Can't install packages without sudo - no pkexec dialog box

K0-RR commented 2 years ago

Checklist

[X] I agree to follow the Code of Conduct that this project adheres to.
[X] I have searched the issue tracker for a bug that matches the one I want to file, without success.
[X] If this is an issue with a particular app, I have tried filing it in the appropriate issue tracker for the app (e.g. under https://github.com/flathub/) and determined that it is an issue with Flatpak itself.
[X] This issue is not a report of a security vulnerability (see here if you need to report a security issue).

Flatpak version

1.12.4

Linux distribution and version

Alt Linux Workstation 10.0 (Autolycus)

What architecture are you using?

x86_64

Actual Behavior

This is what I get when I don't use sudo

Error: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-MB1DH1/com.axosoft.GitKraken-IDEOH1: Failed to execute child process “fusermount” (Permission denied)
error: Failed to install com.axosoft.GitKraken: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-MB1DH1/com.axosoft.GitKraken-IDEOH1: Failed to execute child process “fusermount” (Permission denied)

Warning: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-MB1DH1/org.freedesktop.Platform.GL.default-BE1DH1: Failed to execute child process “fusermount” (Permission denied)
Warning: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-MB1DH1/org.freedesktop.Platform.Locale-JLKOH1: Failed to execute child process “fusermount” (Permission denied)
Warning: Could not unmount revokefs-fuse filesystem at /var/tmp/flatpak-cache-MB1DH1/org.freedesktop.Platform.VAAPI.Intel-41GFH1: Failed to execute child process “fusermount” (Permission denied)

smcv commented 2 years ago

Is the fusermount executable setuid root in your distribution?

Do FUSE filesystems like sshfs work on your system?

Are you using a LSM like SELinux or AppArmor, or another container environment?

I think the reason you are not getting a polkit prompt is that this is happening before you have done anything particularly privileged. Your unprivileged flatpak process needs to download the package, prepare the install transaction, then tell the flatpak-system-helper "please install this package that I have prepared for you", at which point flatpak-system-helper will ask polkit whether it should go ahead - but the unprivileged flatpak process is failing before it gets to that point, because it cannot unmount the temporary revokefs-fuse filesystem that it uses to do that setup.

K0-RR commented 2 years ago

Is the fusermount executable setuid root in your distribution?

I don't know but there is no such command as fusermount on my installation. When I do search for it apt shows packages like fuse and fuse3 that are already installed

Do FUSE filesystems like sshfs work on your system?

I have just installed fuse-sshfs

Are you using a LSM like SELinux or AppArmor, or another container environment?

Prob. not since it's not Fedora or Ubuntu

mwleeds commented 2 years ago

Post the output of stat /usr/bin/fusermount?

flatpak / flatpak