
When installing a flatpak that will be installed globally anyone in the sudo group can install a flatpak without sudo.

Is there a way to either edit the polkit rules that are installed by flatpak to allow this or to just remove it altogether so that any time you try to install a global flatpak you will be prompted for a password using both the CLI and the Software Store (in my case KDE Discover)?

dlin
TrailRider
  • I renamed that file along with another one, but it made no difference. My test was on adding the Flathub repo - that actually worked after I renamed the .pkla. However, I cannot disable Flatpak's ability to install software if the user is in the sudo group. Alas, my answer is worthless. – ajgringo619 Aug 30 '19 at 02:31
  • Ahh, thanks for trying. I'm sure there is a way to edit one or both of those files to stop this behavior. I'm assuming that someone knows how to edit those files; the wiki page was written assuming that you already knew how those types of permissions worked and gave examples and some very general instructions. @ajgringo619 – TrailRider Aug 30 '19 at 02:35
  • Editing the files is one thing, but deleting/moving them should have stopped this behavior. One thing I did that kind of mitigated this issue was to delete the system repo and install the user one; that way, my user can only install Flatpaks in my home directory. – ajgringo619 Aug 30 '19 at 02:40
  • @ajgringo619 that would be a way to at least mitigate it. How did you do that? --user XXX when using add-if-missing... command? Weird that deleting the files did not revert the behavior. I would imagine that editing the files to change the rules to require the password is possible, I'm still holding out hope that someone who knows will answer. (As an aside, it seems like a stupid security hole; yeah, apps are supposed to be sandboxed, but only if the dev doesn't change the permissions. You cannot access root w/o a pass for a reason on Linux...) – TrailRider Aug 30 '19 at 02:51
  • `flatpak remote-add --if-not-exists --user flathub https://flathub.org/repo/flathub.flatpakrepo` – ajgringo619 Aug 30 '19 at 02:53
  • Added your tag! – DK Bose Oct 06 '19 at 17:21

1 Answer

By default, flatpak polkit rules do not require a password. You can however set up rules to require one.

Ubuntu/Debian derivatives (policykit < 0.106)

Create a new file named `flatpak-sudo-always-password.pkla` in `/etc/polkit-1/localauthority/50-local.d/`

```ini
[Install Flatpak apps and runtimes]
Identity=unix-group:sudo
Action=org.freedesktop.Flatpak.app-install;org.freedesktop.Flatpak.runtime-install;org.freedesktop.Flatpak.app-uninstall;org.freedesktop.Flatpak.runtime-uninstall;
ResultActive=auth_admin
```

Any distro with policykit >= 0.106

Create a new file named `01-flatpak-sudo-always-password.rules` in `/etc/polkit-1/rules.d/`

```javascript
polkit.addRule(function(action, subject) {
    if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install" ||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall") &&
         subject.active == true && subject.local == true &&
         subject.isInGroup("sudo")) {
            return polkit.Result.AUTH_ADMIN;
    }

    return polkit.Result.NOT_HANDLED;
});
```

These are direct reversions of the policykit rules which flatpak installs.

The org.freedesktop.Flatpak.modify-repo permission was removed (enabled for all users by default), org.freedesktop.Flatpak.override-parental-controls was removed (not applicable), and the returned policykit authorization type changed from yes back to auth_admin. (polkit manual on auth types)

The .rules file was made by flatpak, and the .pkla file by Debian, based on flatpak's .rules file. Debian is not upgrading policykit beyond 0.105 for now, so they backported the .rules to the old system.

Original .rules file - - - Original .pkla file

You may want to consider using auth_admin_keep instead, if you don't want to be asked for your password for each flatpak and each runtime in one command.

JJRcop
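Why the override's file name starts with `01-`, shown as an added example that is not part of the original answer and is not flatpak's or polkit's own code. It is a small model of polkit's documented rule ordering; the shipped rule is reconstructed from the answer's description, and its file name, `flatpakRule`, `override` and `evaluate` are assumptions made for the illustration.

```javascript
// Model of polkit rule evaluation (illustration only, not polkit itself).
const Result = { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null };
const FLATPAK = "org.freedesktop.Flatpak.";

// Builds a callback with the same (action, subject) shape as polkit.addRule().
function flatpakRule(ids, result) {
  return (action, subject) =>
    ids.includes(action.id) && subject.active && subject.local &&
    subject.isInGroup("sudo") ? result : Result.NOT_HANDLED;
}

const installIds = ["app-install", "runtime-install", "app-uninstall",
                    "runtime-uninstall"].map((s) => FLATPAK + s);

// Shipped rule as the answer describes it: the same actions plus modify-repo,
// returning YES. The file name is an assumption for this example.
const shipped = {
  file: "org.freedesktop.Flatpak.rules",
  rule: flatpakRule([...installIds, FLATPAK + "modify-repo"], Result.YES),
};

// The local override from the answer, parameterised by file name.
const override = (file) => ({ file, rule: flatpakRule(installIds, Result.AUTH_ADMIN) });

// polkit sorts rule files lexically by basename and stops at the first rule
// that returns a result; NOT_HANDLED passes the decision to the next rule.
function evaluate(ruleFiles, actionId, groups) {
  const subject = { active: true, local: true, isInGroup: (g) => groups.includes(g) };
  const ordered = [...ruleFiles].sort((a, b) =>
    a.file < b.file ? -1 : a.file > b.file ? 1 : 0);
  for (const { rule } of ordered) {
    const r = rule({ id: actionId }, subject);
    if (r !== Result.NOT_HANDLED) return r;
  }
  return "implicit"; // no rule decided: the action's .policy defaults apply
}

const early = [shipped, override("01-flatpak-sudo-always-password.rules")];
const late = [shipped, override("zz-flatpak-sudo-always-password.rules")]; // constructed name

console.log(evaluate(early, FLATPAK + "app-install", ["sudo"]));  // override decides first
console.log(evaluate(late, FLATPAK + "app-install", ["sudo"]));   // shipped rule decides first
console.log(evaluate(early, FLATPAK + "modify-repo", ["sudo"]));  // not covered by the override
console.log(evaluate(early, FLATPAK + "app-install", ["users"])); // neither rule matches
```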