When installing a flatpak that will be installed globally anyone in the sudo group can install a flatpak without sudo.
Is there a way to either edit the polkit rules that are installed by flatpak to allow this or to just remove it altogether so that any time you try to install a global flatpak you will be prompted for a password using both the CLI and the Software Store (in my case KDE Discover)?
By default, flatpak polkit rules do not require a password. You can however set up rules to require one.
policykit < 0.106)Create a new file named flatpak‑sudo‑always‑password.pkla in /etc/polkit‑1/localauthority/50‑local.d/
[Install Flatpak apps and runtimes]
Identity=unix-group:sudo
Action=org.freedesktop.Flatpak.app-install;org.freedesktop.Flatpak.runtime-install;org.freedesktop.Flatpak.app-uninstall;org.freedesktop.Flatpak.runtime-uninstall;
ResultActive=auth_admin
policykit >= 0.106Create a new file named 01‑flatpak‑sudo‑always‑password.rules in /etc/polkit‑1/rules.d/
polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.Flatpak.app-install" ||
action.id == "org.freedesktop.Flatpak.runtime-install"||
action.id == "org.freedesktop.Flatpak.app-uninstall" ||
action.id == "org.freedesktop.Flatpak.runtime-uninstall") &&
subject.active == true && subject.local == true &&
subject.isInGroup("sudo")) {
return polkit.Result.AUTH_ADMIN;
}
return polkit.Result.NOT_HANDLED;
});
These are direct reversions of the policykit rules which flatpak installs.
The org.freedesktop.Flatpak.modify-repo permission was removed (enabled for all users by default), org.freedesktop.Flatpak.override-parental-controls was removed (not applicable), and the returned policykit authorization type changed from yes back to auth_admin. (polkit manual on auth types)
The .rules file was made by flatpak, and the .pkla file by Debian, based on flatpak's .rules file. Debian is not upgrading policykit beyond 0.105 for now, so they backported the .rules to the old system.
Original .rules file - - - Original .pkla file
You may want to consider using auth_admin_keep instead, if you don't want to be asked for your password for each flatpak and each runtime in one command.
