Pin the gnome-shell appindicator extension to a specific ubuntu upstream
commit and download an immutable tarball URL. Verify the downloaded
archive's SHA-256 (refuse to proceed if sha256sum/shasum is missing or
the checksum mismatches) and only extract when verification succeeds.
Add quoting for $username in sudo/mkdir invocations and preserve the
staging/copy workflow for user-owned extension installation. For the
InstallRemoteExtension flow on other distros, add a 90s polling timeout
when waiting for metadata.json and surface an error on timeout to avoid
hanging indefinitely.
This pull request addresses a startup issue with Fleet Desktop on
openSUSE Leap 16 and similar Linux distributions. The main change is to
adjust how Fleet Desktop and key-escrow dialogs are launched to avoid
environment variable loss caused by login shell profile scripts. The fix
is scoped specifically to openSUSE Leap 16+ to avoid impacting other
distributions.
**Distribution-specific sudo invocation changes:**
* The `-i` (login shell) flag is now omitted from the `sudo` command
when launching Fleet Desktop and key-escrow dialogs on openSUSE Leap 16
and newer, preventing environment variables from being lost due to
profile script interference.
[[1]](diffhunk://#diff-633ab361af6795ef458233819e2806dfba4ca56f684866d956321825b8fd2e91R1)
[[2]](diffhunk://#diff-3e8315d9f12512bce490457c5d20bd7c5aebaa2a8e18b1abf50e504815dd7a9dR178-R193)
* For all other supported distributions, the previous behavior (using
`-i`) is preserved to maintain compatibility and avoid unnecessary
re-testing.
**Detection logic:**
* Introduced a new helper function `isOpenSUSELeap16Plus` in
`execuser_linux.go` to detect if the host is running openSUSE Leap 16 or
newer by parsing `/etc/os-release`. This ensures the workaround is only
applied where necessary.
---
**Related issue:** N/A — surfaced via field investigation on openSUSE
Leap 16 (arm64).
This PR addresses two distinct issues that together prevent Fleet
Desktop from working on openSUSE Leap 16, both validated end-to-end on a
real Leap 16 (arm64) host.
## 1. Launch reliability — drop `sudo -i`
`orbit/pkg/execuser/execuser_linux.go`
On Linux, Orbit launches Fleet Desktop with:
```
sudo -n -i -u <user> -H env WAYLAND_DISPLAY=… … FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH=/opt/orbit/identifier … /…/fleet-desktop
```
The `-i` flag makes sudo "simulate initial login" — it runs the target
user's shell as a login shell and wraps the rest of the command in `bash
--login -c '<escaped>'`. That sources `/etc/profile` and every script in
`/etc/profile.d/*` before our `env KEY=val … fleet-desktop` line runs,
and shell metacharacters (`=`, `:`, `/`, `.`) get backslash-escaped
through the shell layer.
On **openSUSE Leap 16 (arm64)**, that indirection causes the inline
env-var assignments to not reach `fleet-desktop`, which exits
immediately with:
```
FTL missing URL environment FLEET_DESKTOP_DEVICE_IDENTIFIER_PATH
```
Orbit then respawns it every ~15 s in a tight kill-and-respawn loop, so
the tray icon never appears.
**Fix:** drop `-i` from the sudo invocation. We don't need a login
shell:
- `-H` already sets `HOME` to the target user.
- sudo's default `env_reset` sets `USER` / `LOGNAME` / `SHELL` / `MAIL`
and `PATH` to `secure_path`.
- All session vars (`WAYLAND_DISPLAY`, `DISPLAY`,
`DBUS_SESSION_BUS_ADDRESS`, `LD_LIBRARY_PATH`) and every
`FLEET_DESKTOP_*` var are already passed explicitly via `env KEY=val …`.
After the change, sudo `execve()`s `env` directly with no shell layer in
between, so `/etc/profile.d` sourcing and shell-escaping are out of the
picture.
The `runuser -l` /proc/keys-leak regression from PR #32309 does not
apply — that was specific to `runuser -l` creating session keyrings;
sudo without `-i` doesn't.
# Checklist for submitter
- [x] Changes file added:
`orbit/changes/fleet-desktop-linux-no-login-shell`
- [x] Input data is properly validated; untrusted data interpolated into
shell scripts/commands is validated against shell metacharacters.
- [x] Timeouts are implemented and retries are limited to avoid infinite
loops (script's wait loop now bounded at 90s).
- [x] If paths of existing endpoints are modified without backwards
compatibility, checked the frontend/CLI for any necessary changes — N/A.
## Testing
Manual QA needed before merge:
- [x] **openSUSE Leap 16 (arm64)** — Fleet Desktop process starts, stays
running, env vars present, no FTL respawn loop. Done via `sudo` shim.
- [x] **openSUSE Leap 16 (arm64) — extension fallback** — manual tarball
install + schema compilation produces a working tray icon (matching what
the script automates).
