There are many deployments, especially for autoupdating (atomic) systems, where an admin may want to set things up once, and then barely have to touch it again.
Imagine
school “Chromebooks”
child/parent laptops ;D
company workstations
…
Having this working is not a huge issue but requires some small adaptions. dnfand rpm-ostree need to work without sudo rights. There need to be dedicated groups for privileged actions, to avoid needing to be in the wheel group.
There are many security benefits when not using “the default”, a user whose password can also be used to access, and break, the entire system.
Using dedicated groups with associated polkit actions, for flatpak,adb, libvirt, … will be a part of this.
Who is interested in joining this goal, test things out, create implementations to make Fedora usable day to day, without needing to be in the wheel group?
Hmmm. Can you elaborate more on the use case here?
If the goal is to make accidental breakage more difficult, this might help. But it also adds a lot of complication — and, I’m not sure it really offers much of a security benefit (at least not with some other major changes). If you have the ability to install arbitrary packages via DNF, you can run arbitrary code as root.
Use case: having unprivileged users use a built system.
Maintenance is automated in the background. The users cannot install but upgrade packages.
And the complications come from using dedicated groups for certain privileged actions, instead of “the wheel workaround”.
Like these said groups, if wanted.
Flatpak
This could have multiple ways.
Either allow users to modify their apps, by using --user repos. This does not need any privileges.
Or keep the standard with systemwide flatpaks and having users in the flatpak group. I think this is the default.
Or install some system flatpak apps and dont put users in the flatpak group, meaning they cannot install random stuff. In this scenario it needs to be sure that automatic flatpak updates still work, but nothing else.
I’m not trying to be snarky… I think this really needs a more solid definition of “users” and “use”. Is the user a random person at a kiosk? A family member? A student using a school-provided laptop? At work, a software developer? A designer? An office worker? What applications do they use and need?
Maybe use the “user story” format? (“As an embedded hardware developer, I need to access serial ports, so that I can deploy code to and debug microcontrollers connecting via USB.”, etc.)
This should currently be the case with GNOME Software.
Libvirt is already configurable with polkit, although to be completely honest I don’t remember how to do it nicely with the “new” javascript-based policy definitions.
Note that having access to the system libvirtd is equivalent to being root on the system. If you want to let unprivileged users runs VMs, you need to run a user instance of libvirtd.
You can already manage your Flatpaks without privileges if you install them under the user location instead of the system one.
Partitioning is inherently a privileged operation as you can compromise the system or destroy it with it.
I never heard of that… does it have similar restrictions like GNOME Boxes Flatpak, where USB device access or TPM doesnt work?
I also dont understand why accessing libvirtd grants root on the host system.
Very interesting, I will look out for that! The default it systemwide libvirt, so I never knew this was even possible. Even the Distrobox hack requires a rootful podman container to run libvirt.
I think Fedora defaults to adding users to the Flatpak group?
There is no security benefit, on multi-user systems duplicating Flatpak wastes space. Data is separated. It could be interesting to put uninstall behind an admin password though.
Also user Flatpaks cant do certain privileged things, like GPU screen recorder. But that is an edge case and I dont fully understand the mechanism.
On restricted systems it makes little sense to allow users to change their apps. User flatpaks would allow anything. So modifying a polkit rule, adding a new user group “fusers” and only allowing updates could be useful here.
There are “options” to escalate from system libvirtd access to full root on a system.
No. Fedora defaults to system installed Flatpaks.
Any (in)security claim must come with a threat model otherwise they are security theater.
The installation location does not determine what a Flatpak application can do. Neither system installed Flatpaks nor user installed ones can do privileged operations.
This is not the default use case for Fedora. This requires configuration.
The default user created by Anaconda is not added to the flatpak group. I don’t think the flatpak group does what you said it does. Only wheel users can manage system Flatpaks via polkit. Have you verified this?
$ flatpak --user install org.kde.kcalc
$ flatpak --user run --talk-name=org.freedesktop.Flatpak --command=bash org.kde.kcalc
# flatpak-spawn --watch-bus --host pkexec --user root id
Flatpak applications can only get as much privileges as the user they are running under if they have sandbox escape access. Any application running on the host (i.e. not in a Flatpak) can request more privileges via polkit, which may ask for a password depending on the policy. By default, for wheel users it will be the user’s password and for non wheel users, an admin’s password. See:
With this rule it would work, I think that would be a good addition?
I think this is pretty problematic for restricted systems? Imagine a school laptop where you dont want the students to install Steam as user Flatpak for example, and run any game from there.
If you have the binaries available to run (system) Flatpaks, then there is nothing preventing you from pulling the content from Flathub and running it manually. If an user can run arbitrary code, then they can run anything they want.
Allow the specific capability to manage systemwide flatpaks without needing to be in the wheel group.
Thanks, I think this is off topic for this thread, but experimenting with nonexecutable home (with for example /var/usrlocal/bin being an alternative custom script location) is interesting for me.