Closed ids1024 closed 4 years ago
Fedora Media Write (available as a Flatpak) seems to use Polkit to request permission to write to the disk. Though it uses a confusing prompt (https://github.com/FedoraQt/MediaWriter/issues/119), and if we used a similar method, we would presumably need a prompt for each device we want to flash.
The CLI currently has machine-readable output when its output is piped, so it wouldn't be too difficult today to change the GTK UI to simply parse these events as a stream. I already have a decoder here https://github.com/pop-os/popsicle/blob/master/src/codec.rs
Taking another look, it seems UDisks2 has an appropriate API that didn't exist when Fedora Media Write was create. I've sent them a PR: https://github.com/FedoraQt/MediaWriter/pull/260.
Using a polkit based solution like this seems like the "right way" to do it. It does have the consequence that it would prompt seperately for each device. I suppose we don't want that?
Since we probably just want one prompt, even when flashing multiple device, I suppose wrapping something like pkexec popsicle
should work (which I guess is basically the previous plan).
I guess this isn't too bad, because popsicle-gtk
actually spawns another thread to run privileged tasks and switches the rest of the program to the uid/gid that called sudo/pkexec. But this is kind of an awkward solution, that seems like it can lead to somewhat odd behavior, and isn't the best practice.
So we want something that's a bit more secure, and something that works in Flatpak (https://github.com/pop-os/popsicle/issues/93).
Possibilities:
pkexec popsicle
. This is a generally good solution, but as far as I'm aware can't work in Flatpak.popsicle --udisks2
(or similar), and have that argument make the CLI use UDisks2 to open the drive.If we're happy always using UDisks2 to open drives, 2 is a good solution. Otherwise, perhaps implement both 3 and 4.
Using UDisks2 would be fine if that's what it takes to support running Popsicle in a sandbox.
The
.desktop
file callspopsicle-pkexec
, which executespkexec /usr/bin/popsicle-gtk
. This runs the GUI code as root.This isn't a huge issue; in theory it should be secure, and GTK seems to handle it fairly gracefully, with the program using the same GTK theme as the running user, etc. But I think this would generally be discouraged, though I can't find a quote from upstream Gnome/GTK specifically saying that.
I suppose the proper solution would be to spawn another process, given root access through polkit, that is seperate from the GUI. It could be a wrapper around he current CLI, perhaps.