Linux Archive


Joel Rees 08-09-2011 07:42 AM

sudo a graphical app?
 
Taking a few clues from these old posts by kellyremo:

<http://lists.fedoraproject.org/pipermail/users/2011-February/392134.html>
<http://lists.fedoraproject.org/pipermail/users/2011-February/392136.html>

and doing this one step at a time, to avoid opening holes in my system

(Being paranoid, I am not using the actual names from my system here.)

user9 is a user that I regularly login on.

user9-boxed is a user I just added, hardened password, but set to
nologin, with home directory /home/boxes/user9-boxed .

user9 is a member of the user9-boxed group.

chmod -R o-rwx,g+rw /home/boxes/user9-boxed

Added a file: /etc/sudoers.d/77_boxers , owned by root, permissions go-rwx

Contents:
----------------------------------------------------
User_Alias USERDOER = user9
Runas_Alias USERBOXED = user9-boxed
Defaults:USERDOER !authenticate, always_set_home, set_logname, !preserve_groups
USERDOER ALL = (USERBOXED) ALL
----------------------------------------------------

I can sudo -u user9-boxed from the command line to my heart's content.
Well, okay, tested lightly. I should probably see what gnupg would do.

I was able to do this from the command line:

xhost local:user9-boxed; sudo -u user9-boxed firefox

and get firefox running as user9-boxed. (Downloads to user9-boxed's
Downloads directory, etc.) So I made a shell script, firebox, chmod-ed
for +x:

----------------------------------------------
#! /bin/sh

# $1 = account to run firefox as, $2 = optional URL to open
xhost "local:${1}"; sudo -u "${1}" firefox ${2:+"$2"}
----------------------------------------------

and running it as "./firebox user9-boxed http://www.fedora.org" today
brings up a nice picture of a cute little dog wearing a hotdog bun.
(Hmm. Yeah, the weather's hot these days.) Whatever. Firefox is
clearly running.

However, pulling the firefox clicky icon out of the internet
applications menu to the panel and editing the command hasn't gotten
me good results.

sudo -u user9-boxed -- /usr/bin/firefox %u &

gives a "sorry, you must have a tty to run sudo" error in
/var/log/secure . So does using the firebox command. But

xhost local:user9-boxed; sudo -u user9-boxed -- /usr/bin/firefox %u &

as the command gives no error messages in secure, but leaves a bunch
of normal-looking messages in /var/log/Xorg.0.log . (Nothing stands
out to me at any rate.) And no firefox session starting up.

ps wwaux | grep user9-boxed

doesn't show me any leftover processes.

For me and my children, I have no problem with using the command line
version. My wife is not going to consider this fun at all, so I would
like to make a clicky icon. Anyone care to offer a clue?

(I suppose I should look at Matt Hansens's comments on using PAM
linked in the 2nd thread above, but that will be for another day.)

Joel Rees
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
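
Added example (not part of the original posts): a tightened variant of the firebox launcher from the message above. It assumes sandbox accounts follow the thread's `<name>-boxed` naming, and the function names are made up for this illustration. It grants X access with `xhost +si:localuser:` for the one account, because the `local:` form, as the xhost output quoted later in the thread shows, adds all non-network local connections.

```shell
#!/bin/sh
# Added example: hardened variant of the thread's "firebox" launcher.
# Assumption: sandbox accounts follow the thread's "<name>-boxed" pattern.

# Accept only lowercase account names ending in -boxed, so a stray or
# hostile argument can never become a sudo option or another account.
valid_box_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *-boxed) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept an empty URL or a plain http(s) URL without whitespace.
valid_url() {
    case "$1" in
        '') return 0 ;;
        *[[:space:]]*) return 1 ;;
        http://*|https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the two commands the launcher runs, one per line, or fail.
boxed_cmds() {
    valid_box_user "$1" || { echo "bad sandbox user: $1" >&2; return 2; }
    valid_url "${2:-}" || { echo "bad URL: ${2:-}" >&2; return 3; }
    # si:localuser: grants X access to this one account only.
    printf 'xhost +si:localuser:%s\n' "$1"
    printf 'sudo -u %s -H -- /usr/bin/firefox %s\n' "$1" "${2:-}"
}

launch_boxed() {
    boxed_cmds "$@" >/dev/null || return
    xhost "+si:localuser:$1" >/dev/null || return
    # -H sets HOME to the sandbox account; -- ends sudo option parsing.
    if [ -n "${2:-}" ]; then
        sudo -u "$1" -H -- /usr/bin/firefox "$2"
    else
        sudo -u "$1" -H -- /usr/bin/firefox
    fi
}

# Run only when called with arguments: ./firebox user9-boxed http://...
if [ "$#" -gt 0 ]; then launch_boxed "$@"; fi
```

Running `boxed_cmds user9-boxed http://www.fedora.org` prints the commands without executing them, which is a quick way to check an argument before wiring the script to a panel icon.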

Andre Speelmans 08-09-2011 09:26 AM

Hi Joel,

> sudo -u user9-boxed -- /usr/bin/firefox %u &
>
> gives a "sorry, you must have a tty to run sudo" error in
> /var/log/secure . So does using the firebox command.

If I recall correctly, there is a line "requiretty" in the
/etc/sudoers file (or can be added). The default value is true, you
might try changing that to false.


--
Regards,

André

Joel Rees 08-11-2011 12:50 AM

On Tue, Aug 9, 2011 at 6:26 PM, Andre Speelmans <fedora-list@cosiso.nl> wrote:
> Hi Joel,
>
>> sudo -u user9-boxed -- /usr/bin/firefox %u &
>>
>> gives a "sorry, you must have a tty to run sudo" error in
>> /var/log/secure . So does using the firebox command.
>
> If I recall correctly, there is a line "requiretty" in the
> /etc/sudoers file (or can be added). The default value is true, you
> might try changing that to false.

b'gosh, it says that's supposed to be off by default, but I added
!requiretty to the defaults line and the clicky works now!

(Now comes the hard part, trying to figure out whether this effort at
sandboxing really does any good.)

Thanks.

Joel Rees

Joel Rees 08-12-2011 01:27 AM

Well, it's not perfect. libflashplayer.so copied into the unprivileged
user's .mozilla/plugins, but ALSA or PulseAudio gags:

[user9@fed ~]$ bin/localff user9-boxed
non-network local connections being added to access control list
ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
Connection refused

ALSA lib pcm_hw.c:1401:(_snd_pcm_hw_open) Invalid value for card
ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
Connection refused

ALSA lib pcm_hw.c:1401:(_snd_pcm_hw_open) Invalid value for card
ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
Connection refused

...

Video seems to work, though.

Joel Rees


"T.C. Hollingsworth" 08-12-2011 01:43 AM

On Thu, Aug 11, 2011 at 6:27 PM, Joel Rees <joel.rees@gmail.com> wrote:
> Well, it's not perfect. libflashplayer.so copied into the unprivileged
> user's .mozilla/plugins, but ALSA or PulseAudio gags:
>
> [user9@fed ~]$ bin/localff user9-boxed
> non-network local connections being added to access control list
> ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
> Connection refused
>
> ALSA lib pcm_hw.c:1401:(_snd_pcm_hw_open) Invalid value for card
> ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
> Connection refused
>
> ALSA lib pcm_hw.c:1401:(_snd_pcm_hw_open) Invalid value for card
> ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect:
> Connection refused

Probably because PulseAudio on your normal user and PulseAudio in your
boxed user are trying to use the same sound device at the same time.
You can either forward your sound from the PulseAudio server running
as your sandboxed user to the server running as your normal user, or
figure out how to punch a hole in your sandbox that lets apps talk to
the normal user's server. Audio in vanilla sudoed applications work
just fine on my system so I presume something about your sandbox
configuration is blocking it.

> ...
>
> Video seems to work, though.
>
> Joel Rees
>

-T.C.