Warning: Flatpak system operation Deploy not allowed for user

[workstation user ~]% flatpak install flathub org.keepassxc.KeePassXC 
Looking for matches…
Required runtime for org.keepassxc.KeePassXC/x86_64/stable (runtime/org.kde.Platform/x86_64/5.15-23.08) found in remote flathub
Do you want to install it? [Y/n]: y

org.keepassxc.KeePassXC permissions:
    ipc              network            pcsc                    ssh-auth
    wayland          x11                devices                 file access [1]
    dbus access [2]  bus ownership [3]  system dbus access [4]

    [1] /tmp, host, xdg-config/kdeglobals:ro, xdg-run/gvfs
    [2] com.canonical.AppMenu.Registrar, com.canonical.Unity.Session,
        ID                                         Branch            Op       Remote        Download
 1. [✗] org.freedesktop.Platform.GL.default        23.08             i        flathub        174.7 MB / 175.0 MB
 2. [✗] org.freedesktop.Platform.GL.default        23.08-extra       i        flathub        174.7 MB / 175.0 MB
 3. [✗] org.freedesktop.Platform.openh264          2.2.0             i        flathub        273.1 kB / 944.3 kB
 4. [✗] org.kde.Platform.Locale                    5.15-23.08        i        flathub         18.0 kB / 394.3 MB
 5. [✗] org.kde.Platform                           5.15-23.08        i        flathub        350.6 MB / 340.5 MB
 6. [ ] org.keepassxc.KeePassXC                    stable            i        flathub       < 21.0 MB

Warning: Flatpak system operation Deploy not allowed for user
Warning: Flatpak system operation Deploy not allowed for user
Warning: While downloading http://ciscobinary.openh264.org/libopenh264-2.2.0-linux64.6.so.bz2: While fetching http://ciscobinary.openh264.org/libopenh264-2.2.0-linux64.6.so.bz2: [6] Couldn't resolve host name
Warning: Flatpak system operation Deploy not allowed for user
Error: Flatpak system operation Deploy not allowed for user
error: Failed to install org.kde.Platform: Flatpak system operation Deploy not allowed for user
zsh: exit 1     flatpak install flathub org.keepassxc.KeePassXC
[workstation user ~]%

Can be related:

Note: the flatpak repo needs to be added system-wide as well.


I failed to reproduce this issue.

[workstation user ~]% flatpak install flathub org.keepassxc.KeePassXC
Looking for matches…
Required runtime for org.keepassxc.KeePassXC/x86_64/stable (runtime/org.kde.Platform/x86_64/5.15-23.08) found in remote flathub
Do you want to install it? [Y/n]: y

org.keepassxc.KeePassXC permissions:
    ipc                    network                pcsc                     ssh-auth                      wayland        x11        devices
    file access [1]        dbus access [2]        bus ownership [3]        system dbus access [4]

    [1] /tmp, host, xdg-config/kdeglobals:ro, xdg-run/gvfs
    [2] com.canonical.AppMenu.Registrar, com.canonical.Unity.Session, org.freedesktop.Notifications, org.freedesktop.ScreenSaver, org.gnome.ScreenSaver, org.gnome.SessionManager,
        org.gnome.SessionManager.Presence, org.kde.KGlobalSettings, org.kde.StatusNotifierWatcher, org.kde.kconfig.notify
    [3] org.freedesktop.secrets
    [4] org.freedesktop.login1


        ID                                             Branch                 Op            Remote             Download
 1. [✓] org.freedesktop.Platform.GL.default            23.08                  i             flathub            174.9 MB / 175.0 MB
 2. [✓] org.freedesktop.Platform.GL.default            23.08-extra            i             flathub             21.0 MB / 175.0 MB
 3. [✓] org.freedesktop.Platform.openh264              2.2.0                  i             flathub            887.2 kB / 944.3 kB
 4. [✓] org.kde.Platform.Locale                        5.15-23.08             i             flathub             18.0 kB / 394.3 MB
 5. [✓] org.kde.Platform                               5.15-23.08             i             flathub            369.5 MB / 340.5 MB
 6. [✓] org.keepassxc.KeePassXC                        stable                 i             flathub             18.8 MB / 21.0 MB

Installation complete.
[workstation user ~]% 

Do you have special settings, testers-only features enabled?

root@host:~# systemctl status hide-hardware-info.service
○ hide-hardware-info.service - Hide hardware information to unprivileged users
     Loaded: loaded (/lib/systemd/system/hide-hardware-info.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: https://github.com/Kicksecure/security-misc
root@host:~# systemctl status proc-hidepid.service
○ proc-hidepid.service - Mounts /proc with hidepid=2
     Loaded: loaded (/lib/systemd/system/proc-hidepid.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: https://github.com/Kicksecure/security-misc
root@host:~# systemctl status harden-module-loading.service
○ harden-module-loading.service - Disable the loading of additional modules after systemd-modules-load.service
     Loaded: loaded (/lib/systemd/system/harden-module-loading.service; disabled; preset: disabled)
     Active: inactive (dead)
       Docs: https://github.com/Kicksecure/security-misc
root@host:~# 

Nothing is active.

Is qubes-core-agent-passwordless-sudo active on your side? If yes, please make sure to remove it from now on so you can adjust to Whonix/Kicksecure user isolation and how things are going to work out.

No. That is still todo. (ticket: Qubes sudo / su / root Hardening - Development Discussion)

But it might have the potential to cause that issue.

In that case, the issue is likely also reproducible in Qubes Debian. Normally, I would say “try to reproduce this issue with Qubes Debian and report to Debian”. But see this:

It turned out that this is expected behavior: since the user is given no root and flatpak is asking to install a new package on a system-wide level, the user needs to have root rights. But since the user is isolated from this permission, we get this natural behavior.


Actually not Qubes specific as I originally thought. The same issue would happen on any system that comes with a limited user user Linux user account that does not have access to sudo / polkit.

[workstation user ~]% flatpak install

This can be confusing. The user might think, flatpak runs as user user, not as root because there was no use of sudo. But that’s a misconception.

Flatpak sets up polkit by default. For reference, the files that Flatpak installs by default are here:

/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy
/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules

So by running flatpak install, what actually approximately happens under the hood technically is sudo flatpak install.

But on a system with strong user isolation, sudo and polkit are not installed or otherwise deactivated.

Therefore the Flatpak system-wide command cannot be done from a user that has no way to get administrative rights at all (sudo or polkit).

The proper way to run flatpak install (system-wide installation command) would be doing so from a Linux user account admin that has access to sudo / polkit. Kicksecure, which Whonix is based on, suggests having a user user which is limited (no sudo / polkit) and a separate user admin.

related:

In summary, the solution for this issue:

  • A) run the command with user admin (or take a shortcut opening a Qubes root console as long as that is functional [1]); or
  • B) run flatpak --user in App Qube.

[1] Might break when Qubes ports to Wayland.

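The choice between options A and B in the post above, as an added shell example that is not part of the original thread: it prints, without running them, the Flatpak commands that match what the current account is able to do. The admin group name sudo, the use of pkcheck as a sign that polkit is installed, and the Flathub repo URL are assumptions not taken from the thread.

```shell
#!/bin/sh
# Added example: choose a Flatpak installation scope for the current account.
# ADMIN_GROUP is an assumption (Debian-style "sudo" group); adjust as needed.
ADMIN_GROUP="${ADMIN_GROUP:-sudo}"

# in_group GROUP "space separated group list": exit 0 if GROUP is listed.
in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# flatpak_scope "group list" HAVE_SUDO HAVE_POLKIT   (flags are yes/no)
# Prints "system" only if the account is in the admin group AND some way to
# get administrative rights (sudo or polkit) exists; otherwise prints "user".
flatpak_scope() {
    if in_group "$ADMIN_GROUP" "$1" && { [ "$2" = yes ] || [ "$3" = yes ]; }; then
        echo system
    else
        echo user
    fi
}

# flatpak_plan SCOPE APP_ID: print the commands to run (nothing is executed).
# The remote is added in the same scope as the install.
flatpak_plan() {
    case "$1" in
        system|user) ;;
        *) echo "unknown scope: $1" >&2; return 2 ;;
    esac
    echo "flatpak remote-add --$1 --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo"
    echo "flatpak install --$1 flathub $2"
}

# have TOOL: "yes" if TOOL is on PATH. pkcheck is used as a heuristic for polkit.
have() { command -v "$1" >/dev/null 2>&1 && echo yes || echo no; }

# Plan for the account running this script.
scope=$(flatpak_scope "$(id -Gn)" "$(have sudo)" "$(have pkcheck)")
flatpak_plan "$scope" org.keepassxc.KeePassXC
```

On a limited account without sudo or polkit the plan falls back to --user, which installs into the user's home directory and needs no system helper.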

The wiki template that documents Flatpak installation has also been updated today. See the footnotes where more is explained about Flatpak system-wide versus per-user (--user).

https://www.kicksecure.com/wiki/Template:Flatpak_Install


There is an issue with enabling the flathub repository system-wide versus per-user, see here: