On Mon, Sep 10, 2007 at 11:50:12PM +0100, Chris G wrote:
How can I make it possible for another user to run one specific program on my desktop? I don't want to simply remove the X security completely, I'd rather do it by some sort of SUID'ish sort of approach.
The first thing I have tried doesn't work though. I changed the ownership of the program in question to be owned by me and set the SUID bit:-
-rwsr-xr-x 1 chris root 2497525 2007-02-14 18:54 /usr/local/bin/xvile
I thought that if anyone else executes the program they would 'become' chris but it doesn't work. However thinking about it now I suspect that I'd need to add some code to the program to actually change the user as well as setting the permissions as above.
So, is there any other way to get what I want? I just want another user (it's just one user in particular if that makes it easier) to be able to run /usr/local/bin/xvile on my X desktop. It's a home system with me as the only real user so there aren't any serious security implications, there aren't any unfriendly users.
You're going to need to know your magic cookie, there's going to be a bit of work involved! What you'll need to do is something along the lines of (and I suggest using a wrapper script for it):
* First, you're going to need to know where your XAUTHORITY file is - I'd suggest making this work something like adding:

    echo "$XAUTHORITY" > ~/.xauth-filename

  in *your* .xsession or .xinitrc

* Add to your ~/.ssh/authorized_keys something along the lines of:

    command="/usr/local/bin/xvile-chris-wrapper" <ssh public key of other user>

* Make the wrapper do:

    #!/bin/bash
    # Pick up the path of the X authority file saved by the .xsession line above
    [ -r ~/.xauth-filename ] || { echo "no ~/.xauth-filename" >&2; exit 1; }
    export XAUTHORITY=$(<~/.xauth-filename)
    export DISPLAY=:0
    exec /usr/local/bin/xvile "$@"
Note: that's only half tested... you can generate the .xauth-filename at any point after login (it's not actually required to be in the .xsession), also the wrapper probably wants a bit more error checking (like, err, checking that ~/.xauth-filename exists, and then checking that the file referred to in $XAUTHORITY exists...)
The command to run for the other user would be:

    ssh chrisg@$hostname /usr/local/bin/xvile-chris-wrapper
Hope that makes some sense - most of that is off the top of my head, so could be wrong! Also, note that if they can run any apps (which I'm guessing they'll be able to because it's xvile...) then they can in effect steal your screen (if they know what they're doing!).
Cheers,
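The three steps above collected into shell functions, with the error checks the reply says the wrapper still needs, as an added example that is not part of this thread. The extra authorized_keys options beyond command=, the ~/.xauth-filename path and the xvile path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: forced-command setup for one X program.

# Step 1: run inside your own X session to record where the cookie file lives.
record_xauth_path() {
    out="${1:-$HOME/.xauth-filename}"
    [ -n "$XAUTHORITY" ] || { echo "XAUTHORITY not set" >&2; return 1; }
    printf '%s\n' "$XAUTHORITY" > "$out" && chmod 600 "$out"
}

# Step 2: the authorized_keys line. The options after command= (assumed
# here, not in the thread) stop the key from giving a pty, port/X11/agent
# forwarding, so it is usable for the wrapper and nothing else.
authorized_keys_line() {
    wrapper="$1"; pubkey="$2"
    printf 'command="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$wrapper" "$pubkey"
}

# Step 3: what the wrapper does before running xvile: resolve the cookie
# file path and fail closed if either the record or the cookie is missing.
resolve_xauth() {
    rec="${1:-$HOME/.xauth-filename}"
    [ -r "$rec" ] || { echo "missing $rec" >&2; return 1; }
    IFS= read -r auth < "$rec"
    [ -n "$auth" ] && [ -r "$auth" ] || { echo "no X authority file at '$auth'" >&2; return 1; }
    printf '%s\n' "$auth"
}

# Wrapper body: exec xvile only once the cookie file has been resolved.
run_wrapped_xvile() {
    auth=$(resolve_xauth) || exit 1
    XAUTHORITY="$auth" DISPLAY="${DISPLAY:-:0}" exec /usr/local/bin/xvile "$@"
}
```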