flatpak installation permission requirements different from ubuntu software
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
flatpak (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
https:/
The flatpak tools in Ubuntu have different rules for installing packages
than we use in our software center or snap tools:
https:/
My summary:
- polkit 'admin' users can configure new flatpak remotes, authenticated by
password
- unix 'wheel' group users can install and remove packages from configured
flatpak remotes, without password
This is in contrast to our apt and snap configuration, where only updates
can be installed without authentication, but new packages require using
sudo or a polkit 'admin' authentication to ensure a human is in the loop.
Several arguments for leaving it alone:
- the status quo
- existing documentation
- consistency in the flatpak ecosystem regardless of distribution
- maintaining a delta from Debian for this would carry long-term costs
Several arguments for making changes:
- consistency in the Ubuntu experience
- the wheel group has historical usage; growing the privileges available
to the group in this fashion may not be welcome at all sites
- installing software is often a restricted operation at many sites
Possible changes:
- always require password authentication when installing or removing
packages
- change the group that has magical unauthenticated powers
- change the ubuntu software center and / or snap to match flatpak
- document the behaviour in hardening guides and sysadmin guides
Of course there may be reasons for, reasons against, or possible changes
that I did not consider.
At least one flavour is intending to include flatpaks via a deb post-inst
script, perhaps in their default install, so the scope is extending a
bit beyond the status quo "people who have chosen to install flatpak":
https:/
Thank you Seth for raising this.
For clarity on the current status of this, the decision-making part of what is appropriate to do in Ubuntu here has been delegated by the Technical Board to the Ubuntu Security Team: https:/ /irclogs. ubuntu. com/2021/ 09/14/% 23ubuntu- meeting. html#t19: 17