Re: sudo and firefox (was: Off-topic: Gmail Grrrr.)
Hi.
On Wed, 25 Dec 2013 12:08:01 +0900
Joel Rees <joel.rees@gmail.com> wrote:
> On Tue, Dec 24, 2013 at 9:42 PM, Reco <recoverym4n@gmail.com> wrote:
> > Hi.
> >
> > On Tue, 24 Dec 2013 13:29:28 +0100
> > Ralf Mardorf <ralf.mardorf@alice-dsl.net> wrote:
> >
> >> This would lead to "Error: cannot open display: :0.0".
> >> Sure, $ xhost +; sudo -u [...] does the trick,
> >
> > No, if you do it smart way, such as (in .xsessionrc):
> >
> > xauth extract - $DISPLAY | sudo -u user1 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> > xauth extract - $DISPLAY | sudo -u user2 -- sh -c \
> > "cat -> /home/user1/.Xauthority"
> >
> > And configure sudo to keep $DISPLAY.
> > [...]
>
> I'm using "xhost" to do something similar, maybe the same thing? I
> described it a couple of years ago:
>
> http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html
>
> I'd be interested in comments.
Result is definitely the same, although I'd use
xhost +si:localuser:${1}
instead of
xhost local:${1}
Not there is much difference about it, given that Debian (or Fedora, or
any major distribution for that matter) does not ship XSECURITY
extension for a long time.
And I'd use
sudo -H -u ${1} /usr/bin/firefox $2
instead of
sudo -H -u ${1} firefox $2
because:
a) Without -H sudo can keep $HOME, which will force firefox to search
it's profile in the different user's home (kinda beats the purpose of
sandbox, isn't it?).
b) That sneaky sandbox user can override firefox with something
like /home/user9-boxed/bin/firefox, which is bad.
What I'm curious about, is that you did not have to permit sudo to keep
$DISPLAY environment variable. Is it something that Fedora allows by
default? Because Debian surely does not (env_reset by default).
Reco
Reply to: