I run Debian 13 with MATE. I recently switched from the distro release to the flatpak version of FreeCAD, as the distro release is of course a few versions behind. Bear with me, as I am very new to using Flatpak or anything other than normal apt packages.

I just noticed that FreeCAD announces it is running as super user in the window title bar.

The interesting part is it doesn’t ask for privilege escalation with password entry when I launch it.

Seeing as FreeCAD never ran as SU with the distro release installed via apt, and I don’t think the program does anything that really needs SU… As much as I trust FreeCAD, this seems like a security hole I’d rather not have.

Is the Flatpak version running inside it’s own “box” and it isn’t getting SU permissions across my whole system? Or what am I missing here.

  • kumi@feddit.onlineEnglish
    15·
    1 day ago

    Is the Flatpak version running inside it’s own “box” and it isn’t getting SU permissions across my whole system?

    Indeed it is running sandboxed!

    Same principle as running uid 0 inside a rootless container.

    You can poke around a shell inside the sandboxed environment with flatpak run --command=bash org.freecad.FreeCAD and tweak access with FlatSeal.

    • empireOfLove2@lemmy.dbzer0.comOPEnglish
      1·
      19 hours ago

      Neat! I see why people prefer flatpaks these days with keeping each install sandboxed.

      The uid 0 part I think is why it shows SU, based on IanTwenty’s comment. Apparently a longstanding bug in MATE.

      • kumi@feddit.onlineEnglish
        8·
        1 day ago

        Good question and without looking closer or verifying I’d guess it actually doesn’t.

        Usually such things happen because at some point someone had an issue with accessing a hardware device or something and this became the “fix” perhaps because udev was confusing.

        If someone cares enough about it, tidying up loose flatpak packaging ends like that is often appreciated and a great way to contribute.

        • boredsquirrel (he)@slrpnk.net
          1·
          19 hours ago

          Well, but Flatpak also has the rule to not break anything by default.

          And they call things like changing filesystem=host to the specific directories (home, run, mnt) “security theatre” and prefer waiting forever for legacy apps to magically fix it

        • Mihies@programming.dev
          2·
          1 day ago

          I wonder where it was installed from (flathub?) and whether it has something to do with the linux version. Since at least two of us don’t see a superuser notification (turdas and me) but we are both on Fedora.

          • empireOfLove2@lemmy.dbzer0.comOPEnglish
            1·
            19 hours ago

            Yes I installed it from Flathub. IanTwenty’s comment says it is a longstanding bug with the MATE environment I am using, where flatpak’s running as a sandboxes process user ID show up as SU in the title bar when they actually aren’t.

  • turdas@suppo.fi
    9·
    1 day ago

    fwiw it doesn’t say this on my Fedora system when I run FreeCAD via Flatpak.