Abrowser as another user

19 risposte [Ultimo contenuto]
Sabrinakitty
Online
Iscritto: 06/17/2020

For security reasons I want to run Abrowser as another user. I've created 'webbrowser' user, every time I launch Abrowser I need it to run as 'webbrowser' user. I understand I need to do something with sudo.
Can you help me, please?

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

The simple way is to execute:
$ pkexec --user webbrowser env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY abrowser

I was about to write that you can make a launcher with the above command line, e.g., using the "New Item" button of "Main Menu", in MATE's "Control Center". But that does not work.

The complicated way works:

  1. Create a file /usr/share/polkit-1/actions/org.trisquel.abrowser.policy (here using Pluma):
    $ sudo pluma /usr/share/polkit-1/actions/org.trisquel.abrowser.policy
  2. Copy/paste that (I modified the example in 'man pkexec'):
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE policyconfig PUBLIC
    "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
    "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
    <policyconfig>
    <action id="org.trisquel.abrowser">
    <description>Browse the World Wide Web</description>
    <message>Authentication is required to run Abrowser (user=$(user), program=$(program), command_line=$(command_line))</message>
    <defaults>
    <allow_any>no</allow_any>
    <allow_inactive>no</allow_inactive>
    <allow_active>auth_self_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/abrowser</annotate>
    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
    </policyconfig>
  3. Save;
  4. Create a launcher (for instance as explained above) with this command:
    pkexec --user webbrowser abrowser

Please confirm whether that works.

Sabrinakitty
Online
Iscritto: 06/17/2020

Hello
Thank you for your answer!
How to highlight code on forums with yellow background?

The first code (pkexec --user webbrowser env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY abrowser) returns error:
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

After I created /usr/share/polkit-1/actions/org.trisquel.abrowser.policy, and launcher, the launcher asks for a password then does nothing.
If I execute (pkexec --user webbrowser abrowser) in terminal, it asks for a password, then the result is
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

How to highlight code on forums with yellow background?

With the code HTML tag. Here are all available tags: https://trisquel.info/en/filter/tips

Error: cannot open display: :0

Strange. I would try to execute:
$ pkexec --user webbrowser env DISPLAY=:1 XAUTHORITY=$XAUTHORITY abrowser

On my Trisquel 8 system, where $DISPLAY is :0, as on yours, what I wrote in my previous post works (although I tested with the user who is logged in, the only regular user on my system) and setting DISPLAY=:1, as in the command right above, gives the error you report. Do you use Trisquel 8 or 9?

Sabrinakitty
Online
Iscritto: 06/17/2020

I'm using Trisquel 8
Terminal based web browser works as another user
$ pkexec --user webbrowser lynx
Ranger is also working
$ pkexec --user webbrowser ranger
But GUI based web browser is not working
$ pkexec --user webbrowser env DISPLAY=:1 XAUTHORITY=$XAUTHORITY abrowser
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :1

If I try with my user that is currently logged in
$ pkexec --user sabrina abrowser
It works.

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

Does it make a difference if, in /usr/share/polkit-1/actions/org.trisquel.abrowser.policy, you set "allow_any" and "allow_inactive" to "auth_self_keep", rather than "no"?

Sabrinakitty
Online
Iscritto: 06/17/2020

With these changes

<defaults>
<allow_any>auth_self_keep</allow_any>
<allow_inactive>auth_self_keep</allow_inactive>
<allow_active>auth_self_keep</allow_active>
</defaults>

The result is the same
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

Since you are on Trisquel 8, you can execute:
$ gksu -u webbrowser abrowser

Does it work? Notie that, as far as I understand, 'gksu' is now considered insecure and 'pkexec', in Polkit is supposed to replace it. What I suggested you is essentially an adaptation of https://askubuntu.com/questions/287845/how-to-configure-pkexec/332847#332847 and I do not understand why that does not work.

In your initial post, you wrote "I understand I need to do something with sudo". sudo may indeed be another solution. You can execute 'sudo -Hu webbrowser abrowser' in a terminal. However, I believe you do not want to have to open a terminal to launch your Web browser. For a graphical way to input the password:
$ SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -AHu webbrowser abrowser

In a launcher, the command would be:
sh -c 'SUDO_ASKPASS=/usr/bin/ssh-askpass sudo -AHu webbrowser abrowser'

Sabrinakitty
Online
Iscritto: 06/17/2020

Both gksu and sudo solutions are working! Thank you very much!

chaosmonk

I am a member!

I am a translator!

Offline
Iscritto: 07/07/2017

> Failed to connect to Mir: Failed to connect to server socket: No such file or directory

Magic Banana, do the references to "Mir" seem at all suspect to you? I thought Mir was only supported by Unity, and while I don't have a Trisquel 8 system handy I am pretty sure that it uses X by default. If Sabrinakitty is indeed using X as their display server, then it seems no surprise that an attempt to connect to Mir would fail. I'm just not sure *why* there would be an attempt to connect to Mir instead of X.

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

It is weird. Nevertheless, "On my Trisquel 8 system, (...) setting DISPLAY=:1 (...) gives the error [Sabrinakitty] report[s]": https://trisquel.info/forum/abrowser-another-user#comment-150088

That is why I thought she was maybe using Trisquel 9 where, for some reason, the proper display would have become :1, rather than :0. But she replied that she uses Trisquel 8, that setting DISPLAY=:1 makes no difference and that executing abrowser through pkexec but with the currently logged user (what I had tested) works. In the end, I believe there is nothing unusual with her system: you would probably face the same error trying to use pkexec to execute a graphical program as another user (who is not not root). The error being the same when DISPLAY is incorrectly set, it looks like it should be different.

