Why no permissions like Android or iOS?

There are two things here:

  • when you install a program by standard means (system installer such as apt/apt-get on Ubuntu) it is usually installed in some directory where it is available to all users (/usr/bin...). This directory requires privileges to be written to so you need special privileges during installation.

  • when you use the program, it runs with your user id and can only read or write where programs executed with your id are allowed to read or write. In the case of Gimp, you will discover for instance that you cannot edit standard resources such as brushes because they are in the shared /usr/share/gimp/ and that you have to copy them first. This also shows in Edit>Preferences>Folders where most folders come in pairs, a system one which is read-only and a user one that can be written to.


By installing a program on Ubuntu am I explicitly giving that program full permission to read/write anywhere on my drive and full access to the internet?

Yes, if you use sudo or the equivalent, you are giving the installer full permission to read/write anywhere on your drive. This is mostly the same thing. There is also a flag that the installer can set, called setuid, which will make the program have full permissions after install too.

Even if we ignore the installer and if the program is not setuid (it's very rare for programs to use setuid), when you run the program it has full access to anything your account can access. For example, if you're logged into your online banking, it could hypothetically send all your funds to Nigeria.

Why no permissions like Android or iOS?

The security model - that means the way the security system is designed - in Linux is very old. It's inherited from Unix, which dates back to the 1960s. Back then, there was no Internet, and most people in a department used the same computer. Most of your programs came from big companies that were trusted. So the security system was designed to protect users from each other, not to protect users from the programs they run.

Nowadays it is fairly outdated. Android is based on Linux, but it works by creating a separate "user account" for every app, instead of for every user. I don't know what iOS uses. Efforts like Flatpak are currently trying to bring the same sort of thing to the Linux desktop.


What you want is being provided by Flatpak apps. These are very much the equivalent of iOS, Android, or Windows Store apps.

I haven't used them so I don't know if they've implemented the GUI yet, to see the permissions required by each app when it is installed.

https://blogs.gnome.org/alexl/2017/01/20/the-flatpak-security-model-part-2-who-needs-sandboxing-anyway/

Every flatpak application contains a manifest, called metadata. This file describes the details of the application, like its identity (app-id) and what runtime it uses. It also lists the permissions that the application requires.

By default, once installed, an application gets all the permissions that it requested. However, you can override the permissions each time you call flatpak run or globally on a per-application basis by using flatpak override (see manpages for flatpak-run and flatpak-override for details). The handling of application permissions is currently somewhat hidden in the interface, but the long term plan is to show permissions during installation and make it easier to override them.

I also haven't used Ubuntu's alternative, Snappy, to know if it provides such a feature visible in the GUI.
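As an added example (not from any of the answers above, nor from the Flatpak project): a POSIX shell script that reads the [Context] section of a Flatpak metadata manifest and prints the `flatpak override` flags that would revoke each granted permission. The manifest and the app-id org.example.Editor are constructed so it runs offline; on a real system `flatpak info --show-permissions APP_ID` prints the same section.

```shell
#!/bin/sh
# Constructed metadata manifest standing in for a real installed app's
# "metadata" file (real ones live under /var/lib/flatpak or ~/.local/share/flatpak).
METADATA=$(mktemp)
trap 'rm -f "$METADATA"' EXIT
cat > "$METADATA" <<'EOF'
[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;xdg-download;
EOF

# Print the "key=value" lines of the [Context] section only; this is the
# permission list the answer above refers to.
context_keys() {
    awk -F= '/^\[/ { in_ctx = ($0 == "[Context]"); next }
             in_ctx && NF >= 2 { print $1 "=" $2 }' "$1"
}

# Map each granted permission to the flatpak override/run flag that removes it.
revoke_flags() {
    context_keys "$1" | while IFS='=' read -r key values; do
        case "$key" in
            shared)      flag=--unshare ;;
            sockets)     flag=--nosocket ;;
            filesystems) flag=--nofilesystem ;;
            *)           continue ;;
        esac
        # Values are ';'-separated with a trailing ';', so skip the empty tail.
        printf '%s\n' "$values" | tr ';' '\n' | while read -r v; do
            if [ -n "$v" ]; then printf '%s=%s\n' "$flag" "$v"; fi
        done
    done
}

echo "Permissions requested by the app:"
context_keys "$METADATA"
echo
echo "Commands that would revoke them persistently for your user:"
revoke_flags "$METADATA" | sed 's/^/  flatpak override --user /; s/$/ org.example.Editor/'
```

The same flags are accepted by `flatpak run` for a one-off restricted launch, which is the per-invocation override the quoted text mentions.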