Flatpak - non sudo install still installing as system

Hi there!

This is about trust in repos. Have a look at /usr/share/polkit-1/rules.d; there is a flatpak rule in there.

Polkit is a different way to authenticate that is used for GUI apps, the new systemd run0 (which can be used instead of sudo or pkexec) and also many CLI tools.

Polkit allows registering certain actions, like “add a repo”, “install an app from repo”, “install a local app”.

Adding a systemwide flatpak repo requires a password by a wheel user. From then on, it is supposed to be trusted.

  • you need the admin password to add or remove repos
  • you need to be in the wheel group to add or remove packages, but no password
  • any user can update the packages without a password

This is a really nice concept. I would like to remove the wheel dependency, as it allows easy privilege escalation. But my Change Request got rejected.

Granular permissions are really nice. wheel is the opposite of that. But I don't want to ramble here.

2 Likes
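
The three tiers listed in the post can be traced through a small model of polkit's rule evaluation. This is an added example, not part of the original post and not the rule file shipped in /usr/share/polkit-1/rules.d; the `DEFAULTS` table, the `decide` and `makeSubject` helpers, and the sample subjects are assumptions constructed to match the post's description.

```javascript
// Simplified model of how polkitd evaluates rules (added illustration).
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null };
const rules = [];
const polkit = { Result, addRule: (fn) => rules.push(fn) };

// Assumed defaults for an active local session, chosen to match the post:
// repo changes need an admin password, updates need nothing.
const DEFAULTS = {
  "org.freedesktop.Flatpak.configure-remote": Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-install": Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-uninstall": Result.AUTH_ADMIN,
  "org.freedesktop.Flatpak.app-update": Result.YES,
};

// A rule in polkit's own JavaScript syntax, written here to mirror the
// "wheel members install/uninstall without a password" tier from the post.
polkit.addRule(function (action, subject) {
  if ((action.id == "org.freedesktop.Flatpak.app-install" ||
       action.id == "org.freedesktop.Flatpak.app-uninstall") &&
      subject.active && subject.local && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// The first rule that returns a result wins; otherwise the action's default
// applies. Assumption: sessions that are not active and local get AUTH_ADMIN.
function decide(actionId, subject) {
  for (const rule of rules) {
    const r = rule({ id: actionId }, subject);
    if (r) return r;
  }
  return subject.active && subject.local ? DEFAULTS[actionId] : Result.AUTH_ADMIN;
}

// Constructed subjects exposing the properties polkit rules can read.
function makeSubject(groups, { active = true, local = true } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}
const wheelUser = makeSubject(["wheel"]);
const plainUser = makeSubject(["users"]);
const wheelRemote = makeSubject(["wheel"], { local: false });

for (const [name, s] of Object.entries({ wheelUser, plainUser, wheelRemote })) {
  for (const id of Object.keys(DEFAULTS)) console.log(name, id, "->", decide(id, s));
}
```

The `wheelUser` rows show the concern raised in the post: group membership alone turns install and uninstall into password-free actions, while adding a repo still prompts for admin authentication.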