Hi.

On Wed, 25 Dec 2013 12:08:01 +0900
Joel Rees <joel.r...@gmail.com> wrote:

> On Tue, Dec 24, 2013 at 9:42 PM, Reco <recovery...@gmail.com> wrote:
> >  Hi.
> >
> > On Tue, 24 Dec 2013 13:29:28 +0100
> > Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote:
> >
> >> This would lead to "Error: cannot open display: :0.0".
> >> Sure, $ xhost +; sudo -u [...] does the trick,
> >
> > No, if you do it the smart way, such as (in .xsessionrc):
> >
> > xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> > xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> > "cat -> /home/user2/.Xauthority"
> >
> > And configure sudo to keep $DISPLAY.
> > [...]
> 
> I'm using "xhost" to do something similar, maybe the same thing? I
> described it a couple of years ago:
> 
> http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
> 
> I'd be interested in comments.


The result is definitely the same, although I'd use

xhost +si:localuser:${1}

instead of

xhost local:${1}

Not that there is much difference between them, given that Debian (or
Fedora, or any major distribution for that matter) has not shipped the
XSECURITY extension for a long time.


And I'd use

sudo -H -u ${1} /usr/bin/firefox $2

instead of

sudo -H -u ${1} firefox $2

because:

a) Without -H sudo can keep $HOME, which will force firefox to search
for its profile in a different user's home (kinda beats the purpose of
a sandbox, doesn't it?).

b) That sneaky sandbox user can override firefox with something
like /home/user9-boxed/bin/firefox, which is bad.


What I'm curious about is that you did not have to permit sudo to keep
the $DISPLAY environment variable. Is it something that Fedora allows by
default? Because Debian surely does not (env_reset by default).

Reco


Archive: 
http://lists.debian.org/20131225101505.a913d65d212d52505052d...@gmail.com
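
Added example, not part of the message above or of the linked blog post: a POSIX sh launcher sketch that combines the points made in the reply (`xhost +si:localuser:`, `sudo -H`, an absolute program path) and checks that the program file cannot be replaced by the sandbox account. The function names, `TRUSTED_UID` and `DRY_RUN` are hypothetical; it assumes GNU `stat` and a sudoers configuration that passes `DISPLAY` through (for example via `env_keep`).

```shell
#!/bin/sh
# Added example (hypothetical names): launcher for a sandbox account.
# TRUSTED_UID is the uid that must own the binary; 0 means root.
TRUSTED_UID=${TRUSTED_UID:-0}

# Reject empty names, names starting with "-" (would parse as a sudo option),
# and names with unexpected characters; then require the account to exist.
check_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) echo "bad user name: $1" >&2; return 1 ;;
    esac
    id -u "$1" >/dev/null 2>&1 || { echo "no such user: $1" >&2; return 1; }
}

# Accept only an absolute path to an executable file owned by TRUSTED_UID
# and not writable by group or others, so the sandbox user cannot replace it.
check_binary() {
    bin=$1
    case "$bin" in
        /*) ;;
        *) echo "refusing non-absolute path: $bin" >&2; return 1 ;;
    esac
    if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then
        echo "not an executable file: $bin" >&2; return 1
    fi
    owner=$(stat -L -c '%u' "$bin") || return 1   # GNU stat assumed
    mode=$(stat -L -c '%a' "$bin") || return 1
    [ "$owner" = "$TRUSTED_UID" ] || { echo "wrong owner: $bin" >&2; return 1; }
    # Octal test: 020 is group write, 002 is other write.
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "writable by others: $bin" >&2; return 1; }
}

# launch_sandboxed USER /abs/path/to/program [ARGS...]
# With DRY_RUN set, print the two commands instead of running them.
launch_sandboxed() {
    [ $# -ge 2 ] || { echo "usage: launch_sandboxed USER BINARY [ARGS]" >&2; return 2; }
    user=$1; bin=$2; shift 2
    check_user "$user" && check_binary "$bin" || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        echo "xhost +si:localuser:$user"
        echo "sudo -H -u $user -- $bin $*"
        return 0
    fi
    xhost "+si:localuser:$user" >/dev/null || return 1
    sudo -H -u "$user" -- "$bin" "$@"
}
```

The file check covers the program itself only; the directories leading to it need the same ownership and mode for the check to mean anything.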
