Flatpak - non sudo install still installing as system

Hi friends, I am a beginner so please be gentle.

I am just learning how to use flatpak on fedora and trying to wrap my head around the “user” vs “system” thing.

i have the following remotes:

Name    Options
fedora  system,oci
flathub system

if i run a command as flatpak --install <name>, without root, it installs to the (system) directory at /var/lib/flatpak

My question is, how is it able to do so? I am clearly not passing --user, nor do i have a repository even marked as user, and i am not running the command as sudo.

The permissions of /var/lib/flatpak is 755 and is owned by root only. Shouldnt a non sudo run of flatpak be unable to write anything there?

1 Like

Hi and welcome to :fedora: .

It is working as designed: Flatpaks are being installed system-wide, and for many commands there is no need to use sudo (e.g. flatpak install, flatpak remove), but this is only IF the user is in the wheel group, i.e. has admin privileges.

Would the user not be in the wheel group, a wheel user’s authentication is required.

Note that there are certain flatpak commands (.e.g flatpak override), probably considered to be able to affect the system in undesired ways, that require running with sudo.

3 Likes

Hi there!

This is about trust in repos. Have a look at /usr/share/polkit-1/rules.d there is a flatpak rule in there.

Polkit is a different way to authenticate that is used for GUI apps, the new systemd run0 (which can be used instead of sudo or pkexec) and also many CLI tools.

Polkit allows to register certain actions, like “add a repo”, “install an app from repo”, “install a local app”.

Adding a systemwide flatpak repo requires a password by a wheel user. From then on, it is supposed to be trusted.

  • you need the admin password to add or remove repos
  • you need to be in the wheel group to add or remove packages, but no password
  • any user can update the packages without a password

This is a really nice concept. I would like to remove the wheel dependency, as it allows easy privilege escalation. But my Change Request got rejected

Granular permissions are really nice. wheel is the opposite of that. But I dont want to ramble here

2 Likes

Thank you very much! @tqcharm @boredsquirrel

I have an accompanying question with this:

  1. The runtimes that i install as --system, can --user installed apps see them? And vice versa? Are they entirely isolated from each other? I noticed I had to install the same runtimes (nvidia driver, freedesktop stuff) again when I installed something with --user.
  2. If I run an install command marked with --user, but my repos are such that I dont have any repo for --user (check first post), it should fail, am i correct?

Once again, thank you

  1. They are separate
  2. Not sure, try?

Flathub is installed as system with additional tag where some permissions are removed so basically it is semi user level… You can remove it and install flathub using --user tag so all flathub installs are on user level

I know openSUSE does this on there atomic variants all are installed as user even flathub

You can see flatpak remotes command where it shows system and something can’t remember what behind it but I remember it was some monitored permissions changed

1 Like

System-wide installations (the default, i.e. no need to use the --system flag) are accessible by any user on the system, whereas per-user installations are only accessible to the specific user. Runtimes installed system-wide are usually valid for per-user installations, but apparently not always.

Is your setup actually requiring situations where certain Flatpaks to be installed only for a specific user and not accessible by other users? If not, I would recommend ignoring the --user flag, and installing everything system-wide.

1 Like