flatpak installation permissions

Seth Arnold seth.arnold at canonical.com
Thu Jun 24 01:30:18 UTC 2021


Hello technical board,

The flatpak tools in Ubuntu have different rules for installing packages
than we use in our software center or snap tools:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1812456/comments/14

My summary:
- polkit 'admin' users can configure new flatpak remotes, authenticated by
  password
- unix 'wheel' group users can install and remove packages from configured
  flatpak remotes, without password

This is in contrast to our apt and snap configuration, where only updates
can be installed without authentication, but new packages require using
sudo or a polkit 'admin' authentication to ensure a human is in the loop.

Several arguments for leaving it alone:
- the status quo
- existing documentation
- consistency in the flatpak ecosystem regardless of distribution
- maintaining a delta from Debian for this would carry long-term costs

Several arguments for making changes:
- consistency in the Ubuntu experience
- the wheel group has historical usage; growing the privileges available
  to the group in this fashion may not be welcome at all sites
- installing software is often a restricted operation at many sites

Possible changes:
- always require password authentication when installing or removing
  packages
- change the group that has magical unauthenticated powers
- change the ubuntu software center and / or snap to match flatpak
- document the behaviour in hardening guides and sysadmin guides

Of course there may be reasons for, reasons against, or possible changes
that I did not consider.

This issue is orthogonal to the MIR in bug 1812456; the security team
will be content with whatever choice is made by the technical board.

At least one flavour is intending to include flatpaks via a deb post-inst
script, perhaps in their default install, so the scope is extending a
bit beyond the status quo "people who have chosen to install flatpak":
https://lists.ubuntu.com/archives/ubuntu-release/2021-June/005235.html

I'm not on this list; Cc:s on followups would be appreciated.

Thanks