this post was submitted on 13 Jan 2024
23 points (96.0% liked)


I use https://github.com/slingamn/namespaced-openvpn to have an isolated namespace and VPN connection.

On X, these two steps would allow me to run a GUI program in the protected namespace. So I could have, e.g., an IDE configuration for my main user/personal projects, and another entirely different instance of the same IDE for work, because they use different users:

sudo xhost '+si:localuser:user'
sudo ip netns exec protected sudo -u user -i

On Wayland, although the protected shell is created fine, GUI programs don't start. E.g. for Dolphin:

error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Failed to create wl_display (No such file or directory)

I've tried to preserve the env without success:


sudo -E ip netns exec protected sudo -u user -i

It seems that access to the Wayland socket is a must for this to work.

This discussion has a nuke option - giving 777 access to the dir where the Wayland socket is, and another less permissive approach adding the users to a group and giving access to a new location where the Wayland socket is created:

https://stackoverflow.com/questions/41736528/linux-wayland-display-multiple-user

Is this second approach secure? If not, which other steps could I take to achieve what I did in X?
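
One way to see which of the two options from the linked discussion a given setup amounts to, as an added example that is not part of the original post. It reads mode bits only (no ACLs, no parent directories), assumes GNU `stat`, and the function names `last3` and `socket_reach` are hypothetical:

```shell
#!/bin/sh
# Added example (not from the thread): report who can connect to a Wayland
# socket, judged from the mode bits of the socket and its directory.
# Usage: sh check.sh "$XDG_RUNTIME_DIR" "$XDG_RUNTIME_DIR/$WAYLAND_DISPLAY"

# last3 MODE -> owner/group/other octal digits, dropping setuid/setgid/sticky
last3() {
    m=$(printf '%03d' "$1")
    printf '%s\n' "${m#"${m%???}"}"
}

# socket_reach DIR SOCKET -> "world", "group dir=<g> sock=<g>" or "owner-only"
# Connecting to a Unix socket needs search (x) on the directory and
# write (w) on the socket file itself.
socket_reach() {
    dir=$1
    sock=$2
    draw=$(stat -c '%a' "$dir") || return 2
    sraw=$(stat -c '%a' "$sock") || return 2
    d=$(last3 "$draw")
    s=$(last3 "$sraw")
    d_grp=${d#?}; d_grp=${d_grp%?}   # middle digit = group bits
    s_grp=${s#?}; s_grp=${s_grp%?}
    d_oth=${d#??}                    # last digit = other bits
    s_oth=${s#??}
    if [ $(( $d_oth & 1 )) -ne 0 ] && [ $(( $s_oth & 2 )) -ne 0 ]; then
        # Every local account can connect: the 777 option.
        echo "world"
    elif [ $(( $d_grp & 1 )) -ne 0 ] && [ $(( $s_grp & 2 )) -ne 0 ]; then
        # Only members of the named groups can connect: the group option.
        echo "group dir=$(stat -c '%G' "$dir") sock=$(stat -c '%G' "$sock")"
    else
        echo "owner-only"
    fi
}

# Run against real paths only when both are given on the command line.
if [ "$#" -eq 2 ]; then
    socket_reach "$1" "$2"
fi
```

A result of `world` corresponds to the 777 option; a `group` result means every member of the listed groups can connect to the compositor as a client, so the group should contain only the accounts meant to share the session.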

[–] shadowintheday2 2 points 1 year ago* (last edited 1 year ago)

Another thing to solve: XWayland apps as a different user

Giving access to the Wayland socket makes other users able to use Wayland; however, programs that rely on XWayland to work don't seem to get it:


Start Failed
Failed to initialize graphics environment

java.awt.AWTError: Can't connect to X11 window server using ':0' as the value of the DISPLAY variable.
        at java.desktop/sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)

Wine


0120:fixme:kernelbase:AppPolicyGetThreadInitializationType FFFFFFFA, 0ECAFF08
0128:err:winediag:nodrv_CreateWindow Application tried to create a window, but no driver could be loaded.
0128:err:winediag:nodrv_CreateWindow L"The explorer process failed to start."
0128:err:systray:initialize_systray Could not create tray window
0114:err:winediag:nodrv_CreateWindow Application tried to create a window, but no driver could be loaded.
0114:err:winediag:nodrv_CreateWindow L"Make sure that your X server is running and that $DISPLAY is set correctly."
0114:fixme:kernelbase:AppPolicyGetProcessTerminationMethod FFFFFFFA, 0DE4FB40

env | grep -i display
WAYLAND_DISPLAY=wayland-0
DISPLAY=:0