VirtualBox/setuid binaries

Robert McQueen rob at endlessm.com
Thu Dec 13 16:55:31 UTC 2018


On Fri, 2018-11-16 at 10:30 +0100, Michael Thayer wrote:
> 16.11.18 09:50, Michael Thayer wrote:
> > A way to run a script with root privileges and a prominent warning to
> > the user at installation time would of course be helpful for my and
> > Robert's use case.  I can of course see that the Flatpak developers
> > might consider it a dangerous temptation for application developers;
> > then again I think that you check what gets onto Flathub and could
> > forbid most uses there.  I could do this anyway, the main problem would
> > be that I would have to tell the user to run the script manually and
> > work out the location in the file system, which is not very
> > user-friendly.
> 
> Just following up my own post, and coming back to a slightly refined
> version of my original idea unless someone suggests something better.
> For VirtualBox I could achieve most of what I want by providing a small
> additional starter tool to be installed separately from the Flatpak and
> referencing it from the desktop file in the Flatpak (instead of using
> /usr/bin/flatpak as a starter).  I should be able to achieve that in a
> user-friendly way, though of course I would depend on Flatpak being
> installed with the standard paths.  Since Endless presumably control
> their OS, perhaps they could do something on those lines too?

Yeah, in a sense we already have a "launch Chrome" helper in the OS, so
my working plan (to avoid patching Flatpak to continue supporting this
security) was to add a Flatpak trigger (scripts which are run after
exporting - such as updating icon caches, mime types, etc) which
checked that the Chrome app was from Endless, and if so re-instated the
setuid bit on the right file. This doesn't help you unfortunately.

You can't rely on modifying the .desktop file to use a different
launcher because flatpak rewrites those during the export phase
(roughly) to prepend "flatpak run app.id" to them. If I were in your
situation, I would aim for having a wrapper script which you ship
inside your flatpak, and is run from the inside initially, which
locates the host path for the Flatpak and then uses sudo or pkexec to
acquire root and then do your privileged stuff.

> Regards
> Michael

Cheers,
Rob
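The wrapper that Rob sketches, as an added example that is not code from the thread, from Flatpak or from VirtualBox: it runs inside the sandbox, reads the sandbox's own /.flatpak-info (which Flatpak writes with an [Instance] section whose app-path= key holds the host-side path of the app's files, i.e. what the sandbox sees as /app), and then asks the host to run a privileged helper through flatpak-spawn --host and pkexec. The helper name lib/setup-root.sh, the app ID org.example.Vbox and the sample key file contents are assumptions made up for the example; the real script would ship whatever VirtualBox needs to run as root.

```shell
#!/bin/sh
# Added example, not from the thread, Flatpak or VirtualBox.
# Wrapper to be shipped inside a Flatpak and started from the sandbox:
# find where the app's files live on the host, then hand a helper in that
# tree to pkexec on the host.  POSIX sh, no bashisms.

# kv_get FILE SECTION KEY: print the value of KEY in [SECTION] of an
# INI-style key file such as /.flatpak-info.
kv_get() {
    awk -v sect="[$2]" -v key="$3" '
        $0 == sect { in_sect = 1; next }
        /^\[/      { in_sect = 0 }
        in_sect && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Host-side path of the app's files directory (seen as /app inside the sandbox).
# Argument: path to the key file, defaults to the sandbox's /.flatpak-info.
host_app_path() {
    kv_get "${1:-/.flatpak-info}" Instance app-path
}

# Command line that runs the helper as root on the host.  The helper path
# files/lib/setup-root.sh is a hypothetical location chosen for this example.
privileged_cmd() {
    printf '%s\n' "flatpak-spawn --host pkexec $(host_app_path "${1:-/.flatpak-info}")/lib/setup-root.sh"
}

# Actually run it: flatpak-spawn --host needs the org.freedesktop.Flatpak
# D-Bus interface, which is only granted to the sandbox if the manifest
# allows it, and pkexec will show the Polkit authentication prompt.
run_privileged() {
    helper="$(host_app_path /.flatpak-info)/lib/setup-root.sh"
    exec flatpak-spawn --host pkexec "$helper" "$@"
}

# Constructed sample key file in the shape Flatpak writes; the paths and
# commit IDs are invented for the example, not copied from a real install.
sample_flatpak_info() {
    cat > "$1" <<'EOF'
[Application]
name=org.example.Vbox
runtime=runtime/org.freedesktop.Platform/x86_64/18.08

[Instance]
instance-id=1234567890
app-path=/var/lib/flatpak/app/org.example.Vbox/x86_64/stable/abc123/files
runtime-path=/var/lib/flatpak/runtime/org.freedesktop.Platform/x86_64/18.08/def456/files
EOF
}

# Outside a sandbox there is no /.flatpak-info, so demonstrate on the sample.
if [ -r /.flatpak-info ]; then
    info=/.flatpak-info
else
    info=$(mktemp)
    sample_flatpak_info "$info"
fi
echo "would run: $(privileged_cmd "$info")"
```

Two things a practitioner should check before shipping this: for a per-user installation the files under ~/.local/share/flatpak are writable by the user, so pkexec would be running user-writable code as root (acceptable only because the user is the one answering the Polkit prompt, and the helper should be kept minimal); and flatpak-spawn --host amounts to unrestricted host access, so the manifest permission granting it deserves the same prominent warning at installation time that Michael asked for.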


More information about the Flatpak mailing list