I spent time reading documentation and searching the Web, but I could not understand how to make pkexec work in Sabrinakitty's use case. Most people only use pkexec to run programs as root. I ended up suggesting either gksu or sudo -HA. However, as far as I understand, pkexec is the recommended solution nowadays. gksu will certainly not even be in Trisquel 9's repository, because it is not in Ubuntu 18.04's, for security reasons. sudo -HA looks safe. But SUDO_ASKPASS=/usr/bin/ssh-askpass provides a rather ugly window. 'zenity --password' would be a barely better replacement (a configurable title with the option --title, rather than "OpenSSH").

If you want to spend time understanding how to make pkexec work in Sabrinakitty's use case, I would be interested in what you will discover...

chaosmonk

I am a member!

I am a translator!

Offline
Iscritto: 07/07/2017

> Nevertheless, "On my Trisquel 8 system, (...) setting DISPLAY=:1 (...) gives the error [Sabrinakitty] report[s]"

So to clarify, using your instructions works on your Trisuel 8 system when you use "DISPLAY=:0", but gets the "Mir" error with "DISPLAY=:1"?

> I ended up suggesting either gksu or sudo -HA. However, as far as I understand, pkexec is the recommended solution nowadays. gksu will certainly not even be in Trisquel 9's repository, because it is not in Ubuntu 18.04's, for security reasons.

Yes, gksu is gone. I had to modify Add/Remove Applications to use pkexec instead so that it would work on Trisquel 9.

Whonix's sandbox-app-launcher is a WIP, but appears to use sudo at this time. https://github.com/madaidan/sandbox-app-launcher/blob/67dcc940c80a77f41c703b9c8164329de7e06cf0/usr/bin/sandbox-app-launcher#L178

boba
Offline
Iscritto: 08/28/2017

I just noticed that I need to sudo in a Terminal in order to launch Synaptic from Xfce, while in Mate I get a prompt to enter priviledged mode without having to use a terminal.

Is that the expected behavior? Maybe I should have installed Xfce4-pkexec-something in order to get the prompt? I am using Trisquel 8 at the moment.

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

That is strange. Nowadays, the launcher should be the same whatever the desktop environment. In this case, it executes the command synaptic-pkexec, a one-line shell script:
#!/bin/sh
pkexec "/usr/sbin/synaptic" "$@"

What happens if you execute synaptic-pkexec in a terminal. Any error message?

boba
Offline
Iscritto: 08/28/2017

In Xfce, synaptic-pkexec in a terminal gives:

Password:
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

The desktop icon does nothing, expectedly.

In Mate, synaptic-pkexec in a terminal triggers the password prompt which grants me admin privileges, same as clicking on the desktop icon.

NB: executing (Alt+F2) synaptic launches synaptic without privileges, in both environments.

EDIT: I just noticed that I have mate-polkit installed. Nothing similar beginning with xfce4 seems to be available.

EDIT2: someone solved the problem by adding mate-polkit to Application Autostart in Xfce:
https://www.mail-archive.com/debian-bugs-dist[@]lists.debian.org/msg1751529.html

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

So to clarify, using your instructions works on your Trisuel 8 system when you use "DISPLAY=:0"

This works (opens a new Abrowser window, even if one is already opened):
$ pkexec --user banana env DISPLAY=:0 XAUTHORITY=/home/banana/.Xauthority abrowser

This useless command (banana is currently logged in graphically) works as well for Sabrinakitty. But it does not work for her (I have not tested) when a different user (who is not root) is in argument of --user.

but gets the "Mir" error with "DISPLAY=:1"?

Yes (the output appears after I enter my password and press Enter):
$ pkexec --user banana env DISPLAY=:1 XAUTHORITY=/home/banana/.Xauthority abrowser
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :1

Sorry for not having been clear in the first place.

Magic Banana

I am a member!

Online
Iscritto: 07/24/2010

What happens if I (or you, probably) try to execute abrowser as root may be of interest to understand the issue. Specifying the .Xauthority of the user who is currently logged in graphically:
$ pkexec env DISPLAY=:0 XAUTHORITY=/home/banana/.Xauthority abrowser
Running Abrowser as root in a regular user's session is not supported. ($XAUTHORITY is /home/banana/.Xauthority which is owned by banana.)

That error message is visibly output by Abrowser: pkexec works. In fact, using sudo, I get the same error:
$ sudo -H abrowser
Running Abrowser as root in a regular user's session is not supported. ($XAUTHORITY is /home/banana/.Xauthority which is owned by banana.)

Defining XAUTHORITY as /root/.Xauthority, which does not actually exist on my system:
$ pkexec env DISPLAY=:0 XAUTHORITY=/root/.Xauthority abrowser
No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0

Again that message. This time using DISPLAY=:0. As a consequence, the problem Sabrinakitty faced using pkexec may have nothing to do with DISPLAY (as I thought) and everything to do with XAUTHORITY. Or not: I am a bit lost.

chaosmonk

I am a member!

I am a translator!

Offline
Iscritto: 07/07/2017

One project I'm keeping an eye on in Whonix's [sandbox-app-launcher][1], which will run each application as a different user and provide a mechanism for configuring each such user's permissions for

* Network access
* Webcam access
* Microphone access
* Shared storage access (read-only or read-write)
* Dynamic native code execution

effectively bringing to GNU the kind of sandboxing and and per-application privacy settings currently available for Android and iOS.

[1]: https://github.com/madaidan/sandbox-app-launcher

Sabrinakitty
Online
Iscritto: 06/17/2020

Thank you! I will read about Whonix.

boba
Offline
Iscritto: 08/28/2017

That sounds great.

I was wondering whether/how this would interfere with AppArmor, and found this:

http://forums.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.tor2web.to/t/system-wide-sandboxing-framework/9008