I am just learning how to use flatpak on Fedora and trying to wrap my head around the “user” vs “system” thing.
I have the following remotes:
Name Options
fedora system,oci
flathub system
If I run a command as flatpak --install <name>, without root, it installs to the (system) directory at /var/lib/flatpak
My question is, how is it able to do so? I am clearly not passing --user, nor do I have a repository even marked as user, and I am not running the command as sudo.
The permissions of /var/lib/flatpak are 755 and it is owned by root only. Shouldn't a non-sudo run of flatpak be unable to write anything there?
It is working as designed: Flatpaks are being installed system-wide, and for many commands there is no need to use sudo (e.g. flatpak install, flatpak remove), but this is only IF the user is in the wheel group, i.e. has admin privileges.
If the user is not in the wheel group, a wheel user’s authentication is required.
Note that there are certain flatpak commands (e.g. flatpak override), probably considered to be able to affect the system in undesired ways, that require running with sudo.
This is about trust in repos. Have a look at /usr/share/polkit-1/rules.d; there is a flatpak rule in there.
Polkit is a different way to authenticate that is used for GUI apps, the new systemd run0 (which can be used instead of sudo or pkexec) and also many CLI tools.
Polkit allows registering certain actions, like “add a repo”, “install an app from repo”, “install a local app”.
Adding a systemwide flatpak repo requires a password by a wheel user. From then on, it is supposed to be trusted.
you need the admin password to add or remove repos
you need to be in the wheel group to add or remove packages, but no password
any user can update the packages without a password
This is a really nice concept. I would like to remove the wheel dependency, as it allows easy privilege escalation. But my Change Request got rejected.
Granular permissions are really nice. wheel is the opposite of that. But I don't want to ramble here.
The runtimes that I install as --system, can --user installed apps see them? And vice versa? Are they entirely isolated from each other? I noticed I had to install the same runtimes (nvidia driver, freedesktop stuff) again when I installed something with --user.
If I run an install command marked with --user, but my repos are such that I don't have any repo for --user (check first post), it should fail, am I correct?
Flathub is installed as system with an additional tag where some permissions are removed, so basically it is semi user level… You can remove it and install flathub using the --user tag so all flathub installs are on user level.
I know openSUSE does this on their atomic variants; all are installed as user, even flathub.
You can see it with the flatpak remotes command, where it shows system and something behind it; I can’t remember what, but I remember it was some monitored permissions changed.
System-wide installations (the default, i.e. no need to use the --system flag) are accessible by any user on the system, whereas per-user installations are only accessible to the specific user. Runtimes installed system-wide are usually valid for per-user installations, but apparently not always.
Is your setup actually requiring situations where certain Flatpaks are to be installed only for a specific user and not accessible by other users? If not, I would recommend ignoring the --user flag, and installing everything system-wide.
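The three tiers listed earlier in the thread (a password to add or remove repos, wheel membership to install or remove packages, nothing to update) can be modelled as a polkit rule plus per-action defaults. This is an added example, not the rule file Fedora or Flatpak ships and not part of any post above. The action ids, the defaults table and the active/local session checks are assumptions to compare against the files under /usr/share/polkit-1/ on your own system.

```javascript
// Added example: a stand-alone model of how polkit decides Flatpak actions.
// Action ids, defaults and session checks are assumptions, not copied from a system.
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null };

// Assumed per-action defaults, used only when no rule returns a verdict.
const DEFAULTS = {
  "org.freedesktop.Flatpak.configure-remote": Result.AUTH_ADMIN, // add/remove a repo
  "org.freedesktop.Flatpak.app-install": Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-uninstall": Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-update": Result.YES, // updates need no password
};

// Actions that wheel members may perform without a password prompt.
const WHEEL_ACTIONS = new Set([
  "org.freedesktop.Flatpak.app-install",
  "org.freedesktop.Flatpak.app-uninstall",
]);

// Same shape as a function passed to polkit.addRule() in a rules.d file.
function flatpakRule(action, subject) {
  if (WHEEL_ACTIONS.has(action.id) && subject.active && subject.local &&
      subject.isInGroup("wheel")) {
    return Result.YES;
  }
  return Result.NOT_HANDLED; // let the action's default decide
}

// Rules are consulted first; NOT_HANDLED falls through to the default.
function decide(actionId, user) {
  if (!(actionId in DEFAULTS)) throw new Error("unknown action: " + actionId);
  const subject = {
    active: user.active,
    local: user.local,
    isInGroup: (group) => user.groups.includes(group),
  };
  const verdict = flatpakRule({ id: actionId }, subject);
  return verdict !== Result.NOT_HANDLED ? verdict : DEFAULTS[actionId];
}

// Constructed sample users.
const admin = { groups: ["wheel"], active: true, local: true };
const guest = { groups: [], active: true, local: true };
const adminRemote = { groups: ["wheel"], active: true, local: false };

console.log(decide("org.freedesktop.Flatpak.app-install", admin)); // "yes"
```

In this model the unprivileged process never writes to /var/lib/flatpak itself; the verdict only tells a privileged helper whether to proceed or to ask for an administrator's password first.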