Unprivileged management of system Flatpaks
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
This proposal adds a new dedicated flatpak group, allowing users to manage system Flatpaks without needing to be in the wheel group.
Users will not get any new privileges by default, and can still manage user flatpaks.
Owner
- Name: Henning
- Email: boredsquirrel@secure.mailbox.org
Current status
- Targeted release: Fedora Linux 42
- Last updated: 2024-07-15
- Announced
- Discussion thread
- FESCo issue: #3247
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Currently, to install, uninstall and modify apps or repositories, users need to be in the wheel group. Removing a user from the wheel group would interfere with the currently default (systemwide) configuration of Flatpaks.
All users can add a user repository, and manage their own user Flatpaks. But a dedicated group to manage system flatpaks, without relying on wheel allows more fine grained privileges.
This enables an "admin" permission that is not tied to full root access on the host system.
It will be a change of the polkit rule org.freedesktop.Flatpak.rules like following:
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.Flatpak.app-install" ||
action.id == "org.freedesktop.Flatpak.runtime-install"||
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
action.id == "org.freedesktop.Flatpak.modify-repo") &&
subject.active == true && subject.local == true && (
subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) {
return polkit.Result.YES;
}
return polkit.Result.NOT_HANDLED;
});
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
return polkit.Result.AUTH_ADMIN;
}
return polkit.Result.NOT_HANDLED;
});
Feedback
- metadata refresh and updates may be allowed for all users in relation to the "Unprivileged Updates for Fedora Atomic" Change
- The upcoming Flatpak system extensions need to be installed on the system. Privilege to manage them may grant root access
- adding more groups may not be wanted by some
Benefit to Fedora
This is a step towards the Confined Users goal. It enables a dedicated action, the management of Flatpaks, without needing all the other privileges that wheel users have.
Scope
- Proposal owners: changing a single rule, testing with nonwheel users in the
flatpakgroup
- Other developers: none
- Release engineering: #Releng issue number
- Policies and guidelines: Documentation needs to get an additional chapter on Flatpak management with the
flatpakgroup.
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: Yes
Upgrade/compatibility impact
The polkit rule will be overwritten, there will be no changes in behavior. It just enables a new feature.
How To Test
On Atomic or traditional Fedora, place the above rule in /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules.
This will be preferred over the default rule and you can test if it works.
User Experience
By default, Anaconda puts users into the wheel group. There will be no change.
But it enables to manage Flatpaks without being in that privileged group.
Dependencies
None
Contingency Plan
- Contingency mechanism: this is a simple fix, not adding it will keep the previous wheel need
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
Will be added afterwards.
Nonwheel users can be added to the flatpak group:
sudo groupadd flatpak sudo usermod -aG flatpak USERNAME
Release Notes
Permission to manage systemwide flatpaks is now granted to users in the 'flatpak' group.