
Re: gksudo -u user2 /usr/bin/links2 -g



Marko Randjelovic wrote:
> > > gksudo -u user2 /usr/bin/links2 -g # does not work
> > 
> > Needs a terminal.  How can it work without one?  It can't.  Right at
> > this point is where things went wrong for you.  links2 reads stdin and
> > writes stdout and expects TERM to tell it what type of terminal escape
> > sequences to use.  But you have asked gksudo to launch it into the
> > background.  That can't work.  You will end up with both your shell
> > and the links2 program reading from your keyboard at the same time.
> 
> Contrary to sudo behavior, gksudo understood the -g option as its own option
> and not, as I expected, as an option for links2 to enable graphics mode.

links2 has a -g option?  I did not know that.  I just assumed that the
-g was for gksudo -g,--disable-grab which disabled locking of the
keyboard, mouse, and focus by the program asking for the password.
Which is why in my example I moved it earlier in the command.

But with your comment I am looking at links2 and now see that links2
does have a -g option to run in graphics mode.  Sorry I didn't realize
that previously.  I thought links2 was like lynx, elinks, and w3m.
Meaning a pure text mode browser.

> This works:
> 
> gksudo -u user2 "/usr/bin/links2 -g"

Yay!

With my misunderstanding of the intent cleared up the following works too:

  gksudo -u user2 -- links2 -g

The "--" causes programs to stop parsing options.  Therefore gksudo
won't parse the -g as an option.  It will stop at the "--" and then
the following will be the command verbatim.

Mostly I am chafing at having the full path "/usr/bin/links2" in there
hard coded.  Hard coded paths like that are almost always bad.  Try it
without.  Even with the quoted form I think that is better.

  gksudo -u user2 "links2 -g"

> > The above all suffer from the problem of running the text browser as
> > root.  Why are you trying to do this?  I don't understand any benefit
> > from doing so.  And I see some problems with doing so.  Please say a
> > few words about what led you to doing it that way.  Since it is a web
> > browser it doesn't benefit you by running it as root.
> 
> I am not running it as root, user2 != root.

Darn on me.  I was pretty sure I had a reason for the original problem
and wanted to get a reply out and didn't spend the time to really read
the rest of the message in detail.  My bad.  You had said user2 which
obviously isn't root and it was my mistake that I didn't grok that
plain-to-see point.  Sorry.

> There are many advantages of running every task with a separate user
> account. In general, you have better control, because you can
> differentiate various tasks based on running user.

Sure.  My comment had been purely about running commands as root.  But
you were not running as root.  My mistake.  Sorry.

> For example, you can tell iptables to allow port 80 from
> web browser and not from other apps:
> 
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner web -j ACCEPT

Sure.  I don't prefer that type of restriction.  For me it isn't
practical.  For example I have an endless number of things that I want
to access the web.  I would be playing whack-a-mole with all of them
for a long time.  Such as apt's sources.list file.  Such as updating
spamassassin rules.  Such as many things.  But if that works for you
then that is great.  I am not trying to talk you out of it.

> Another example, if an attacker gets your web user account, he won't be
> able to read your emails.

If an attacker gets your web mail user account then they will probably
access that web account from a different system.

> So you will force him to get root privileges :) .

??  (He certainly doesn't need root.  He just needs to use a different
system.)  I read that three times and don't get the joke.  But that is
okay!  I don't need to understand it! :-)

> In fact, your question sounds like you asked: "Why we have all those
> user accounts in /etc/passwd since only root and normal user are
> necessary" :) 

Nope.  Nothing of that sort at all.  It was simply my misunderstanding
of the "-u user2" part which was plainly written and certainly isn't
root.  Just too much in a hurry sometimes.

Bob
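
Added example (not part of the original message, and not gksudo's own code): a small shell model of a wrapper that, like GNU-style option parsers, keeps scanning for its own options after the command name, showing why the command's -g is lost in the unquoted form and preserved by "--" or by quoting. The function name parse_wrapper, the output format, and the defaults (user=root, grab=on) are assumptions made for the illustration.

```shell
#!/bin/sh
# Hypothetical model of a privilege wrapper's argument parsing.
# Wrapper options: -u USER (target user), -g (disable grab).
# The body runs in a subshell so its variables do not leak to the caller.
parse_wrapper() (
    user=root grab=on cmd=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --) # End of wrapper options: everything after is the command.
                shift
                cmd="$cmd${cmd:+ }$*"
                break ;;
            -u) # -u needs a value; refuse rather than guess.
                [ $# -ge 2 ] || { echo "-u needs a user" >&2; exit 2; }
                user="$2"
                shift 2 ;;
            -g) # Consumed by the wrapper, wherever it appears.
                grab=off
                shift ;;
            -*) echo "unknown option: $1" >&2
                exit 2 ;;
            *)  # Non-option word: part of the command, but scanning continues.
                cmd="$cmd${cmd:+ }$1"
                shift ;;
        esac
    done
    printf 'user=%s grab=%s cmd=[%s]\n' "$user" "$grab" "$cmd"
)

# Unquoted: the wrapper takes -g for itself, the browser never sees it.
parse_wrapper -u user2 links2 -g
# "--" ends wrapper option parsing, so -g reaches the command.
parse_wrapper -u user2 -- links2 -g
# Quoted: "links2 -g" is a single word that does not start with "-".
parse_wrapper -u user2 "links2 -g"
```

The same check is worth doing for any wrapper that launches a command as another user: confirm which process actually received each flag, since a silently consumed option changes what runs under the target account.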
