Modify `make install` to setuid `flatpak-bwrap` if needed? #503
Comments
We should never make something setuid without the user being aware of this. We already have options `--with-priv-mode=setuid` to make the app setuid, and `--enable-sudo` to do that via sudo. Also, it's a good idea in general to assume you can run things in the build. For instance, this breaks when cross-compiling, or when building for a distribution where you enable the setuid bit in the packaging, not during installation.

We could perhaps document this better though.
Background:
If a user builds Flatpak from source, and doesn't already have Bubblewrap installed, and doesn't want to install Bubblewrap for any use other than Flatpak, then the Flatpak build builds Bubblewrap.

On some OSes, the `bwrap` binary needs to be setuid.

If Bubblewrap was built as part of Flatpak, then the Bubblewrap build installs `/usr/local/libexec/flatpak-bwrap`, whereas if Bubblewrap is built standalone, then its build installs `/usr/local/bin/bwrap`.

In the Flatpak case, the user may have trouble discovering that the binary that needs to be setuid is `/usr/local/libexec/flatpak-bwrap`.

Suggestion:
Have Flatpak's `make install` try to run Bubblewrap, and if Bubblewrap prints an error message containing the word `setuid`, then `chmod u+s` the Bubblewrap binary.

It might also be advisable to try again to run Bubblewrap, and if an error message is still generated, then exit `make install` with an error code.
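
A check that reports the helper's privilege state instead of changing it, so the setuid decision stays with the person installing. This is an added example, not part of Flatpak's build system; the function names and state labels are hypothetical, and the two paths are the ones named in this issue.

```shell
#!/bin/sh
# Added example, not Flatpak code: report the privilege state of a bwrap
# helper. It never runs chmod; it only tells the user what it found.

# bwrap_priv_state PATH prints exactly one of:
#   missing               no regular file at PATH
#   not-setuid            file exists, setuid bit is clear
#   setuid-not-root       setuid bit set, but owner is not uid 0
#   setuid-root-writable  setuid root, but group- or world-writable
#   setuid-root           setuid root with no group/other write bit
bwrap_priv_state() {
    f=$1
    [ -f "$f" ] || { echo missing; return 0; }
    [ -u "$f" ] || { echo not-setuid; return 0; }
    # `ls -ln` gives the symbolic mode and the numeric owner (POSIX).
    # -L follows symlinks, matching what the [ -f ] and [ -u ] tests did.
    ls -lnLd -- "$f" | {
        read -r mode links owner rest
        if [ "$owner" != 0 ]; then
            echo setuid-not-root
            return 0
        fi
        # Mode string layout: type, rwx user, rwx group, rwx other.
        # Character 6 is group write, character 9 is other write.
        case $mode in
            ?????w*|????????w*) echo setuid-root-writable ;;
            *) echo setuid-root ;;
        esac
    }
}

# Report on both install locations mentioned in the issue.
report_bwrap_paths() {
    for p in /usr/local/libexec/flatpak-bwrap /usr/local/bin/bwrap; do
        printf '%s: %s\n' "$p" "$(bwrap_priv_state "$p")"
    done
}

report_bwrap_paths
```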