- [ ] **Ubuntu 22.04 / 24.04** — regression check: Fleet Desktop tray
icon still appears, key-escrow zenity dialog still renders, AppIndicator
script still installs via the official path.
- [ ] **Fedora (recent)** — regression check: same as above.
- [ ] **Debian** — regression check: same as above.
- [ ] **openSUSE Tumbleweed** — confirm `InstallRemoteExtension` path
still works (no fallback path triggered).
## fleetd/orbit/Fleet Desktop
- [x] Verified compatibility with the latest released version of Fleet —
pure launch-flag change plus a script update; no protocol or schema
impact.
- [x] If the change applies to only one platform, confirmed that
`runtime.GOOS` is used as needed to isolate changes — Go change is in
`execuser_linux.go`, only built on Linux. The script is Linux-only by
construction.
- [ ] Verified that fleetd runs on macOS, Linux and Windows — Linux
re-verification pending QA above; macOS/Windows code paths unchanged.
- [ ] Verified auto-update works from the released version of component
to the new version.
## Notes for reviewers
- The tray-icon visibility issue is an OS-side prerequisite (GNOME 3.26+
has no native tray), so the AppIndicator extension is required
regardless. Even after installing it, Wayland requires a logout/login to
pick up new extensions — this is documented behavior and not specific to
the fallback path.
Add multiple endpoint security policies and telemetry reports and wire
them into the workstations fleet manifest. New macOS policies: firewall,
Gatekeeper, SIP (critical), Remote Login disabled, screen-lock
inactivity, and local-admin count; new Windows policies: Secure Boot,
Remote Desktop disabled, interactive screen-lock timeout; new Linux
policy: sshd PermitRootLogin restriction. Added cross-platform reports
for disk encryption (includes BitLocker), local user/admin inventory,
USB devices, listening ports, and Chromium-family browser extensions.
These changes improve compliance and detection coverage (SOC2/ISO
mappings included) and enable more comprehensive fleet monitoring.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **New Features**
* Added device compliance checks: macOS firewall, Gatekeeper, SIP, local
admin count, Windows Secure Boot, and Linux SSH root-login restriction
* Disabled high-risk remote access: macOS Remote Login and Windows
Remote Desktop checks
* Added screen-lock inactivity checks for macOS and Windows
* New inventory reports: local user accounts, connected USB devices,
open listening ports, and browser extensions (Safari, Firefox,
Chromium-family)
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Add Slack logo asset and update Linux package manifests to use the new
release. Adds it-and-security/lib/all/icons/slack-logo.png and updates
slack-deb.yml and slack-rpm.yml to bump the Slack desktop version to
4.49.81 and include an icon.path reference.
## Summary
- Adds cross-platform disk space check policies (macOS, Windows, Linux)
scoped to the workstations team
- Each policy calculates the percentage of available disk space relative
to total disk space and **fails when available disk space is 10% or
less**
- macOS/Linux policies query the `mounts` table for the root partition
(`/`); Windows policy queries the `logical_drives` table for NTFS drives
- Resolution contact channel is `#help-it`
### New files
- `it-and-security/lib/macos/policies/disk-space-check.yml`
- `it-and-security/lib/windows/policies/disk-space-check.yml`
- `it-and-security/lib/linux/policies/disk-space-check.yml`
### Modified files
- `it-and-security/teams/workstations.yml` — registers the three new
policies
### How it works
| Platform | Query logic |
|---|---|
| macOS | `SELECT 1 FROM mounts WHERE path = '/' AND
CAST(blocks_available AS REAL) / blocks > 0.10` |
| Linux | `SELECT 1 FROM mounts WHERE path = '/' AND
CAST(blocks_available AS REAL) / blocks > 0.10` |
| Windows | `SELECT 1 WHERE (SELECT CAST(SUM(free_space) AS REAL) /
SUM(size) FROM logical_drives WHERE file_system = 'NTFS') > 0.10` |
- **Pass (returns rows):** available disk space is more than 10%
- **Fail (returns no rows):** available disk space is 10% or less
### Why >10% free disk space matters
Each policy description now includes context on why maintaining
sufficient free disk space is important:
- **System stability:** Low disk space can cause system instability,
slowdowns, and crashes
- **OS requirements:** Operating systems need free space for virtual
memory/swap, temporary files, and system updates
- **Application reliability:** Applications may fail to save data or
function properly when disk space is critically low
- **Data protection:** Keeping sufficient free space ensures reliable
performance and prevents data loss
Built for [Allen
Houchins](https://fleetdm.slack.com/archives/D0AFASNBZMW/p1772934328893319?thread_ts=1772933835.386689&cid=D0AFASNBZMW)
by [Kilo for Slack](https://kilo.ai/features/slack-integration)
---------
Co-authored-by: kiloconnect[bot] <240665456+kiloconnect[bot]@users.noreply.github.com>
This pull request makes minor improvements to the software metadata for
Linux and Windows installers, and updates messaging in a MacOS
configuration profile. The main changes are the addition of display
names for several software packages and a small wording update in the
MacOS profile.
