On Tue, Jul 2, 2024 at 5:59 AM Vít Ondruch <vondr...@redhat.com> wrote:
> > Dne 01. 07. 24 v 22:58 Aoife Moloney napsal(a): > > Wiki - > https://fedoraproject.org/wiki/Changes/UnprivilegedSystemFlatpakManagement > > Discussion thread - > > > https://discussion.fedoraproject.org/t/f42-change-proposal-unprivileged-management-of-system-flatpaks-system-wide/124336 > > > > This is a proposed Change for Fedora Linux. > > This document represents a proposed Change. As part of the Changes > > process, proposals are publicly announced in order to receive > > community feedback. This proposal will only be implemented if approved > > by the Fedora Engineering Steering Committee. > > > > == Summary == > > This proposal adds a new dedicated `flatpak` group, allowing users to > > manage system Flatpaks without needing to be in the `wheel` group. > > > > == Owner == > > * Name: [[User:boredsquirrel| Henning]] > > * Email: boredsquir...@secure.mailbox.org > > > > > > == Detailed Description == > > Currently, to install, uninstall and modify apps or repositories, > > users need to be in the `wheel` group. Removing a user from the wheel > > group would interfere with the currently default (systemwide) > > configuration of Flatpaks. > > > > All users can add a `user` repository, and manage their own user > > Flatpaks. But a dedicated group to manage system flatpaks, without > > relying on `wheel` allows more fine grained privileges. > > > I am not Flatpak user, but I wonder why Flatpaks are system wide > installed by default? And if it would not be better to make them user > installed instead of this proposal. > > > Vít > > > > > This enables an "admin" permission that is not tied to full root > > access on the host system. > > > > It will be a change of the polkit rule `org.freedesktop.Flatpak.rules` > > like following: > > > > > > polkit.addRule(function(action, subject) { > > if ((action.id == "org.freedesktop.Flatpak.app-install" || > > action.id == "org.freedesktop.Flatpak.runtime-install"|| > > action.id == "org.freedesktop.Flatpak.app-uninstall" || > > action.id == "org.freedesktop.Flatpak.runtime-uninstall" || > > action.id == "org.freedesktop.Flatpak.modify-repo") && > > subject.active == true && subject.local == true && ( > > subject.isInGroup("wheel") || subject.isInGroup("flatpak"))) { > > return polkit.Result.YES; > > } > > > > return polkit.Result.NOT_HANDLED; > > }); > > > > polkit.addRule(function(action, subject) { > > if (action.id == > "org.freedesktop.Flatpak.override-parental-controls") { > > return polkit.Result.AUTH_ADMIN; > > } > > > > return polkit.Result.NOT_HANDLED; > > }); > > > > > > == Feedback == > > none yet > > > > == Benefit to Fedora == > > This is a step towards the Confined Users goal. It enables a dedicated > > action, the management of Flatpaks, without needing all the other > > privileges that `wheel` users have. > > > > == Scope == > > * Proposal owners: changing a single rule, testing with nonwheel users > > in the `flatpak` group > > > > * Other developers: none > > > > * Release engineering: [https://pagure.io/releng/issues #Releng issue > number] > > > > * Policies and guidelines: Documentation needs to get an additional > > chapter on Flatpak management with the `flatpak` group. > > > > * Trademark approval: N/A (not needed for this Change) > > > > * Alignment with the Fedora Strategy: Yes > > > > > > == Upgrade/compatibility impact == > > The polkit rule will be overwritten, there will be no changes in > > behavior. It just enables a new feature. > > > > == How To Test == > > On Atomic or traditional Fedora, place the above rule in > > `/etc/polkit-1/rules.d/org.freedesktop.Flatpak.rules`. > > > > This will be preferred over the default rule and you can test if it > works. > > > > == User Experience == > > By default, Anaconda puts users into the `wheel` group. There will be no > change. > > > > But it enables to manage Flatpaks without being in that privileged group. > > > > == Dependencies == > > None > > > > > > == Contingency Plan == > > > > * Contingency mechanism: this is a simple fix, not adding it will keep > > the previous wheel need > > * Contingency deadline: N/A > > * Blocks release? N/A > > > > > > == Documentation == > > Will be added afterwards. > > > > Nonwheel users can be added to the `flatpak` group: > > > > > > sudo groupadd flatpak > > sudo usermod -aG flatpak USERNAME > > > > > > > > == Release Notes == > > > > Permission to manage systemwide flatpaks is now granted to users in > > the 'flatpak' group. > > Currently wheel is required in order to install packages with dnf/rpm. Why should flatpak be different?
-- _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
