Closed adrelanos closed 8 months ago
This is not specific to Qusal. However, I did some tests for compatibility:
% flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
==== AUTHENTICATING FOR org.freedesktop.Flatpak.configure-remote ====
Authentication is required to configure software repositories
Authenticating as: root
Info: /usr/libexec/security-misc/pam-abort-on-locked-password: INFO: Password for user "root" is locked.
Info: /usr/libexec/security-misc/pam-abort-on-locked-password: ERROR: root account is locked by default. See:
Info: https://www.kicksecure.com/wiki/root
Info:
Error: /usr/libexec/security-misc/pam-abort-on-locked-password failed: exit code 4
polkit-agent-helper-1: pam_authenticate failed: System error
==== AUTHENTICATION FAILED ====
error: Flatpak system operation ConfigureRemote not allowed for user
zsh: exit 1 flatpak remote-add --if-not-exists flathub
This output seems to come from pkexec, it flashes on the screen, to see it correctly use:
flatpak --verbose --ostree-verbose
After log in as root (rebooting and not rebooting does not make a difference:
chage --expiredate -1 root
passwd root
Resulted in:
% flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
==== AUTHENTICATING FOR org.freedesktop.Flatpak.configure-remote ====
Authentication is required to configure software repositories
Authenticating as: root
polkit-agent-helper-1: pam_authenticate failed: Permission denied
==== AUTHENTICATION FAILED ====
error: Flatpak system operation ConfigureRemote not allowed for user
zsh: exit 1 flatpak remote-add --if-not-exists flathub
Not caused by hide-hardware-info
or hidepid
:
# systemctl is-active proc-hidepid
inactive
# systemctl is-active hide-hardware-info
inactive
If I add qubes-core-agent-passwordless-root
, it works.
I did not enabled any of the services know to be broken in Qubes, just what is available in my default install plust the following packages were necessary:
And to make it work:
Without what, any sudo oper
That was a worthwhile test but also a different and the wrong test.
The flatpak command in my original post is supposed to be run as user, not root. hide-hardware-info or hidepid are more likely to cause issues when running commands from an account other than root. (Which doesn't mean, login as root is the solution. That is also discouraged.)
Being unable to run pkexec enabled applications even if being root seems to be a separate bug. Is that a Debian Qubes Template specific bug or only happening in Kicksecure?
Or is it a bug to (encourage, document to) login, running a shell as root? I would also say this is an unclean way, not best practice, and likely incompatible with the future (Wayland).
The flatpak command in my original post is supposed to be run as user, not root. hide-hardware-info or hidepid are more likely to cause issues when running commands from an account other than root. (Which doesn't mean, login as root is the solution. That is also discouraged.)
Flatpak was run as user. The strace had to be run as root.
Being unable to run pkexec enabled applications even if being root seems to be a separate bug. Is that a Debian Qubes Template specific bug or only happening in Kicksecure?
Works as root, tested in Qubes Kicksecure.
Or is it a bug to (encourage, document to) login, running a shell as root? I would also say this is an unclean way, not best practice, and likely incompatible with the future (Wayland).
Compatibility related, answered in my first paragraph.
This command might be broken:
Reference: https://forums.whonix.org/t/permission-denied-with-flatpak-sys-block/15781/3