Bug 1215481 - flatpak allows members of the wheel group unauthenticated access
Status: NEW
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: GNOME
Version: Current
Hardware: Other Other
Priority: P5 - None; Severity: Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
Reported: 2023-09-19 11:52 UTC by Ludwig Nussel
Modified: 2023-10-02 11:26 UTC

Description Ludwig Nussel 2023-09-19 11:52:40 UTC
/usr/share/polkit-1/rules.d/60-org.freedesktop.Flatpak.rules allows local users in the wheel group to perform privileged actions without authentication. openSUSE does not define any meaning for the wheel group, therefore such rules violate security expectations.

Moreover, there are efforts to actually define a meaning for the wheel group, namely requiring self authentication with their own password for privileged actions (PED-260). The flatpak rules also violate that expectation by not requiring any authentication.
Comment 1 Matthias Gerstner 2023-10-02 11:26:12 UTC
We have been through a lot of discussions regarding the significance of the
wheel group.

For FlatPak we actually gave our blessing in bug 984817 comment 20. It's
likely the only exception to the rule we have right now.

Given the recent developments surrounding wheel, a reevaluation for FlatPak
might make sense. What FlatPak people want is a good user experience. A quick
way out of this might be using a dedicated group for flatpak.
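
The rule pattern this report describes, next to the two alternatives raised in the thread (self-authentication for wheel, a dedicated group), as an added example that is neither the contents of the shipped rules file nor code from either commenter. The `polkit` stub, the `decide` helper, the prefix match on action ids, the group name `flatpak` and the sample action id are assumptions made so the rules can be evaluated under Node.

```javascript
// Stand-in for the object polkitd provides to rules files (assumption, Node only).
const polkit = { Result: { YES: "yes", AUTH_SELF: "auth_self", NOT_HANDLED: null } };
const FLATPAK_PREFIX = "org.freedesktop.Flatpak."; // prefix match is a simplification

function isLocalFlatpakRequest(action, subject) {
  return action.id.indexOf(FLATPAK_PREFIX) === 0 &&
         subject.active === true && subject.local === true;
}

// Pattern the report objects to: wheel membership alone grants the action.
function wheelNoAuthRule(action, subject) {
  if (isLocalFlatpakRequest(action, subject) && subject.isInGroup("wheel")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

// Alternative from the description: wheel members confirm with their own password.
function wheelSelfAuthRule(action, subject) {
  if (isLocalFlatpakRequest(action, subject) && subject.isInGroup("wheel")) {
    return polkit.Result.AUTH_SELF;
  }
  return polkit.Result.NOT_HANDLED;
}

// Alternative from comment 1: a dedicated group ("flatpak" is a hypothetical name).
function dedicatedGroupRule(action, subject) {
  if (isLocalFlatpakRequest(action, subject) && subject.isInGroup("flatpak")) {
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
}

// First rule that handles the request wins; otherwise the action's own default
// from its .policy file applies (represented here by a placeholder string).
function decide(rules, actionId, groups, session) {
  const s = session || { active: true, local: true };
  const subject = { active: s.active, local: s.local,
                    isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== polkit.Result.NOT_HANDLED) return result;
  }
  return "policy-default";
}

const SAMPLE_ACTION = "org.freedesktop.Flatpak.app-install"; // constructed sample input
console.log(decide([wheelNoAuthRule], SAMPLE_ACTION, ["users", "wheel"]));    // yes
console.log(decide([wheelSelfAuthRule], SAMPLE_ACTION, ["users", "wheel"]));  // auth_self
console.log(decide([dedicatedGroupRule], SAMPLE_ACTION, ["users", "wheel"])); // policy-default
```

To audit an installed system for the same pattern, look for `isInGroup("wheel")` paired with `polkit.Result.YES` in the files under `/usr/share/polkit-1/rules.d/` and `/etc/polkit-1/rules.d/`.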