Bug 1012961

Summary: AUDIT-0: Flatpak / polkit permissions need to be reviewed
Product: [Novell Products] SUSE Security Incidents
Reporter: Dominique Leuenberger <dimstar>
Component: Audits
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: adrien.plazas, astieger, dimstar, fcrozat, krahmer, meissner, sreeves, zaitor
Version: unspecified
Target Milestone: unspecified
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Dominique Leuenberger 2016-12-01 09:03:45 UTC
When a system is configured to make use of flatpak (system wide), then gnome-software treats them similar to normal packages in that it refreshes the metadata (repo) and offers the flats for update.

The permissions for PackageKit are set that 'repo refresh' and 'package updates' are allowed by user without extended permissions.

For flatpak, even the repo refresh requires root permission (which means a system on boot-up requires root if there are system flats installed, as gnome-software's update monitor will ask for a repo refresh).

I'd like to see the permissions loosened up, similar to what we have in PackageKit:

>org.freedesktop.packagekit.system-update        auth_admin_keep_always:auth_admin_keep_always:yes

hence

>org.freedesktop.Flatpak.app-update              auth_admin:auth_admin:auth_admin_keep
>org.freedesktop.Flatpak.runtime-update          auth_admin:auth_admin:auth_admin_keep
>org.freedesktop.Flatpak.appstream-update        auth_admin:auth_admin:auth_admin_keep

Should be replaced with

>org.freedesktop.Flatpak.app-update              auth_admin_keep_always:auth_admin_keep_always:yes
>org.freedesktop.Flatpak.runtime-update          auth_admin_keep_always:auth_admin_keep_always:yes
>org.freedesktop.Flatpak.appstream-update        auth_admin_keep_always:auth_admin_keep_always:yes
Comment 1 Sebastian Krahmer 2016-12-05 09:35:37 UTC
Is this a dup of bnc#984817 ? Or are there any new permissions being asked for?
Comment 2 Dominique Leuenberger 2016-12-05 09:46:04 UTC
(In reply to Sebastian Krahmer from comment #1)
> Is this a dup of bnc#984817 ? Or are there any new permissions being asked
> for?

Oh - I was under the impression that bug had been solved already (as the permission set was added to polkit default privs)

This request is basically to 'loosen up' some of the restrictions in the current config set; as boo#984817 is not yet closed, that can of course be merged.
Comment 3 Frederic Crozat 2017-04-21 14:49:18 UTC
What is the status here ?

Due to this not being fixed, you get a random root prompt if you have one flatpak application, since GNOME Software periodically tries to check for updates.
Comment 4 Sebastian Krahmer 2017-04-24 06:52:13 UTC
(In reply to Frederic Crozat from comment #3)
> What is the status here ?
> 
> Due to this not being fixed, you get random root prompt if you have one
> flatpak application, since GNOME Software periodically try to check for
> updates.

By "root prompt" you mean polkit is asking you to authenticate
yourself as root? Not like a root prompt from bash#
Comment 5 Frederic Crozat 2017-04-24 09:37:58 UTC
(In reply to Sebastian Krahmer from comment #4)
> (In reply to Frederic Crozat from comment #3)
> > What is the status here ?
> > 
> > Due to this not being fixed, you get random root prompt if you have one
> > flatpak application, since GNOME Software periodically try to check for
> > updates.
> 
> By "root prompt" you talk about polkit is asking you to authenticate
> yourself as root? Not like a root prompt from bash#

Yes, sorry, the gnome-shell polkit prompt, which is system modal.
Comment 6 Bjørn Lie 2017-06-16 22:34:26 UTC
The current version of flatpak in GN has a new polkit issue:

flatpak.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.Flatpak.update-remote (auth_admin:auth_admin:yes)

There is also 

flatpak.x86_64: I: polkit-untracked-privilege org.freedesktop.Flatpak.install-bundle (auth_admin:auth_admin:auth_admin_keep) The privilege is not listed in /etc/polkit-default-privs.* 

that would be nice to get resolved
Comment 7 Sebastian Krahmer 2017-06-27 07:26:25 UTC
I think we currently can't approve flatpak. There are too many weird things they
do, such as:

https://github.com/flatpak/flatpak/issues/845 (CVE-2017-9780)

Which was to be expected, and it's likely that other similar issues
will appear.

IMHO, the state of current Linux sandboxing for containerized apps
from 3rd party repos is insufficient.
Comment 8 Adrien Plazas 2017-06-27 09:14:37 UTC
(In reply to Sebastian Krahmer from comment #7)
> I think we currently can't approve flatpak.

Do you mean we shouldn't have Flatpak at all or we could have it but without the polkit rules and despite the poor user experience?
Comment 12 Frederic Crozat 2017-07-31 11:26:34 UTC
I'd like to see both additional polkit rules cleared by the security team, as we have plans to ship flatpak in SLED15.

flatpak.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.freedesktop.Flatpak.update-remote (auth_admin:auth_admin:yes)

This one is to allow refreshing a repository which was previously added with admin privilege. This is similar to
org.freedesktop.packagekit.system-sources-refresh. I would suggest similar defaults.

flatpak.x86_64: I: polkit-untracked-privilege org.freedesktop.Flatpak.install-bundle (auth_admin:auth_admin:auth_admin_keep) The privilege is not listed in /etc/polkit-default-privs.* 

This one is similar to YaST 1-click install. I would suggest similar defaults as org.freedesktop.packagekit.package-install.

Thanks
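The two rpmlint findings quoted in comment 6 and comment 12, and the whitelist triples proposed in the description, all come from the same mechanism: every action a package ships in its .policy file is compared against the allow_any:allow_inactive:allow_active triples in /etc/polkit-default-privs.*, and on SUSE the whitelist entry is what ends up as the effective implicit authorization. The script below is an added example, not rpmlint's, flatpak's or SUSE's code; it reimplements that check offline. The .policy excerpt and whitelist fragment are constructed for the example (the settings match what the thread reports), and the classification rule (any setting looser than an auth_admin* variant on an unlisted action is an error, an unlisted action that stays admin-only is only "untracked", a listed action takes the whitelist's triple) is my reading of the rpmlint output on this page, not a verified copy of its logic.

```python
"""Offline check of polkit .policy defaults against a polkit-default-privs
style whitelist. Added example; the policy XML and whitelist are constructed,
and the classification rule approximates the rpmlint messages in this bug."""
import xml.etree.ElementTree as ET

# Settings that never grant anything without an admin authenticating.
# Anything else (yes, auth_self, auth_self_keep) counts as a real privilege.
ADMIN_ONLY = {"no", "auth_admin", "auth_admin_keep", "auth_admin_keep_always"}

# Constructed polkit-default-privs.standard fragment:
# <action id>  <allow_any>:<allow_inactive>:<allow_active>
WHITELIST_TXT = """
# PackageKit
org.freedesktop.packagekit.system-update           auth_admin_keep_always:auth_admin_keep_always:yes
org.freedesktop.packagekit.system-sources-refresh  auth_admin_keep_always:auth_admin_keep_always:yes
# Flatpak (entries as shipped at the time of the report)
org.freedesktop.Flatpak.app-update                 auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.runtime-update             auth_admin:auth_admin:auth_admin_keep
org.freedesktop.Flatpak.appstream-update           auth_admin:auth_admin:auth_admin_keep
"""

# Constructed .policy excerpt with the two actions from comment 6/12 plus one
# whitelisted action.
POLICY_XML = """<policyconfig>
  <action id="org.freedesktop.Flatpak.update-remote">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.Flatpak.install-bundle">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.Flatpak.app-update">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

FIELDS = ("allow_any", "allow_inactive", "allow_active")


def parse_privs(text):
    """Whitelist text -> {action: (allow_any, allow_inactive, allow_active)}."""
    privs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, triple = line.split()
        parts = tuple(triple.split(":"))
        if len(parts) != 3:
            raise ValueError(f"malformed triple for {action}: {triple}")
        privs[action] = parts
    return privs


def parse_policy(xml_text):
    """.policy XML -> {action: (allow_any, allow_inactive, allow_active)}.
    polkit treats a missing <allow_*> element as 'no'."""
    root = ET.fromstring(xml_text)
    policy = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        policy[action.get("id")] = tuple(
            (defaults.findtext(tag) or "no").strip() for tag in FIELDS)
    return policy


def classify(policy, privs):
    """{action: 'ok' | 'untracked' | 'unauthorized'} for every shipped action."""
    verdicts = {}
    for action, triple in policy.items():
        if action in privs:
            verdicts[action] = "ok"              # whitelisted, whatever it ships
        elif all(s in ADMIN_ONLY for s in triple):
            verdicts[action] = "untracked"       # rpmlint: I: polkit-untracked-privilege
        else:
            verdicts[action] = "unauthorized"    # rpmlint: E: polkit-unauthorized-privilege
    return verdicts


def effective(policy, privs):
    """Triple that applies on a system where the whitelist overrides the
    package defaults (the polkit-default-privs model assumed in this thread)."""
    return {a: privs.get(a, t) for a, t in policy.items()}


def report(policy, privs):
    """rpmlint-style lines for everything that is not whitelisted."""
    lines = []
    for action, verdict in classify(policy, privs).items():
        if verdict != "ok":
            level = "E" if verdict == "unauthorized" else "I"
            lines.append(f"{level}: polkit-{verdict}-privilege {action} "
                         f"({':'.join(policy[action])})")
    return lines


if __name__ == "__main__":
    for line in report(parse_policy(POLICY_XML), parse_privs(WHITELIST_TXT)):
        print(line)
```

Swapping the Flatpak whitelist entries for the `auth_admin_keep_always:auth_admin_keep_always:yes` triple proposed in the description changes only what `effective()` returns for the listed actions; `classify()` is unaffected, which is why the update-remote and install-bundle findings in comment 6 need whitelist entries of their own rather than a policy change in the flatpak package.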
Comment 15 Bernhard Wiedemann 2017-08-23 14:01:12 UTC
This is an autogenerated message for OBS integration:
This bug (1012961) was mentioned in
https://build.opensuse.org/request/show/518380 Factory / polkit-default-privs
Comment 16 Sebastian Krahmer 2017-08-23 14:29:55 UTC
closed as resolved