Allow Flatpak metadata-refresh without password for non-admins?

I’ve been struggling with this issue for a while: 2203555 – silverblue non-admin user repeatedly asked for admin password to update

My setup is that I have a family laptop with multiple user accounts. I’m an admin user, but my family members have their own user accounts and are not admins. As mentioned in the bug report, when other users are logged in, gnome-software periodically checks for updates. When that happens, the user gets a prompt for my password, which they do not know. They always click “cancel” when this happens. If the laptop is left inactive for a long time with a user logged in, many prompts build up and the user may have to click cancel tens of times before they can use the computer.

I just learned about F41 Change Proposal: Unprivileged updates for Fedora Atomic Desktops, which is mentioned in that bug report as a way to fix the issue. This looks great to me, and I tried out the polkit rule to see if it fixed my issue.

With that rule in place, I still got a password prompt. Looking through journalctl, I found this (presumably the FAILED happened when the user clicked cancel):

Jun 07 13:34:26 panther polkitd[963]: Operator of unix-session:2 FAILED to authenticate to gain authorization for action org.freedesktop.Flatpak.metadata-update for system-bus-name::1.112 [/usr/bin/gnome-software --gapplication-service] >

I tested rpm-ostree update at the command line, and it worked fine, so it seems like the rpm-ostree problem is solved, but automatic Flatpak updates still require a password. I checked the other polkit rules and found /usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install"||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }

    return polkit.Result.NOT_HANDLED;
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
            return polkit.Result.AUTH_ADMIN;
    }

    return polkit.Result.NOT_HANDLED;
});

It looks like several Flatpak operations are allowed, including installing new apps, but only for admin users? But org.freedesktop.Flatpak.metadata-update is not one of the allowed operations.

Is that an oversight? Should that be added? Would that require a proposal like the one for rpm-ostree?

1 Like
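A sketch of a local rule scoped to the one action named in the journal line, evaluated next to the first stock rule quoted above. This is an added example, not code from the post, from Flatpak, or from the Fedora change proposal. The stand-in `polkit` object, `makeSubject` and `check` are hypothetical helpers so the rules can be exercised outside polkitd, and `"policy-default"` stands for whatever the action's .policy file specifies.

```javascript
// Stand-in for the `polkit` object that polkitd provides to rules.d files
// (an assumption so this runs offline; not polkit's own code).
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Hypothetical local rule (would live in a file under /etc/polkit-1/rules.d/).
// It grants only the metadata refresh, only to active local sessions,
// and leaves out the wheel test so that non-admin users are covered.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.Flatpak.metadata-update" &&
        subject.active == true && subject.local == true) {
            return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});

// First rule from the stock file quoted in the post, unchanged.
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install"||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo") &&
        subject.active == true && subject.local == true &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
    }
    return polkit.Result.NOT_HANDLED;
});

// Constructed subject: group list plus the session flags the rules read.
function makeSubject(groups, active = true, local = true) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The first rule that returns a real result wins; if every rule declines,
// the decision falls back to the action's .policy default.
function check(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result != null) return result;
  }
  return "policy-default";
}
```

With this rule a non-admin on an active local session gets `yes` for `metadata-update` only; installs and repo changes still need wheel membership or fall through to the policy default.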

Thanks for testing that. This is a good point and we might need to add a permission for this as well. Can you link to this post in the related change discussion? We’ll likely need another change request for it.

3 Likes

I see that you already did that. Thanks!

1 Like