Software metadata improvements:
* Added the `display_name` field for 1Password, Slack, and Zoom
installers in both `.deb` and `.rpm` formats for Linux, improving
clarity in software listings.
[[1]](diffhunk://#diff-74a6b317e1363bc4c856fc04b9532876ec6fbdaec1ae7745bc7ec00c164b5ee8R2)
[[2]](diffhunk://#diff-a09b19aa20a36257dba104b182ec182a175198bf2b83b4c27bbe5b34e3f86a9cR2)
[[3]](diffhunk://#diff-63cf9bff568593d4d6681597dc69b3c3741cbd53197cfa8056e66a8ce6aa65a3R2)
[[4]](diffhunk://#diff-1c76fa28d50f586e4d7090a954db56d9235cdea759e8a613d2c5fb0ccdf28fdfR2)
[[5]](diffhunk://#diff-d3b614ed0d7209d14d8f70170e4326d56e660fdb87ed585674be14c344a59d7fR2)
[[6]](diffhunk://#diff-c5be3430c846b9b69a3d47f0157b0d1707a61dac731d823e38adbf78de4f5ebeR2)
* Added the `display_name` field for Zoom installers for Windows
(`zoom-arm.yml` and `zoom.yml`), making software identification easier.
[[1]](diffhunk://#diff-3f6d972edfe5bd7590c0cd9ffc76a416401410a4b6143e4d6b2d6a0f8efa83b5R2)
[[2]](diffhunk://#diff-2ea34a1db8efdb13d238a064e9bd2e0ba1e4565aba849549e6182fcbe38cd388R2)
MacOS configuration profile update:
* Updated the `subHeader` in the `nudge-configuration.mobileconfig` file
to reference the "IT team" instead of "IT & Enablement team," clarifying
the responsible group in user notifications.
Add 1Password Linux package manifests (deb & rpm), update Slack Linux
download URLs to the generic download endpoints, and bump Zoom Linux
package URLs to a newer build (6.7.5.6891). Also add a display_name for
macOS Zoom and register the new Linux 1Password entries in the
workstations software list; remove several redundant display_name fields
in workstations.yml to avoid duplication. Files changed:
it-and-security/lib/linux/software/{1password-deb.yml,1password-rpm.yml,slack-deb.yml,slack-rpm.yml,zoom-deb.yml,zoom-rpm.yml},
it-and-security/lib/macos/software/zoom.yml, and
it-and-security/teams/workstations.yml.
For #36619. Zed + Opus 4.5, prompt was just "fix
https://github.com/fleetdm/fleet/issues/36619"
<!-- Add the related story/sub-task/bug number, like Resolves#123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
No changes file as this isn't in a Fleet release.
## Testing
- [ ] QA'd all new/changed functionality manually
---------
Co-authored-by: Allen Houchins <allenhouchins@mac.com>
I tested the uninstall script by:
- Making a new agent package and installing it
- Checking with `dpkg --get-selections | grep 'fleet'` that
fleet-osquery is installed
- Checking with `sudo systemctl list-units | grep 'orbit'` that
orbit.service is running
- Uninstalling the package with uninstall-fleetd-linux.sh
- Checking the above commands again to see that fleet-osquery and
orbit.service are uninstalled.
# Checklist for submitter
If some of the following don't apply, delete the relevant line.
<!-- Note that API documentation changes are now addressed by the
product design team. -->
- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files)
for more information.
- For Orbit and Fleet Desktop changes:
- [x] Manual QA done on one Linux machine (Ubuntu 24 on HP laptop).
- updated the script and policy names to reflect naming convention and
look better in Fleet Desktop
- removed script from Servers (canary); since Fleet Desktop is not
enabled on Servers, it leads to awkward conversations when demo'ing with
customers.
For #20675 and #25977.
- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] A detailed QA plan exists on the associated ticket (if it isn't
there, work with the product group's QA engineer to add it)
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [X] Make sure fleetd is compatible with the latest released version of
Fleet (see [Must
rule](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/fleetd-development-and-release-strategy.md)).
- [X] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [X] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).
- Move duplicate scripts out of `scripts/mdm/` and into
`it-and-security/` so we have one version that we can continue to
iterate and improve.
- Remove no longer used scripts out of `scripts/mdm/`
---------
Co-authored-by: Lucas Manuel Rodriguez <lucas@fleetdm.com>
- Fixed patch logic and updated version strings in Firefox and Slack
policies: fleetdm/confidential#9389
- Implemented custom target scoping for Linux software:
fleetdm/confidential#9348
- Updated and consolidated macOS latest operating system check policy
- Copied policies from "💻🐣 Workstations (canary)" to "💻 Workstations"
team
