Description
While working on ostreedev/ostree#908, I realized that flatpak's system helper could write root-owned suid binaries.
Breaking #837 out into an issue, since I think we need to do more design.
A basic problem here is we have 2 separate cases to handle:
- Flatpak default of /var/lib/flatpak/repo (currently bare-user)
- Endless OS case of /ostree/repo (i.e. bare)
/var case
In the original PR I was thinking of the /var/flatpak case. For that, we have two sub-options:
- Land fixups for bare-user to suppress all this
- Convert to bare-user-only
Either way, I think we're going to need some sort of "repository format change" mechanism. Doing a local pull between bare-user and bare-user-only unfortunately will require duplicating all of the content right now...but, possibly we could teach ostree that it's fine to hardlink file content between them, and just delete all the user.ostreemeta xattrs after?
System case
Something like OSTREE_REPO_PULL_FLAGS_BAREUSERONLY_PERMS to ostree_repo_pull()? We'd error out on finding world-writable/setuid files. Also, we add a bareuser_perms flag to ostree_repo_checkout() which does the same thing as ostreedev/ostree#914 but for the bare case?
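As an added illustration (not flatpak's or ostree's own code) of what such a pull/checkout flag would enforce: a check over constructed (path, mode) pairs that rejects setuid, setgid and world-writable entries, plus the mode canonicalization a root-owned bare-user style checkout would apply. The exact policy, the helper names and the sample tree are assumptions, not taken from ostree.

```python
import stat

# Constructed sample commit tree as (path, mode) pairs, the way a tree
# walker would yield them; not taken from any real flatpak commit.
SAMPLE_TREE = [
    ("usr/bin/app", 0o100755),
    ("usr/bin/helper", 0o104755),    # setuid root: must be rejected
    ("var/tmp/cache", 0o100666),     # world-writable: must be rejected
    ("usr/share/doc/README", 0o100644),
    ("usr/lib/libfoo.so", 0o102755), # setgid: must be rejected
]

def check_bareuser_perms(mode):
    """Return None if mode is acceptable under a strict 'bareuser perms'
    policy (hypothetical), else a short reason string."""
    if mode & stat.S_ISUID:
        return "setuid"
    if mode & stat.S_ISGID:
        return "setgid"
    if mode & stat.S_IWOTH:
        return "world-writable"
    return None

def validate_tree(entries):
    """Return (path, reason) for every entry a pull with the flag would
    refuse; an empty list means the commit passes."""
    rejected = []
    for path, mode in entries:
        reason = check_bareuser_perms(mode)
        if reason is not None:
            rejected.append((path, reason))
    return rejected

def canonical_bareuser_mode(mode):
    """Mode a root-owned checkout would actually apply (assumed policy):
    keep the file type, drop setuid/setgid/sticky and group/other write,
    and collapse to 0755 if any exec bit is set, else 0644."""
    ftype = stat.S_IFMT(mode)
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return ftype | 0o755
    return ftype | 0o644
```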