
Re: flatpak and root access



	Hi.

On Mon, Apr 06, 2020 at 12:00:18PM -0500, Anil F Duggirala wrote:
> hello,
> I know there have been some security concerns with flatpak, which are
> too high level for me to understand,

It's simple, and security is just a part of a bigger problem here.
The very purpose of flatpak is to enable the user to run untrusted
software (i.e. not obtained by usual OS means).
So, for instance, if the author of the software wants their software to
perform "telemetry" - they just do it and their users will "enjoy" it.
A good software maintainer will just patch the offensive functions out
because such privacy violation is a legitimate cause for a bug report in
Debian (and yes, those *did* happen).
Likewise, flatpak by itself cannot do anything against a cryptominer
"helpfully" "bundled" with software.


> but I want to ask, is it normal
> for flatpak to ask for the root password when installing a new package?

For so-called "system install" - yes, it's normal.
The reason for this being that "system" installed flatpaks expose their
binaries in /var/lib/flatpak/exports/bin, which is not user-writable.
For so-called "user install" - i.e. inside your $HOME, no it's not.


> Are these packages not supposed to be sandboxed?

It's rather that you have a different definition of "sandboxing" than the
flatpak authors. For them it's important to restrict access to the $HOME
files for anything that's running via flatpak (along with other things).
Whatever collateral damage they do to the filesystem is usually limited to
/var/lib/flatpak.

Reco
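
Added example, not part of the message above or of flatpak itself: a small audit of one application's declared permissions, showing whether the $HOME restriction discussed in the reply actually applies to it and whether the app can reach the network. It assumes flatpak's keyfile "metadata" format with a [Context] section; the sample metadata, the app id and the function names are constructed for illustration.

```python
import configparser

# Constructed sample in flatpak's keyfile "metadata" format; the app id and
# runtime are hypothetical.
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.example.Platform/x86_64/1.0

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home;xdg-download:ro;!xdg-documents;
"""

# filesystems= names that cover the user's whole home directory.
HOME_GRANTS = {"host", "home"}


def context_list(text, key):
    """Return the ';'-separated values of one [Context] key as a list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Context"):
        return []
    return [v for v in cp["Context"].get(key, "").split(";") if v]


def audit(text):
    """Summarise what the declared permissions leave open."""
    result = {"home_exposed": False, "home_writable": False, "network": False}
    for entry in context_list(text, "filesystems"):
        if entry.startswith("!"):  # "!name" revokes a grant
            continue
        name, _, mode = entry.partition(":")
        if name in HOME_GRANTS:
            result["home_exposed"] = True
            if mode != "ro":  # no suffix, ":rw" and ":create" are writable
                result["home_writable"] = True
    # Network sharing means telemetry or a bundled miner can talk out.
    result["network"] = "network" in context_list(text, "shared")
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_METADATA))
```

The metadata of an installed application can be printed with `flatpak info --show-metadata <app-id>` and passed to `audit()` as a string.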

