VirtualBox/setuid binaries

Michael Thayer michael.thayer at oracle.com
Thu Nov 15 10:26:18 UTC 2018


Hello,

I have been following Flatpak for some time, given that we (VirtualBox)
maintain about twenty different builds for different Linux
distributions.  Obviously Flatpak could potentially solve quite a big
problem for us, but there is a big catch: the main binaries in
VirtualBox run setuid root, and that is not something which is going to
change in the near future.  So the question: could you conceive adding
an option to allow setuid root in a Flatpak?  Clearly this is the same
as saying that for that Flatpak there is no security sandboxing, so the
user should be sure that they trust it.  Which with VirtualBox there is
simply no way round, since we include kernel code.

I have also considered the possibility of providing a forked copy of
Flatpak in our RPMs and Debs which would re-use your runtimes, but
although that would probably let us reduce the number we build
significantly it would be horrible.  And I know that if you did add this
option you would be getting certain people shouting that "Flatpak is not
secure because setuid binaries are setuid", or something on those lines.
And I also realise that there are probably not that many other desktop
applications which need setuid; but I expect that there are still a few
more.

Anyway, interested to hear what you have to say.
Thanks.

Regards
Michael
-- 
Michael Thayer | VirtualBox engineer
ORACLE Deutschland B.V. & Co. KG | Werkstr. 24 | D-71384 Weinstadt

ORACLE Deutschland B.V. & Co. KG
Head office: Riesstraße 25, D-80992 München
Court of registration: Amtsgericht München, HRA 95603

General partner: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Netherlands
Commercial register of the Chamber of Commerce Midden-Nederland, No. 30143697
Managing directors: Alexander van der Ven, Jan Schultheiss, Val Maher