Flatpaks can access any directory without permission?

Death
Established Member
Posts: 372
Joined: Sun Oct 11, 2015 1:43 pm
Been thanked: 32 times

Flatpaks can access any directory without permission?

Post by Death »

Can someone help me clarify how Flatpak works?

I thought Flatpak sandboxed your programs so they couldn't access files or folders outside of the sandbox unless you specifically granted access to them via Flatseal or another method. So for this reason, I have decided to run the Flatpak version of Steam because I don't trust Steam enough and I certainly don't trust the games enough to have free roam on my system.

In my Steam directory there is a folder named 'compatdata'. This is where Steam creates WINE prefixes for the games. Inside these prefixes you will find another folder called 'dosdevices' which has links to all of the drives in my system, including the root directory. From there you can look at any file on any drive. I also find that in the 'steamuser' folder (which has the layout of the windows home folder equivalent) there are links to folders in my Linux home directory such as documents, downloads, music etc.

I also did a little test with the Flatpak version of Librewolf and found that I am able to use it to save files to directories outside of the sandbox which it supposedly does not have access to. All I have to do is select the directory with the file browser that pops up when I choose to download a file.

So what I'm wondering is: how were these links even created by Steam if it supposedly cannot see and does not have access to these directories!? Can Steam and games installed via Steam freely access them?

Cheers.

Impostor
Established Member
Posts: 1337
Joined: Wed Aug 17, 2022 1:55 pm
Has thanked: 138 times
Been thanked: 346 times

Re: Flatpaks can access any directory without permission?

Post by Impostor »

I'm clueless about flatpak, but if sandboxing is your goal you could use firejail. It comes with default profiles for a lot of common programs (steam, firefox, etcetera) and you can add your own rules (for example blacklisting/whitelisting certain directories).

By the way, for linux native games on Steam, if you set their compatibility to Steam Linux Runtime, and add

export PRESSURE_VESSEL_SHARE_HOME=0 

to ~/.profile (on Mint at least), then each of these games sees ~/.var/app/com.steampowered.gameid as the /home folder.

Doesn't work with all games, but saves a lot of clutter in your actual /home folder.

Death
Established Member
Posts: 372
Joined: Sun Oct 11, 2015 1:43 pm
Been thanked: 32 times

Re: Flatpaks can access any directory without permission?

Post by Death »

Yeh I know about Firejail but at the moment I want to use Flatpak.

Thanks for the tip. That shouldn't be necessary with the Flatpak version though as things are meant to be contained. But as far as I can tell, this doesn't seem to be a sandbox..

Largos
Established Member
Posts: 617
Joined: Mon Oct 05, 2020 12:21 pm
Has thanked: 70 times
Been thanked: 179 times

Re: Flatpaks can access any directory without permission?

Post by Largos »

Flatpaks can have access to anything in your home directory structure but not your root structure.

Kirtai
Established Member
Posts: 48
Joined: Mon Jul 10, 2017 8:56 am
Has thanked: 52 times
Been thanked: 7 times

Re: Flatpaks can access any directory without permission?

Post by Kirtai »

The links in the wine folders are made by wine but don't necessarily work to give access. They point outside the sandbox but don't necessarily give access to what they point at.

For Librewolf, Flatpak supports "portals" which are a method by which the user can give access to a particular file or folder via the file browser. So it can only access its own files and the files you explicitly give it permission to via the file browser. Not all apps support them but ones that do can do this.

There's a tool in flatpak called FlatSeal that lets you see and manipulate the permissions of other flatpak apps. It's very useful.

otuva
Posts: 1
Joined: Thu Mar 02, 2023 9:57 am

Re: Flatpaks can access any directory without permission?

Post by otuva »

As @Kirtai said, they are symlinks and they do not necessarily give permissions. They look like they do because you are accessing them outside the bubble wrap. To see how they would look inside bubble wrap, you can execute the following command and enter inside the container. Replace $APPNAME with the actual app name.

flatpak run --command=bash $APPNAME

If you didn't give the flatpak app permission to access your home directory, you will notice that the contents are entirely different.

Death
Established Member
Posts: 372
Joined: Sun Oct 11, 2015 1:43 pm
Been thanked: 32 times

Re: Flatpaks can access any directory without permission?

Post by Death »

Largos wrote: Wed Mar 01, 2023 8:36 pm

Flatpaks can have access to anything in your home directory structure but not your root structure.

That's only if I give them permission to do so, right?

Also, if I give a Flatpak access to a folder, can it then also access everything in all of the parent directories of that folder? For example, if I give a Flatpak access to my Music folder which is located in Home, can it then also access everything else in Home, or is it just the Music folder I specified?

Kirtai wrote: Wed Mar 01, 2023 8:39 pm

The links in the wine folders are made by wine but don't necessarily work to give access. They point outside the sandbox but don't necessarily give access to what they point at.

For Librewolf, Flatpak supports "portals" which are a method by which the user can give access to a particular file or folder via the file browser. So it can only access its own files and the files you explicitly give it permission to via the file browser. Not all apps support them but ones that do can do this.

There's a tool in flatpak called FlatSeal that lets you see and manipulate the permissions of other flatpak apps. It's very useful.

I see! Well now I understand what portals are all about.. I do already use FlatSeal, btw :)

otuva wrote: Thu Mar 02, 2023 10:05 am

as @Kirtai said. They are symlinks and they do not necessarily give permissions. They look like they do because you are accessing them outside the bubble wrap. To see how they would look inside bubble wrap, you can execute the following command and enter inside the container. Change app name with the actual app name

flatpak run --command=bash $APPNAME

If you didn't give permission to flatpak app to access your home directory, you will notice that contents are entirely different

Ok so I ran that command

$ flatpak run --command=bash com.valvesoftware.Steam

and was then able to view & cd into all of the directories/devices within 'dosdevices' including root! I also tried making some shortcuts to stuff in my Home folder and put them in the 'steamuser' folder (as I'd already deleted previously existing shortcuts created by Steam) and was also able to browse them.

That command is a bit funny because it doesn't always let you access these things, but if you restart the terminal and try again it will work. But anyway, this seems to show that these Flatpaks can access whatever they want on your system even when you haven't granted access.

What do you guys make of this!?

Thanks for all the help ;)
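
Added example, not part of any post in this thread: whether a path is reachable inside the sandbox depends on the app's granted filesystem permissions, which can be read directly instead of inferred from symlinks. The script below classifies the `filesystems=` entries of the `[Context]` section printed by `flatpak info --show-permissions`; the sample permission text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the filesystem grants in a Flatpak permission keyfile.
# Real input comes from:  flatpak info --show-permissions "$APPNAME"
# The sample below is constructed for illustration, not taken from any real app.

SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=xdg-music:ro;home;!xdg-documents;/mnt/games;

[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Print one "<class> <entry>" line per filesystems= entry read from stdin.
#   broad  = the host filesystem, host OS/etc trees, or the whole home
#            directory is visible inside the sandbox
#   denied = entry is negated with "!" (access explicitly removed)
#   scoped = a single directory or XDG location
classify_filesystems() {
    awk -F= '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == "filesystems" {
            n = split($2, e, ";")
            for (i = 1; i <= n; i++) {
                if (e[i] == "") continue
                base = e[i]; sub(/:(ro|rw|create)$/, "", base)
                if (base ~ /^!/) cls = "denied"
                else if (base ~ /^(host|host-os|host-etc|home)$/) cls = "broad"
                else cls = "scoped"
                print cls, e[i]
            }
        }'
}

# List only the broad grants; these are the ones that expose host files.
broad_grants() {
    classify_filesystems | awk '$1 == "broad" { print $2 }'
}

# With no argument, use the constructed sample; otherwise query the named app.
audit() {
    if [ -n "$1" ]; then flatpak info --show-permissions "$1"
    else printf '%s\n' "$SAMPLE_PERMS"; fi | classify_filesystems
}

audit "${1:-}"
```

A broad grant can be removed for one app with `flatpak override --user --nofilesystem=home $APPNAME`, after which rerunning the audit on that app should show the entry as denied.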

mike@overtonedsp
Established Member
Posts: 145
Joined: Mon Apr 24, 2017 5:26 pm
Location: Oxford, England
Been thanked: 55 times

Re: Flatpaks can access any directory without permission?

Post by mike@overtonedsp »

I felt I had to reply to this thread when I noticed it was Steam related - and share a link to some games I created in my alter-ego as an occasional 8-bit retro game developer. What started out as a side-project during some unexpected free time back in 2020... In which I decided to refresh my Z80 assembler language skills, quickly grew out of control into a full ZX Spectrum emulation engine (for those not familiar, the ZX Spectrum was a home micro computer much beloved of us here in the UK back in the 1980s).

The games are free to download in demo mode, they're available as .tzx and .tap files which can be loaded into any suitable emulator (I recommend Fuse, for Linux users), audio files which can be loaded into original ZX machines for the truly authentic experience, or, as stand-alone applications (no emulator required) for Windows and Linux PCs - complete with a built-in CRT simulation including screen curvature, brightness, contrast controls etc and phosphor persistence for extra retro goodness. So, any Linux musicians who feel like taking a break from music to experience home computing in the 1980s can learn more at: www.vintagesoftwaresystems.co.uk

The demos are free, I have to charge a relatively small amount for the full versions to cover the cost of the site. They're stupidly addictive and great fun.

(Demos also include QR codes, so in a quite surreal turn of events it's possible to buy the full version direct from a ZX Spectrum using a phone. If someone had told me that would be possible when I first encountered these machines 40 years ago it would have blown my tiny mind :) )

Death
Established Member
Posts: 372
Joined: Sun Oct 11, 2015 1:43 pm
Been thanked: 32 times

Re: Flatpaks can access any directory without permission?

Post by Death »

@mike@overtonedsp You didn't even attempt to make it look like you were trying to help.. :lol:
