http://marc.info/?t=141848416000001&r=1&w=2
and
http://marc.info/?t=141616714600001&r=1&w=1
for more information]
[Note: It's working in Fedora 15 after all. Did something get fixed in the last updates? 20120107]
Transferring my posts in Fedora users to my blog.
(Not yet sure how well this works, though.)
Taking a few clues from these old posts by kellyremo:Then Andre Speelmans clued me in about requiretty, so the defaults lines will look like
<http://lists.fedoraproject.org/pipermail/users/2011-February/392134.html>
<http://lists.fedoraproject.org/pipermail/users/2011-February/392136.html>
and doing this one step at a time, to avoid opening holes in my system (Being paranoid, I am not using the actual names from my system here.)
user9 is a user that I regularly login on.
user9-boxed is a user I just added, hardened password, but set to nologin, with home directory /home/boxes/user9-boxed .
user9 is a member of the user9-boxed group.
chmod -R o-rwx,g+rw /home/boxes/user9-boxed
Added a file: /etc/sudoers.d/77_boxers , owned by root, permissions go-rwx
Contents:
----------------------------------------------------
User_Alias USERDOER = user9
Runas_Alias USERBOXED = user9-boxed
Defaults:USERDOER !authenticate, always_set_home, set_logname, !preserve_groups
USERDOER ALL = (USERBOXED) ALL
----------------------------------------------------
I can sudo -u user9-boxed from the command line to my heart's content. Well, okay, tested lightly. I should probably see what gnupg would do.
I was able to do this from the command line:
xhost local:user9-boxed; sudo -u user9-boxed firefox
and get firefox running as user9-boxed. (Downloads to user9-boxed's Downloads directory, etc.) So I made a shell script, firebox, chmod-ed for +x:
----------------------------------------------
#! /bin/sh
xhost local:${1}; sudo -u ${1} firefox $2
----------------------------------------------
and running it as "./firebox user9-boxed http://www.fedora.org" today brings up a nice picture of a cute little dog wearing a hotdog bun. (Hmm. Yeah, the weather's hot these days.) Whatever. Firefox is clearly running.
However, pulling the firefox clicky icon out of the internet applications menu to the panel and editing the command hasn't gotten me good results.
sudo -u user9-boxed -- /usr/bin/firefox %u &
gives a "sorry, you must have a tty to run sudo" error in /var/log/secure . So does using the firebox command. But
xhost local:user9-boxed; sudo -u user9-boxed -- /usr/bin/firefox %u &
as the command gives no error messages in secure, but leaves a bunch of normal-looking messages in /var/log/Xorg.0.log . (Nothing stands out to me at any rate.) And no firefox session starting up.
ps wwaux | grep user9-boxed
doesn't show me any leftover processes.
For me and my children, I have no problem with using the command line version. My wife is not going to consider this fun at all, so I would like to make a clicky icon. Anyone care to offer a clue?
(I suppose I should look at Matt Hansens's comments on using PAM linked in the 2nd thread above, but that will be for another day.)
!authenticate, always_set_home, set_logname, !preserve_groups, !requirettyand that seems to fix the problem with setting up a clickable icon in the panels to bring firefox up in a sandbox.
Like I say, I'm not sure this is as meaningful as it might seem. Not sure how much of the user environment leaks into the sub-user environment. Also, it would need a lot of work to be used in a corporate environment. (I'd be happy to do that for pay.)
[note (20120107)
The launcher command line for the icon in the panels looks like this:
./firebox user9-boxed %u ;according to what I've described above.
I'm not sure it's quite right, but it seems to work. Oh, and I don't really put firebox right in my home directory, but I'll leave that as an exercise for the reader.
]
Posts
No comments:
Post a Comment
Courtesy is courteous.