this post was submitted on 07 Jan 2026
35 points (97.3% liked)


I run Debian 13 with MATE. I recently switched from the distro release to the flatpak version of FreeCAD, as the distro release is of course a few versions behind. Bear with me, as I am very new to using Flatpak or anything other than normal apt packages.

I just noticed that FreeCAD announces it is running as super user in the window title bar.

The interesting part is it doesn't ask for privilege escalation with password entry when I launch it.

Seeing as FreeCAD never ran as SU with the distro release installed via apt, and I don't think the program does anything that really needs SU... As much as I trust FreeCAD, this seems like a security hole I'd rather not have.

Is the Flatpak version running inside its own "box" and it isn't getting SU permissions across my whole system? Or what am I missing here?

top 15 comments
[–] IanTwenty@piefed.social 19 points 2 weeks ago (2 children)

Looks like this long-standing issue affecting all flatpaks run under MATE/marco:

https://github.com/mate-desktop/marco/issues/301

> Applications launched under Firejail and Flatpak include "(as superuser)" in their window's title even though they're not actually being ran as root.

[–] boredsquirrel@slrpnk.net 2 points 2 weeks ago

Likely because of user namespace access

[–] empireOfLove2@lemmy.dbzer0.com 2 points 2 weeks ago

Ah okay. And makes sense seeing as it does not ask for escalation at launch. I probably won't worry about it then. Thanks!!

[–] kumi@feddit.online 15 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

> Is the Flatpak version running inside its own “box” and it isn’t getting SU permissions across my whole system?

Indeed it is running sandboxed!

Same principle as running uid 0 inside a rootless container.

You can poke around a shell inside the sandboxed environment with `flatpak run --command=bash org.freecad.FreeCAD` and tweak access with Flatseal.

[–] Mihies@programming.dev 4 points 2 weeks ago (1 children)

Even if sandboxed, why would it need su permissions?

[–] kumi@feddit.online 8 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Good question and without looking closer or verifying I'd guess it actually doesn't.

Usually such things happen because at some point someone had an issue with accessing a hardware device or something and this became the "fix" perhaps because udev was confusing.

If someone cares enough about it, tidying up loose flatpak packaging ends like that is often appreciated and a great way to contribute.

[–] Mihies@programming.dev 2 points 2 weeks ago (1 children)

I wonder where it was installed from (Flathub?) and whether it has something to do with the Linux version, since at least two of us don't see a superuser notification (turdas and me) but we are both on Fedora.

[–] empireOfLove2@lemmy.dbzer0.com 1 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Yes, I installed it from Flathub. IanTwenty's comment says it is a longstanding bug with the MATE environment I am using, where flatpaks running as a sandboxed process user ID show up as SU in the title bar when they actually aren't.

[–] Mihies@programming.dev 2 points 2 weeks ago

Thanks, that makes sense. All good I guess.

[–] boredsquirrel@slrpnk.net 1 points 2 weeks ago

Well, but Flatpak also has the rule to not break anything by default.

And they call things like changing `filesystem=host` to the specific directories (home, run, mnt) "security theatre" and prefer waiting forever for legacy apps to magically fix it.

[–] empireOfLove2@lemmy.dbzer0.com 1 points 2 weeks ago

Neat! I see why people prefer flatpaks these days with keeping each install sandboxed.

The uid 0 part I think is why it shows SU, based on IanTwenty's comment. Apparently a longstanding bug in MATE.

[–] turdas@suppo.fi 9 points 2 weeks ago (2 children)

fwiw it doesn't say this on my Fedora system when I run FreeCAD via Flatpak.

[–] Mihies@programming.dev 2 points 2 weeks ago
[–] kumi@feddit.online 1 points 2 weeks ago
[–] deegeese@sopuli.xyz 4 points 2 weeks ago

What does `ps -A` show as the user running FreeCAD?
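
The comments above compare the situation to uid 0 in a rootless container and ask which user the process really runs as. As an added example (not posted by anyone in the thread), this script reads a process's real uid from `/proc/<pid>/status` and translates uid 0 in that process's user namespace through `/proc/<pid>/uid_map`; the function names, the script name and the optional proc-root argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Run it on the host, outside the sandbox.
# /proc/<pid>/uid_map has one range per line:
#   <first uid inside the namespace> <first uid as the reader sees it> <length>

# map_uid UID MAPFILE: print the outside uid for UID, or "unmapped".
map_uid() {
    awk -v u="$1" '
        BEGIN { u += 0 }
        u >= $1 + 0 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "unmapped" }
    ' "$2"
}

# describe_pid PID [PROCROOT]: show the uid the process really has (first
# field of the Uid: line in status) and what uid 0 in its namespace maps to.
# PROCROOT defaults to /proc; it is a hypothetical hook for offline tests.
describe_pid() {
    dir="${2:-/proc}/$1"
    real=$(awk '$1 == "Uid:" { print $2 }' "$dir/status")
    echo "pid=$1 real_uid=$real ns_uid0_maps_to=$(map_uid 0 "$dir/uid_map")"
}

# Usage: sh check_uid.sh <pid>   (script name is a placeholder)
if [ "$#" -ge 1 ]; then
    describe_pid "$1"
fi
```

A `real_uid` other than 0 means the process holds no root privileges on the host, whatever uid it reports inside its own namespace.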