![]() Where is this file? Does it reside in /tmp? Essentially, this just copies the X cookies to the unprivileged user.īut the browser would probably need access to the run socket dir, it's usually 700 permissions There is a "sux" script which does this, and I have written the more convient "sudox" for it. Of course, under X I have to grant this user full access to my X session. I have a separate browser-user with less privileges than my normal user. Last edited by mike155 on Sun 1:57 pm edited 1 time in total I can live with that, but it might be a problem in some cases. Ego doesn't revoke the ACLs when the guest process finishes (see: issue 55). usr/local/bin/ego -sudo -u guestuser MOZ_ENABLE_WAYLAND=1 firefoxĮgo uses ACLs to make the Wayland socket accessible to the guest user. It seems to work! The command below changes the user id using sudo and starts Firefox in Wayland mode. This is done using filesystem ACLs and xhost command.ĮDIT: I just installed ego and gave it a try. You may think of it as xhost for Wayland and PulseAudio. Currently integrates with Wayland, Xorg, PulseAudio and xdg-desktop-portal. Not sure about the uid browser thing, not sure that seatd even cares.īut the browser would probably need access to the run socket dir, it's usually 700 permissions.Įdit to add: running sudo -u on the low priority user browser might work, you'd have to pass some env vars.Įgo is a tool to run Linux desktop applications under a different local user. I don't know if this will work any better, but it should bypass the immediate apparent problem that seatd refuses to allow the browser in because of a uid mismatch. I might start with Firejail instead, which runs the browser as the same uid, but with a severely restricted view of the filesystem and with system call filters. I am not aware of a way to do this in Wayland, but I have not looked for such a thing. ![]() No, I think mv is asking about using a separate uid just for the browser, so that standard Linux permissions can prevent the browser from reading the regular home directory, signaling other processes, etc. Gcc 12.3.0, profile 17.0 (custom bare multilib), openrc, wayland I'm not sure if this is exactly what you're asking. I assume you mean the fact that X ran as root and thus the need for low privileged users.ĭon 17239 tty1 \_ /bin/bash /home/don/bin/startwĭon 17240 tty1 \_ dbus-run-session - /usr/bin/wayfireĭon 17241 tty1 \_ dbus-daemon -nofork -print-address 4 -sessionĭon 17267 tty1 Xwayland :0 -rootless -terminate -core -listenfd 20 -listenfd 21 -wm 24ĭon 14957 tty1 /opt/palemoon/palemoon -P defaultĭon 30942 tty1 /usr/bin/firefox -no-remote -P dsĮverything runs as my user, the only group I'm in is input as starting from the command line you need to see kbd/mouse. ![]() Last edited by mv on Sat 4:18 pm edited 1 time in total Summary of the discussion: All steps necessary to do this are now contained in sudox (ebuild available for gentoo through the mv overlay). I assume that the question reads more precisely: Is it possible to register a second (low-privileged) user with seatd somehow? (Or can a window in a running compositor with the low privileged user also be opened in another way?) How is the analogous thing done in wayland, in particular with seatd? Xauthority file in the home directory of the low-privileged user (and some variables exported). ![]() In X, it was possible to run a browser with a low-privileged user: All you needed was an appropriate. Posted: Sat 7:48 pm Post subject: wayland: Run a browser with reduced privileges Gentoo Forums Forum Index Desktop Environments Wayland: Run a browser with reduced privileges Gentoo Forums :: View topic - wayland: Run a browser with reduced privileges ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |