Bug ID | 1012961 |
---|---|
Summary | Flatpak / polkit permissions need to be reviewed |
Classification | openSUSE |
Product | openSUSE Tumbleweed |
Version | Current |
Hardware | Other |
OS | Other |
Status | NEW |
Severity | Normal |
Priority | P5 - None |
Component | Security |
Assignee | security-team@suse.de |
Reporter | dimstar@opensuse.org |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
When a system is configured to make use of flatpak (system wide), then gnome-software treats them similar to normal packages in that it refreshes the metadata (repo) and offers the flats for update. The permissions for PackageKit are set that 'repo refresh' and 'package updates' are allowed by user without extended permissions. For flatpak, even the repo refresh requires root permission (which means, a system on boot up requires root if there are system flats installed, as gnome-software's update monitor will ask for a repo refresh) I'd like to see the permissions to be loosened up similar to what we have in Packagekit >org.freedesktop.packagekit.system-update auth_admin_keep_always:auth_admin_keep_always:yes hence >org.freedesktop.Flatpak.app-update auth_admin:auth_admin:auth_admin_keep >org.freedesktop.Flatpak.runtime-update auth_admin:auth_admin:auth_admin_keep >org.freedesktop.Flatpak.appstream-update auth_admin:auth_admin:auth_admin_keep Should be replaced with >org.freedesktop.Flatpak.app-update auth_admin_keep_always:auth_admin_keep_always:yes >org.freedesktop.Flatpak.runtime-update auth_admin_keep_always:auth_admin_keep_always:yes >org.freedesktop.Flatpak.appstream-update auth_admin_keep_always:auth_admin_keep_always:yes