concurrent users (was: how to run kdesu without asking password?)
Roberto Ragusa
mail at robertoragusa.it
Mon Feb 14 08:33:37 UTC 2011
On 02/12/2011 02:29 PM, Tim wrote:
> On Sat, 2011-02-12 at 01:19 -0800, erikmccaskey64 wrote:
>
>> I just need it for "bigger security". i don't only want to run
>> transmission-gtk with another user, i want to run e.g.: Google Chrome
>> too. [run application with a user that has low permissions results in
>> bigger sec.]
>
> I'm curious to know in what way have you made this other user more
> restricted.
That is simple. If a program runs as a different user, it simply
does not have access to your main user data (e.g. firefox bookmarks
or cookies, saved email, and all your documents).
I personally use this method to separate high importance stuff
(dedicated user for online banking) or throw-away stuff
(another dedicated user).
It is also a very good way to have more sets of settings for a single
applications: you have your independent personal firefox and pidgin and
your "work" firefox and pidgin. (yes, I know about firefox profiles,
but this way is better)
I used to run things with kdesu but got into problems (environment handling?).
I take the opportunity to share how I currently do that.
I have this script, called xroot:
echo "echo \"`xauth nextract - :${DISPLAY#*:}`\" | xauth nmerge -"
So I open a terminal and run xroot, the output is something like (xxx as placeholder):
echo "0100 0008 7xxx4 0001 30 0012 4xxx1 0010 fxxxc" | xauth nmerge -
I copy this text into the clipboard.
Then I run:
su -l secondaryuser
and then paste the text.
Now, you can run applications (xclock if you want to check that X is ok).
This is more efficient than the "ssh localhost" way and more secure than
the "xhost +" way.
Only issues are pulseaudio and all the "session-aware" things which are so
fashionable nowadays.
--
Roberto Ragusa mail at robertoragusa.it
More information about the users
mailing list