How did Podman Desktop install a binary in the system?

I am wondering how the "Install Podman Desktop on Linux | Flathub" app installed kubectl in Fedora Atomic.

❯ which kubectl
/usr/local/bin/kubectl

The app asked for the root password and installed the binary in /usr.

❯ ls -l /usr
drwxr-xr-x@ - root 31 Dec  1969 bin
drwxr-xr-x@ - root 31 Dec  1969 etc
drwxr-xr-x@ - root 31 Dec  1969 games
drwxr-xr-x@ - root 31 Dec  1969 include
drwxr-xr-x@ - root 31 Dec  1969 lib
drwxr-xr-x@ - root 31 Dec  1969 lib64
drwxr-xr-x@ - root 31 Dec  1969 libexec
lrwxrwxrwx@ - root 31 Dec  1969 local -> ../var/usrlocal
lrwxrwxrwx@ - root 31 Dec  1969 sbin -> bin
drwxr-xr-x@ - root 31 Dec  1969 share
drwxr-xr-x@ - root 31 Dec  1969 src
lrwxrwxrwx@ - root 31 Dec  1969 tmp -> ../var/tmp

/usr/local is a symlink to /var/usrlocal which is a writable location.

/usr/local is to be used when “installing software locally” according to the Filesystem Hierarchy Standard, so it should be writable by the system admin and it should survive upgrades.

There are other top-level writable directories that need to be handled similarly; this is covered in some of the supporting ostree documentation.


What permissions / portals does a Flatpak app need to achieve this?

I believe it achieves this with "--talk-name=org.freedesktop.Flatpak".

Though the app also has permission to access your whole home directory, including .bashrc, which would also allow it to run arbitrary commands.

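A way to check an installed Flatpak for the two permissions discussed above, as an added example that is not part of the original thread and not code from Podman Desktop or Flatpak. It parses the keyfile text printed by `flatpak info --show-permissions <app-id>`; the sample input and the finding labels are constructed for illustration.

```python
import configparser

# Constructed sample in the keyfile layout printed by
# `flatpak info --show-permissions <app-id>`; not taken from any real app.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-download;home;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""


def audit_permissions(metadata_text):
    """Return findings (labels are this example's own) for sandbox-weakening permissions."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # D-Bus names are case-sensitive, keep them as written
    cp.read_string(metadata_text)
    findings = []

    # talk/own on org.freedesktop.Flatpak lets the app ask the host-side
    # Flatpak service to run commands outside the sandbox.
    policy = cp.get("Session Bus Policy", "org.freedesktop.Flatpak", fallback="none")
    if policy in ("talk", "own"):
        findings.append("host-command-execution")

    # Writable home/host access covers shell startup files such as ~/.bashrc.
    filesystems = cp.get("Context", "filesystems", fallback="")
    for entry in filter(None, filesystems.split(";")):
        if entry.startswith("!"):
            continue  # a leading "!" revokes access rather than granting it
        path, _, mode = entry.partition(":")
        if path in ("home", "host") and mode != "ro":
            findings.append(f"writable-{path}")
    return findings


if __name__ == "__main__":
    print(audit_permissions(SAMPLE))
```

To audit a real app, pass the output of `flatpak info --show-permissions <app-id>` to `audit_permissions` instead of the sample.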