Flatpak Install/Update Security

Hey,

I am currently planning to use flatpak/flathub for a few things that are not on my distribution’s repos. Since security has a high priority for me, I have a few questions for which I could not find anything via google, and statements in the docs (flatpak as well as flathub) are not very clear on these topics.

Background:
Regarding typical .deb/.rpm installs from distro repos or PPAs, and also for classic snaps, it seems (correct me if I’m wrong) that package install routines are executed as root and no further security policies apply. I.e., you completely trust the developers and package maintainers of apps you install to not do any unexpected changes to your system.

Question1:
What is the situation with install and update routines for flatpak? Is a system-wide flatpak install as sudo/root secured by any means, or do you hand over your system to the package being installed, as with .deb/.rpm/classic-snap?

If it is secured, what are the details? What permissions do install routines (run as root for system-wide install) get? Can they affect other packages, flatpak runtimes, or the system as a whole?

Question2:
Regarding permissions (after install), what if package permissions are changed by the developers? How do I get informed? Can permission changes happen silently on update?

Question3:
Where do flatpak runtimes come from? From the same repo (let’s say flathub) as the app being downloaded? Who maintains and builds these runtimes?

Any details or links to background info and sources would be great.

Thanks!

It’s sandboxed by bubblewrap (bw); there are some apps that can affect other apps, like Flatseal. But permissions make this transparent.

Depends on your DE or how you interact with your package management. Flatpak cli will show you changes on update and have you accept them. Same is true for gnome software afaik. So, nothing silent.

Yes, they are on the same repo in Flathub’s case. They are maintained by the respective people, so the freedesktop runtime is by freedesktop, GNOME by GNOME, KDE by KDE, etc.
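As an added illustration of the "nothing silent" point above (this is not code from the thread or from the Flatpak project): the CLI shows permission changes during `flatpak update`, but a script that updates with `-y` will accept them unseen. The shell snippet below compares two permission snapshots in the `[Section]` / `key=value;value;` layout that `flatpak info --show-permissions` prints and fails when the newer one requests anything the installed one does not hold. Both snapshots are constructed samples; `org.example.App` is a placeholder id, and the two capture commands in the comments are the real `flatpak info --show-permissions` and `flatpak remote-info --show-metadata` options.

```shell
#!/bin/sh
# Added example (not from the thread or the Flatpak project): compare the
# permissions of an installed app against the version offered by the remote
# and flag anything newly requested before accepting an update.
# OLD_PERMS / NEW_PERMS are CONSTRUCTED samples in the layout printed by
# `flatpak info --show-permissions`; on a real system capture them with
#   flatpak info --show-permissions org.example.App             > old.txt
#   flatpak remote-info --show-metadata flathub org.example.App > new.txt
# (org.example.App is a placeholder id, not a real Flathub app.)

OLD_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=xdg-download;

[Session Bus Policy]
org.freedesktop.Notifications=talk
'

# The newer snapshot adds devices=all, filesystems=home and talk access to
# org.freedesktop.Flatpak (the portal that can spawn commands on the host).
NEW_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;all;
filesystems=xdg-download;home;

[Session Bus Policy]
org.freedesktop.Notifications=talk
org.freedesktop.Flatpak=talk
'

# flatten_perms: read metadata on stdin and emit one "Section.key=value" line
# per individual permission token, sorted, so snapshots can be set-compared.
flatten_perms() {
  awk -F= '
    /^\[/ { section = $0; sub(/^\[/, "", section); sub(/\]$/, "", section); next }
    NF >= 2 && $1 != "" {
      n = split($2, vals, ";")
      for (i = 1; i <= n; i++) if (vals[i] != "") print section "." $1 "=" vals[i]
    }' | sort
}

# new_permissions OLD NEW: print tokens present in NEW but absent from OLD
# (additions only; a removed permission never widens access).
new_permissions() {
  old_tmp=$(mktemp) || return 1
  new_tmp=$(mktemp) || { rm -f "$old_tmp"; return 1; }
  printf '%s\n' "$1" | flatten_perms > "$old_tmp"
  printf '%s\n' "$2" | flatten_perms > "$new_tmp"
  comm -13 "$old_tmp" "$new_tmp"
  rm -f "$old_tmp" "$new_tmp"
}

# check_permission_drift OLD NEW: status 0 when nothing new is requested,
# 1 otherwise, so it can gate a scripted `flatpak update -y`.
check_permission_drift() {
  added=$(new_permissions "$1" "$2") || return 1
  if [ -n "$added" ]; then
    printf 'Update requests permissions the installed version does not hold:\n%s\n' "$added"
    return 1
  fi
  return 0
}

if check_permission_drift "$OLD_PERMS" "$NEW_PERMS"; then
  echo "No new permissions; safe to update non-interactively"
fi
```

Run against the constructed samples it reports the three added tokens and exits non-zero; wired in front of an unattended `flatpak update -y` it restores the human review step that the interactive CLI already gives you. Tokens that only tighten access are ignored, and a token that moves between sections (for example from `[Context]` to an override) shows up as new, which is the conservative outcome.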

Thanks for the answer!

It’s sandboxed by bubblewrap (bw); there are some apps that can affect other apps, like Flatseal. But permissions make this transparent.

So that means already the install routine is sandboxed and the same permissions apply as when running an app? I.e., installing as root is secure when permissions are restrictive enough (not speaking of undiscovered exploits)?

No further questions regarding the other two questions 🙂. Since I’m almost exclusively using cli, the update policy seems good to me.

Piggybacking on Question1:

Can a flatpak distributed via flathub include code which is run with UID 0 during a flatpak install or flatpak update?

This is typically the case with platform native packages, usually in the form of pre- and post-install scripts in the package, even for software which never itself runs with elevated privilege.

My personal preference for desktops, which accounts for all flatpak use, is to use only per-user installs. In addition to separating the application files from the OS, it precludes any flatpak interfering with the OS - from the innocent littering of files to the insidious deployment of UEFI rootkits.
The applicable trust model(s) and threats can quickly become complex, so this provides no blanket protection against other categories of threats, from snooping audio and video inputs to exfiltrating ~/Documents/passwords.csv, though flatpak’s permissions model provides some relevant access controls.

No, it cannot. Flatpak does not support post-install or post-rm scripts like that, and when you install a Flatpak, nothing gets “executed” from the packages themselves (except for extra-data Flatpaks, but that too happens inside a special sandbox with no network access or host access).


No, you don’t need root to install or update system-wide. You only need root when adding the remote for the first time.

Can they affect other packages, flatpak runtimes, or the system as a whole?

Nope, nothing is executed from the packages when installing Flatpaks (except for extra-data, which runs in a sandbox with no host access or network access).

Where do flatpak runtimes come from? From the same repo (let’s say flathub) as the app being downloaded? Who maintains and builds these runtimes?

They are published on Flathub directly by the upstream.

Freedesktop: freedesktop-sdk / freedesktop-sdk · GitLab
GNOME: GNOME / gnome-build-meta · GitLab
KDE: Packaging / Flatpak KDE Runtime · GitLab

Thanks @AJCxZ0 for adding to the question, you described exactly the type of attack vector I was worried about.

And thanks @bbhtt for the precise answer, also about not needing root for system-wide install/update. Lots of wrong information on that comes up when you try to google these things. I guess it is dbus+PolicyKit that enables system-wide installs without root?

PolicyKit is required sometimes for access dialogues like setting up the remote, yes.

Thanks, I marked the question as solved. For now, I consider system-wide installs as secure, I just wish this was more clear from the flatpak documentation.

This topic was automatically closed after 47 hours. New replies are no longer allowed.