

So to appropriately neuter pkexec and prevent it from ever being used in an attack chain I issued the following command (Debian based Linux ONLY):

$ sudo dpkg-statoverride –update –add root root 0711 /usr/bin/pkexec

WARN: This is essentially a permanent change until you reverse the procedure (see dpkg-statoverride(8)). No future install/upgrade of the PolicyKit package will change the permissions from those specified. One could also reformat and install another OS. If some program on your system actually needs to use pkexec to change users that program will be broken. But for the life of me I can’t figure out why my printer would need to masquerade as another user. Smells like malware to me.