Unprivileged management of system Flatpaks
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
This proposal adds a new dedicated flatpak
group, allowing users to manage system Flatpaks without needing to be in the wheel
group.
Owner
- Name: Henning
- Email: boredsquirrel@secure.mailbox.org
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-07-01
- [Announced]
- [ Discussion thread]
- FESCo issue:
- Tracker bug:
- Release notes tracker:
Detailed Description
Currently, to install, uninstall and modify apps or repositories, users need to be in the wheel
group. Removing a user from the wheel group would interfere with the currently default (systemwide) configuration of Flatpaks.
All users can add a user
repository, and manage their own user Flatpaks. But a dedicated group to manage system flatpaks, without relying on wheel
allows more fine grained privileges.
This enables an âadminâ permission that is not tied to full root access on the host system.
It will be a change of the polkit rule org.freedesktop.Flatpak.rules
like following:
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.Flatpak.app-install" ||
action.id == "org.freedesktop.Flatpak.runtime-install"||
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
action.id == "org.freedesktop.Flatpak.modify-repo") &&
subject.active == true && subject.local == true && (
subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) {
return polkit.Result.YES;
}
return polkit.Result.NOT_HANDLED;
});
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
return polkit.Result.AUTH_ADMIN;
}
return polkit.Result.NOT_HANDLED;
});
Feedback
See below
Benefit to Fedora
This is a step towards the Confined Users goal. It enables a dedicated action, the management of Flatpaks, without needing all the other privileges that wheel
users have.
Scope
-
Proposal owners: changing a single rule, testing with nonwheel users in the
flatpak
group -
Other developers: none
-
Release engineering: #Releng issue number
-
Policies and guidelines: Documentation needs to get an additional chapter on Flatpak management with the
flatpak
group. -
Trademark approval: N/A (not needed for this Change)
-
Alignment with the Fedora Strategy: Yes
Upgrade/compatibility impact
The polkit rule will be overwritten, there will be no changes in behavior. It just enables a new feature.
How To Test
On Atomic or traditional Fedora, place the above rule in /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules
.
This will be preferred over the default rule and you can test if it works.
User Experience
By default, Anaconda puts users into the wheel
group. There will be no change.
But it enables to manage Flatpaks without being in that privileged group.
Dependencies
None
Contingency Plan
- Contingency mechanism: this is a simple fix, not adding it will keep the previous wheel need
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
Will be added afterwards.
Nonwheel users can be added to the flatpak
group:
sudo groupadd flatpak sudo usermod -aG flatpak USERNAME
Release Notes
Permission to manage systemwide flatpaks is now granted to users in the âflatpakâ group.
Last edited by @boredsquirrel 2024-07-02T21:20:40Z