flatpak and filesystem ownership


New Member
Feb 5, 2023
Reaction score
Would you consider a system less secure if the filesystem, starting with /, is owned by the same (non-root) user that owns the processes running in that OS? Probably. But, would you consider the system within a namespace sandbox, such as the one employed by flatpak, to be much less secure if the user that owns the application process also owns /?

That is how flatpak sets up its internal mount-namespace-based filesystem, which is configured using bubblewrap (bwrap). The user that launches the flatpak'ed app will own / within the flatpak sandbox. For example, the symlinks /bin and /lib are writable. A user-owned process within the sandbox can replace /bin and /lib.

I discussed this with the bubblewrap developers (who are also flatpak developers), and although they agreed that /bin and /lib are user-writable, they do not think that this is a problem. I also communicated with the Mozilla developers that are responsible for the security of flatpak'ed Firefox, and they also do not think that this is a problem.

Note that this can be fixed with a simple change to the bubblewrap configuration used by flatpak that is (nearly always) transparent to the flatpak'ed application. I mentioned that when corresponding with the bubblewrap developers and Mozilla.

I think this is a problem because it would allow a moderately compromised application running within flatpak to become completely compromised. I consider this a type of privilege escalation: from writing user-owned files to forcing execution of malware (by replacing /lib). Even though this occurs within a sandbox, it could compromise user data and privacy, consume resources, etc..

Are there any opinions about this? Do you think this is a problem?

Members online