*** This bug is a security vulnerability ***

Public security bug reported:

https://lists.ubuntu.com/archives/technical-board/2021-June/002560.html

The flatpak tools in Ubuntu have different rules for installing packages than we use in our software center or snap tools:

https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1812456/comments/14

My summary:

- polkit 'admin' users can configure new flatpak remotes, authenticated by password
- unix 'wheel' group users can install and remove packages from configured flatpak remotes, without password

This is in contrast to our apt and snap configuration, where only updates can be installed without authentication, but new packages require using sudo or a polkit 'admin' authentication to ensure a human is in the loop.

Several arguments for leaving it alone:

- the status quo
- existing documentation
- consistency in the flatpak ecosystem regardless of distribution
- maintaining a delta from Debian for this would carry long-term costs

Several arguments for making changes:

- consistency in the Ubuntu experience
- the wheel group has historical usage; growing the privileges available to the group in this fashion may not be welcome at all sites
- installing software is often a restricted operation at many sites

Possible changes:

- always require password authentication when installing or removing packages
- change the group that has magical unauthenticated powers
- change the ubuntu software center and / or snap to match flatpak
- document the behaviour in hardening guides and sysadmin guides

Of course there may be reasons for, reasons against, or possible changes that I did not consider.

At least one flavour is intending to include flatpaks via a deb post-inst script, perhaps in their default install, so the scope is extending a bit beyond the status quo "people who have chosen to install flatpak":

https://lists.ubuntu.com/archives/ubuntu-release/2021-June/005235.html

** Affects: flatpak (Ubuntu)
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1943480

Title:
  flatpak installation permission requirements different from ubuntu software

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1943480/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
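The first two "possible changes" above (require authentication for install/remove; move the passwordless privilege to a different group) can be expressed as a local polkit rule, which is what a hardening guide would ship. The following is an added example written for this page, not code from the bug report, from flatpak or from Ubuntu. The action IDs are the install/uninstall actions from flatpak's polkit policy; the file name `/etc/polkit-1/rules.d/10-flatpak-require-auth.rules`, the group name `flatpak-installers` and the second "distribution" rule are assumptions and constructed stand-ins. Only the first `polkit.addRule(...)` call belongs in a real rules file; the small `polkit` shim and `evaluate()` exist so the rule can be exercised offline with Node.

```javascript
// Added example: a local polkit rule that requires admin authentication
// for flatpak install/uninstall actions, with an optional site-chosen
// group that keeps passwordless installs. ES5 syntax is used on purpose:
// polkit's embedded engine may be duktape, which lacks newer features.

// --- shim standing in for the polkit rules host (test harness only)
var polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

// Hypothetical site group whose members may still install without a
// password; set to null to require admin authentication for everyone.
var SITE_INSTALL_GROUP = "flatpak-installers";

// --- the rule itself (what /etc/polkit-1/rules.d/10-flatpak-require-auth.rules
// would contain): guard the install/uninstall actions from flatpak's policy
polkit.addRule(function (action, subject) {
  var guarded = [
    "org.freedesktop.Flatpak.app-install",
    "org.freedesktop.Flatpak.runtime-install",
    "org.freedesktop.Flatpak.app-uninstall",
    "org.freedesktop.Flatpak.runtime-uninstall",
    "org.freedesktop.Flatpak.install-bundle"
  ];
  if (guarded.indexOf(action.id) === -1) {
    // updates, remote configuration etc. are left to later rules and to
    // the policy file's own defaults
    return polkit.Result.NOT_HANDLED;
  }
  if (SITE_INSTALL_GROUP !== null && subject.isInGroup(SITE_INSTALL_GROUP)) {
    return polkit.Result.YES;
  }
  // membership in wheel (or any other group) no longer suffices:
  // an admin password puts a human in the loop
  return polkit.Result.AUTH_ADMIN;
});

// --- constructed stand-in for a later-sorted distribution rule that
// grants wheel passwordless access (approximation, not the real file)
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.Flatpak.") === 0 &&
      subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// Shim-side evaluation mirroring polkit: rules files run in file-name
// order and the first non-null result wins (test harness only).
function evaluate(actionId, groups) {
  var action = { id: actionId };
  var subject = {
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== null && r !== undefined) { return r; }
  }
  return null; // fall through to the .policy defaults
}

// wheel alone now gets an auth_admin prompt instead of a silent install,
// while a plain update from a wheel member still goes through
console.log(evaluate("org.freedesktop.Flatpak.app-install", ["wheel"]));
console.log(evaluate("org.freedesktop.Flatpak.app-update", ["wheel"]));
```

The override must sort before flatpak's own rules file, because polkit stops at the first rule that returns a non-null result; a name starting with `10-` does that. `AUTH_ADMIN` asks for an administrator's credentials, which is the same bar apt and snap set for new packages; leaving update actions unhandled keeps the "updates without authentication" behaviour the report describes as acceptable.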
