[Bug 1012961] New: Flatpak / polkit permissions need to be reviewed

http://bugzilla.opensuse.org/show_bug.cgi?id=1012961

Bug ID: 1012961
Summary: Flatpak / polkit permissions need to be reviewed
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: dimstar@opensuse.org
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

When a system is configured to make use of flatpak (system wide), then gnome-software treats them similar to normal packages in that it refreshes the metadata (repo) and offers the flats for update.

The permissions for PackageKit are set that 'repo refresh' and 'package updates' are allowed by user without extended permissions.

For flatpak, even the repo refresh requires root permission (which means, a system on boot up requires root if there are system flats installed, as gnome-software's update monitor will ask for a repo refresh)

I'd like to see the permissions to be loosened up similar to what we have in Packagekit

org.freedesktop.packagekit.system-update auth_admin_keep_always:auth_admin_keep_always:yes

hence

org.freedesktop.Flatpak.app-update auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-update auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.appstream-update auth_admin:auth_admin:auth_admin_keep

Should be replaced with

org.freedesktop.Flatpak.app-update auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.Flatpak.runtime-update auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.Flatpak.appstream-update auth_admin_keep_always:auth_admin_keep_always:yes

-- You are receiving this mail because: You are on the CC list for the bug.
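
A reviewer can check mechanically what the requested change relaxes. The following is an added example, not part of the bug report or of any openSUSE tool: it parses the entries quoted in the report and lists every session class whose setting becomes less restrictive, plus any that end up needing no authentication. It assumes the three colon-separated fields are the any, inactive and active session settings, and the strictness ranking in `ORDER` is an assumption of the example.

```python
# Added example, not part of the bug report or of polkit-default-privs itself.
SESSIONS = ("any", "inactive", "active")  # assumed field order
# Most to least restrictive; this ranking is an assumption of the example.
ORDER = ["no", "auth_admin", "auth_admin_keep", "auth_admin_keep_always",
         "auth_self", "auth_self_keep", "yes"]
RANK = {value: i for i, value in enumerate(ORDER)}

# Entries copied from the report: current settings and the requested ones.
CURRENT = """
org.freedesktop.Flatpak.app-update auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-update auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.appstream-update auth_admin:auth_admin:auth_admin_keep
"""
PROPOSED = """
org.freedesktop.Flatpak.app-update auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.Flatpak.runtime-update auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.Flatpak.appstream-update auth_admin_keep_always:auth_admin_keep_always:yes
"""

def parse_privs(text):
    """Return {action: {session: setting}} for 'action any:inactive:active' lines."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        values = parts[1].split(":") if len(parts) == 2 else []
        if len(values) != 3 or any(v not in RANK for v in values):
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
        entries[parts[0]] = dict(zip(SESSIONS, values))
    return entries

def loosened(current, proposed):
    """List (action, session, old, new) where the proposal is less restrictive."""
    findings = []
    for action, new in sorted(proposed.items()):
        old = current.get(action, {})
        for session in SESSIONS:
            before = old.get(session)  # None: action had no entry before
            if before is None or RANK[new[session]] > RANK[before]:
                findings.append((action, session, before, new[session]))
    return findings

def passwordless(entries):
    """List (action, session) pairs that need no authentication at all."""
    return [(a, s) for a, v in sorted(entries.items()) for s in SESSIONS if v[s] == "yes"]
```
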

http://bugzilla.opensuse.org/show_bug.cgi?id=1012961

Dominique Leuenberger <dimstar@opensuse.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |zaitor@opensuse.org