From Fedora Project Wiki
m (change is ready)
(submitting change to fesco)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}


{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Unprivileged management of system Flatpaks =
= Unprivileged management of system Flatpaks =
Line 13: Line 7:
== Summary ==
== Summary ==
This proposal adds a new dedicated `flatpak` group, allowing users to manage system Flatpaks without needing to be in the `wheel` group.
This proposal adds a new dedicated `flatpak` group, allowing users to manage system Flatpaks without needing to be in the `wheel` group.
Users will not get any new privileges by default, and can still manage `user` flatpaks.


== Owner ==
== Owner ==
Line 23: Line 19:


== Current status ==
== Current status ==
[[Category:ChangeReadyForWrangler]]
[[Category:ChangeReadyForFesco]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 32: Line 28:
[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f41/ Fedora Linux 41]
* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f42/ Fedora Linux 42]
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page
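Review bot: the unchanged `[[Category:SystemWideChange]]` line at the top of this hunk disagrees with the Contingency Plan section, which answers both the deadline and the "Blocks release?" item with "N/A (not a System Wide Change)". The proposal is categorised as system-wide and the discussion thread is titled that way, so the Contingency Plan should give a real deadline and a Yes or No for blocking the release.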
Line 40: Line 36:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* [Announced]
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/BV6MSFER5RNLXLY5PZIGVXOQETAXQADY/ Announced]
* [<will be assigned by the Wrangler> Discussion thread]
* [https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-management-of-system-flatpaks-system-wide/124336 Discussion thread]
* FESCo issue: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3247 #3247]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
Line 80: Line 76:


== Feedback ==
== Feedback ==
none yet
* metadata refresh and updates may be allowed for all users in relation to the [https://discussion.fedoraproject.org/t/f41-change-proposal-unprivileged-updates-for-fedora-atomic-desktops-self-contained/118556/17 "Unprivileged Updates for Fedora Atomic" Change]
* The upcoming [https://blogs.gnome.org/chergert/2024/05/07/system-extensions-from-flatpak/ Flatpak system extensions] need to be installed on the system. Privilege to manage them may grant root access
* adding more groups may not be wanted by some


== Benefit to Fedora ==
== Benefit to Fedora ==
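Review bot: the second feedback item added in this hunk says the privilege to manage Flatpak system extensions "may grant root access", but the proposal does not answer it. The rule returns `polkit.Result.YES` for `runtime-install` and `modify-repo` to members of the `flatpak` group, while the Detailed Description promises a permission "not tied to full root access on the host system". The Detailed Description should say whether system extensions are covered by the listed actions and, if they are, how the rule keeps them behind administrator authentication.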

Latest revision as of 19:22, 15 July 2024


Unprivileged management of system Flatpaks

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

This proposal adds a new dedicated flatpak group, allowing users to manage system Flatpaks without needing to be in the wheel group.

Users will not get any new privileges by default, and can still manage user flatpaks.

Owner

  • Name: Henning
  • Email: boredsquirrel@secure.mailbox.org


Current status

Detailed Description

Currently, to install, uninstall and modify apps or repositories, users need to be in the wheel group. Removing a user from the wheel group would therefore interfere with the current default (system-wide) configuration of Flatpaks.

All users can add a user repository and manage their own user Flatpaks. But a dedicated group for managing system Flatpaks, without relying on wheel, allows more fine-grained privileges.

This enables an "admin" permission that is not tied to full root access on the host system.

The change modifies the polkit rule file org.freedesktop.Flatpak.rules as follows:


 // Let active, local users in the wheel or flatpak group manage system-wide
 // Flatpak apps, runtimes and repositories without an authentication prompt.
 polkit.addRule(function(action, subject) {
     if ((action.id == "org.freedesktop.Flatpak.app-install" ||
          action.id == "org.freedesktop.Flatpak.runtime-install" ||
          action.id == "org.freedesktop.Flatpak.app-uninstall" ||
          action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
          action.id == "org.freedesktop.Flatpak.modify-repo") &&
         subject.active == true && subject.local == true && (
         subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) {
         return polkit.Result.YES;
     }
 
     // Everything else falls through to later rules and the action defaults.
     return polkit.Result.NOT_HANDLED;
 });
 
 // Overriding parental controls always requires administrator authentication,
 // regardless of group membership.
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
         return polkit.Result.AUTH_ADMIN;
     }
 
     return polkit.Result.NOT_HANDLED;
 });


Feedback

Benefit to Fedora

This is a step towards the Confined Users goal. It enables a dedicated action, the management of Flatpaks, without needing all the other privileges that wheel users have.

Scope

  • Proposal owners: changing a single rule, testing with non-wheel users in the flatpak group
  • Other developers: none
  • Policies and guidelines: Documentation needs to get an additional chapter on Flatpak management with the flatpak group.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: Yes

Upgrade/compatibility impact

The polkit rule will be overwritten; there will be no changes in behavior. It just enables a new feature.


How To Test

On Atomic or traditional Fedora, place the above rule in /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules.

This file will be preferred over the default rule, so you can test whether it works.
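
The rule's decisions can also be checked offline before the file is installed. The following is an added example, not part of the proposal: it runs the two rules from this page against a mock `polkit` object. `makeSubject`, `decide` and the `"policy-default"` marker are hypothetical names, and the subjects are constructed.

```javascript
// Mock of the object polkitd exposes to rules (constructed; not polkit's own code).
const polkit = {
  Result: { YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Rules as proposed on this page.
polkit.addRule(function(action, subject) {
  if ((action.id == "org.freedesktop.Flatpak.app-install" ||
       action.id == "org.freedesktop.Flatpak.runtime-install" ||
       action.id == "org.freedesktop.Flatpak.app-uninstall" ||
       action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
       action.id == "org.freedesktop.Flatpak.modify-repo") &&
      subject.active == true && subject.local == true && (
      subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
    return polkit.Result.AUTH_ADMIN;
  }
  return polkit.Result.NOT_HANDLED;
});

// Hypothetical helper: a subject with the given groups and session state.
function makeSubject(groups, { active = true, local = true } = {}) {
  return { active, local, isInGroup: (g) => groups.includes(g) };
}

// The first rule returning something other than NOT_HANDLED decides; otherwise
// the defaults from the action's .policy file apply ("policy-default" here).
function decide(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== polkit.Result.NOT_HANDLED) return result;
  }
  return "policy-default";
}

const P = "org.freedesktop.Flatpak.";
console.log("flatpak, local:  ", decide(P + "app-install", makeSubject(["flatpak"])));
console.log("no group:        ", decide(P + "app-install", makeSubject([])));
console.log("flatpak, remote: ", decide(P + "modify-repo", makeSubject(["flatpak"], { local: false })));
console.log("parental control:", decide(P + "override-parental-controls", makeSubject(["flatpak"])));
```

Only an active, local session of a `wheel` or `flatpak` member gets `yes`; a remote or inactive session of the same user falls back to the policy defaults, and the parental-controls override stays at `auth_admin` for everyone.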

User Experience

By default, Anaconda puts users into the wheel group. There will be no change.

But it enables users to manage Flatpaks without being in that privileged group.

Dependencies

None

Contingency Plan

  • Contingency mechanism: this is a simple fix; not adding it will keep the previous wheel requirement
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

Will be added afterwards.

Non-wheel users can be added to the flatpak group:


 sudo groupadd flatpak
 sudo usermod -aG flatpak USERNAME


Release Notes

Permission to manage systemwide flatpaks is now granted to users in the 'flatpak' group.