flatpak and root access


flatpak and root access

Anil F Duggirala
hello,
I know there have been some security concerns with flatpak, which are
too high level for me to understand, but I want to ask, is it normal
for flatpak to ask for the root password when installing a new package?
Are these packages not supposed to be sandboxed?
thank you,


Re: flatpak and root access

Reco
Hi.

On Mon, Apr 06, 2020 at 12:00:18PM -0500, Anil F Duggirala wrote:
> hello,
> I know there have been some security concerns with flatpak, which are
> too high level for me to understand,

It's simple, and security is just a part of a bigger problem here.
The very purpose of flatpak is to enable the user to run untrusted
software (i.e. not obtained by the usual OS means).
So, for instance, if the author of the software wants their software to
perform "telemetry" - they just do it and their users will "enjoy" it.
A good software maintainer will just patch the offensive functions out
because such a privacy violation is a legitimate cause for a bug report in
Debian (and yes, those *did* happen).
Likewise, flatpak by itself cannot do anything against a cryptominer
"helpfully" "bundled" with a piece of software.


> but I want to ask, is it normal
> for flatpak to ask for the root password when installing a new package?

For so-called "system install" - yes, it's normal.
The reason for this being that "system" installed flatpaks expose their
binaries in /var/lib/flatpak/exports/bin, which is not user-writable.
For so-called "user install" - i.e. inside your $HOME, no it's not.


> Are these packages not supposed to be sandboxed?

It's rather that you have a different definition of "sandboxing" than the
flatpak authors. For them it's important to restrict access to the $HOME
files for anything that's running via flatpak (among other things).
Whatever collateral damage they do to the filesystem is usually limited
to /var/lib/flatpak.

Reco
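
To make the system/user distinction above concrete, here is an added
shell example; it is not code from this thread or from the flatpak
project. It reproduces the check that flatpak's behaviour implies:
whether the directory receiving the exported launcher scripts is
writable by the invoking user. The system path
/var/lib/flatpak/exports/bin comes from Reco's message; the user path
under $XDG_DATA_HOME/flatpak (default ~/.local/share/flatpak) and the
--user/--system flags of "flatpak install" are flatpak conventions that
the thread itself does not mention, so treat them as assumptions here.

```sh
#!/bin/sh
# Added example (not from the thread, not flatpak's own code): why a
# "system" flatpak install prompts for root while a "user" install does
# not. Flatpak exports launcher scripts into <installation>/exports/bin.
# For the system installation that is /var/lib/flatpak/exports/bin,
# which only root can write; for the user installation it is
# $XDG_DATA_HOME/flatpak/exports/bin (default ~/.local/share/flatpak),
# which the user owns. The user-dir default is an assumption not stated
# in the thread.

# exports_bin_dir KIND: print the exports/bin path for "system" or "user".
exports_bin_dir() {
    case "$1" in
        system) printf '%s\n' "/var/lib/flatpak/exports/bin" ;;
        user)   printf '%s\n' "${XDG_DATA_HOME:-$HOME/.local/share}/flatpak/exports/bin" ;;
        *)      printf 'unknown installation kind: %s\n' "$1" >&2; return 2 ;;
    esac
}

# writable_by_me DIR: succeed if the current user can create entries in
# DIR or, when DIR does not exist yet (fresh installation), in the
# nearest existing ancestor where it would have to be created.
writable_by_me() {
    dir=$1
    while [ ! -d "$dir" ] && [ "$dir" != / ]; do
        dir=$(dirname "$dir")
    done
    [ -w "$dir" ] && [ -x "$dir" ]
}

# install_mode KIND: print "root-prompt" when installing into KIND would
# need a privilege escalation, "no-prompt" when the user can do it alone.
# Fails (status 2) for an unknown KIND instead of guessing.
install_mode() {
    target=$(exports_bin_dir "$1") || return 2
    if writable_by_me "$target"; then
        echo no-prompt
    else
        echo root-prompt
    fi
}

# Demonstration: compare both installation kinds on this machine.
# The matching flatpak invocations are
#   flatpak install --system <remote> <app>   (system-wide, root prompt)
#   flatpak install --user   <remote> <app>   (per-user, no prompt)
for kind in system user; do
    printf '%-6s %-50s %s\n' "$kind" "$(exports_bin_dir "$kind")" "$(install_mode "$kind")"
done
```

Run as an ordinary user, the system row reports root-prompt because the
walk up from /var/lib/flatpak/exports/bin stops at a root-owned
directory, while the user row reports no-prompt. Run as root both rows
report no-prompt, which is exactly why the prompt appears for a system
install and not for a user one: it is about who owns the target
directory, not about the sandbox.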


Re: flatpak and root access

Nicolas George
Reco (2020-04-06):

> It's simple, and security is just a part of a bigger problem here.
> The very purpose of flatpak is to enable the user running untrusted
> software (i.e. not obtained by usual OS means).
> So, for instance, if the author of the software wants their software to
> perform "telemetry" - they just do it and their users will "enjoy" it.
> A good software maintainer will just patch the offensive functions out
> because such privacy violation is a legitimate cause for a bug report in
> Debian (and yes, those *did* happen).
> Likewise, flatpak by itself cannot do anything against a cryptominer
> "helpfully" "bundled" with a software.
This is true, but I don't think it's the bigger security problem with
this and similar software bundle systems. If the program we want does
something harmful in secret, it will do it whether we install a whole
bundle or we build from source. A distribution packager may notice it,
but we can't rely on it.

We need to trust the people who make the programs we use.

But bundles come with an extra security issue: libraries.

The point of a bundle is that it comes with all its libraries. That
means if there is a security issue in that library, it needs to be
upgraded. It will not benefit from the security upgrades of the system.

Therefore, you have to rely on the people who made the bundle to follow
all security alerts for all bundled libraries carefully. This trust
is sadly often unwarranted.

Regards,

--
  Nicolas George
