From Fedora Project Wiki
(Initial Version)
 
m (change is ready)
Line 23: Line 23:


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeReadyForWrangler]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->

Revision as of 15:31, 30 June 2024

Comments and Explanations
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
Guidance
For details on how to fill out this form, see the documentation.
Report issues
To report an issue with this template, file an issue in the pgm_docs repo.


Unprivileged management of system Flatpaks

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

This proposal adds a new dedicated flatpak group, allowing users to manage system Flatpaks without needing to be in the wheel group.

Owner

  • Name: Henning
  • Email: boredsquirrel@secure.mailbox.org


Current status

  • Targeted release: Fedora Linux 41
  • Last updated: 2024-06-30
  • [Announced]
  • [<will be assigned by the Wrangler> Discussion thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Currently, to install, uninstall and modify apps or repositories, users need to be in the wheel group. Removing a user from the wheel group would interfere with the currently default (systemwide) configuration of Flatpaks.

All users can add a user repository, and manage their own user Flatpaks. But a dedicated group to manage system flatpaks, without relying on wheel allows more fine grained privileges.

This enables an "admin" permission that is not tied to full root access on the host system.

It will be a change of the polkit rule org.freedesktop.Flatpak.rules like following:


 polkit.addRule(function(action, subject) {
     if ((action.id == "org.freedesktop.Flatpak.app-install" ||
         action.id == "org.freedesktop.Flatpak.runtime-install"||
         action.id == "org.freedesktop.Flatpak.app-uninstall" ||
         action.id == "org.freedesktop.Flatpak.runtime-uninstall" ||
         action.id == "org.freedesktop.Flatpak.modify-repo") &&
         subject.active == true && subject.local == true && (
         subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) {
             return polkit.Result.YES;
     }
 
     return polkit.Result.NOT_HANDLED;
 });
 
 polkit.addRule(function(action, subject) {
     if (action.id == "org.freedesktop.Flatpak.override-parental-controls") {
             return polkit.Result.AUTH_ADMIN;
     }
 
     return polkit.Result.NOT_HANDLED;
 });


Feedback

none yet

Benefit to Fedora

This is a step towards the Confined Users goal. It enables a dedicated action, the management of Flatpaks, without needing all the other privileges that wheel users have.

Scope

  • Proposal owners: changing a single rule, testing with nonwheel users in the flatpak group
  • Other developers: none
  • Policies and guidelines: Documentation needs to get an additional chapter on Flatpak management with the flatpak group.
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with the Fedora Strategy: Yes

Upgrade/compatibility impact

The polkit rule will be overwritten, there will be no changes in behavior. It just enables a new feature.


How To Test

On Atomic or traditional Fedora, place the above rule in /etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules.

This will be preferred over the default rule and you can test if it works.

User Experience

By default, Anaconda puts users into the wheel group. There will be no change.

But it enables to manage Flatpaks without being in that privileged group.

Dependencies

None

Contingency Plan

  • Contingency mechanism: this is a simple fix, not adding it will keep the previous wheel need
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

Will be added afterwards.

Nonwheel users can be added to the flatpak group:


 sudo groupadd flatpak
 sudo usermod -aG flatpak USERNAME


Release Notes

Permission to manage systemwide flatpaks is now granted to users in the 'flatpak' group.