This proposal adds a new dedicated flatpak group, allowing users to manage system Flatpaks without needing to be in the wheel group.
Users will not get any new privileges by default, and can still manage user flatpaks.
Owners, do not implement this work until the FESCo vote has explicitly ended. The Fedora Program Manager will create a tracking bug in Bugzilla for this Change, which is your indication to proceed. See the FESCo ticket policy and the Changes policy for more information.
REMINDER: This ticket is for FESCo members to vote on the proposal. Further discussion should happen in the devel list thread linked above.
I'm not sure this Change makes sense, especially since Flatpaks were designed to have a split between user and system applications, and we don't allow full management of system applications unprivileged as it is. This would be a huge change in our security model, and I am uncomfortable with the implications of this change. It does not appear that I'm the only one, as indicated by the community discussion on the change.
-1.
Metadata Update from @ngompa: - Issue tagged with: meeting
-1
Yeah, I didn't like the feel of this change before I read the discussion, and I definitely don't think it's a good idea after reading it. The goals of the change might be laudable, but the method proposed here isn't it. -1
Hey, I would have wished you had participated in the discussion before, as I think there is a misunderstanding.
The word "unprivileged" is not correct, but I found no better one. The meaning is "use a dedicated group".
System flatpaks are the default packages installed on many systems and the default repos setup there are also system flatpak repos. By default all users are in the wheel group and get no indication that this would be extremely insecure.
This change would allow using the "flatpak" group instead of the "wheel" group, opt-in, if the only concern were management of these flatpaks.
I explained in the discussion why I think user flatpaks are not a good replacement. But I think there was little constructive discussion on alternatives.
Systemd sysextensions delivered as flatpaks will need to be installed as system flatpaks. This means these need to be updated. Especially when using automatic updates, users either need to be wheel, or have an admin update them manually.
I think having the permission just to update the flatpaks would be easier. An idea would also be to have 2 separate groups, one for users who can install system flatpaks (which might allow privilege escalations) and one for users who just use them; assuming automatic updates (or manual ones) run, they can update them as they wish without issues, and the system works.
Thus this is related to https://fedoraproject.org/wiki/Changes/UnprivilegedUpdatesAtomicDesktops
I disagree that user flatpaks are a 1:1 replacement for various reasons I explained in the Discussion.
But I also expected to have a longer discussion time (with changes like the ones mentioned above), and I am fine to close this one if reverting from this stage is not possible anymore.
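The two-group split sketched in the comment above (update-only versus install) is what a polkit rule would have to express, since system-wide flatpak operations are authorized through polkit actions. The following is an added example written for this page, not part of the proposal or of Fedora's or flatpak's own configuration. It assumes two hypothetical groups, "flatpak" (update only) and "flatpak-admin" (install and uninstall as well), and uses the action IDs that flatpak ships in its org.freedesktop.Flatpak.policy file. The small `pk` stand-in only exists so the decision logic can be exercised offline; under polkitd the real `polkit` object is used.

```javascript
// Hypothetical polkit rules file, e.g. /etc/polkit-1/rules.d/50-flatpak-groups.rules
// Assumed groups: "flatpak" may only update already-installed system flatpaks,
// "flatpak-admin" may additionally install and uninstall them. Action IDs are
// the ones flatpak ships in org.freedesktop.Flatpak.policy.

// polkitd provides the `polkit` object; the stand-in lets this file also run
// under plain Node for offline testing of the decision logic.
var pk = (typeof polkit !== "undefined") ? polkit : {
  Result: { YES: "yes", NO: "no" },
  addRule: function () {}
};

var UPDATE_ACTIONS = [
  "org.freedesktop.Flatpak.app-update",
  "org.freedesktop.Flatpak.runtime-update",
  "org.freedesktop.Flatpak.metadata-update",
  "org.freedesktop.Flatpak.appstream-update"
];

var INSTALL_ACTIONS = [
  "org.freedesktop.Flatpak.app-install",
  "org.freedesktop.Flatpak.runtime-install",
  "org.freedesktop.Flatpak.app-uninstall",
  "org.freedesktop.Flatpak.runtime-uninstall"
];

function flatpakRule(action, subject) {
  // Update-only actions: either group qualifies.
  if (UPDATE_ACTIONS.indexOf(action.id) !== -1 &&
      (subject.isInGroup("flatpak") || subject.isInGroup("flatpak-admin"))) {
    return pk.Result.YES;
  }
  // Install/uninstall (new code enters system scope): admin group only.
  if (INSTALL_ACTIONS.indexOf(action.id) !== -1 &&
      subject.isInGroup("flatpak-admin")) {
    return pk.Result.YES;
  }
  // Anything else (configure-remote, modify-repo, install-bundle, ...) is
  // deliberately not handled: polkit falls through to the default policy,
  // which asks for administrator authentication.
  return undefined;
}

pk.addRule(flatpakRule);

// Offline check helper (unused by polkitd): evaluate the rule for an action id
// and a list of groups the caller belongs to. Returns "yes" or undefined.
function decide(actionId, groups) {
  return flatpakRule(
    { id: actionId },
    { isInGroup: function (g) { return groups.indexOf(g) !== -1; } }
  );
}
```

After dropping the file into /etc/polkit-1/rules.d/ and adding a user with `usermod -aG flatpak <user>`, a quick check from that user's shell is `pkcheck --action-id org.freedesktop.Flatpak.app-update --process $$`. Note that the rule intentionally leaves remote configuration and repo modification to the default policy: a member of the update-only group can pull whatever the already-configured remotes serve into system scope, but cannot point the system at a new remote, which is the boundary that keeps "update" meaningfully less privileged than "install".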
Terminology is important, because "unprivileged" implies that there should be no problem adding anyone to this group, but that's at odds with "might allow privilege escalations." I'm not keen on adding "root-adjacent" groups either.
This was discussed in the meeting, rejected (+0, 1, -6) and announced in the minutes
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/72M3MGF6YXXRPFT6ZEUQ5LSSQG6QQKD2/
Metadata Update from @salimma: - Issue close_status updated to: Rejected - Issue status updated to: Closed (was: Open)
Metadata Update from @salimma: - Issue untagged with: meeting