How can I make it possible for another user to run one specific program on my desktop? I don't want to simply remove the X security completely, I'd rather do it by some sort of SUID'ish sort of approach.
The first thing I have tried doesn't work though. I changed the ownership of the program in question to be owned by me and set the SUID bit:-
-rwsr-xr-x 1 chris root 2497525 2007-02-14 18:54 /usr/local/bin/xvile
I thought that if anyone else executes the program they would 'become' chris but it doesn't work. However thinking about it now I suspect that I'd need to add some code to the program to actually change the user as well as setting the permissions as above.
So, is there any other way to get what I want? I just want another user (it's just one user in particular if that makes it easier) to be able to run /usr/local/bin/xvile on my X desktop. It's a home system with me as the only real user so there aren't any serious security implications, there aren't any unfriendly users.
Chris G cl@isbd.net wrote:
How can I make it possible for another user to run one specific program on my desktop?
sudo?
[...] I changed the ownership of the program in question to be owned by me and set the SUID bit:-
Odd. As long as xvile isn't a script, I'd've expected that to work. However, the Xauth or similar settings may still need attention.
Hope that helps,
On Tue, Sep 11, 2007 at 08:34:50AM +0100, MJ Ray wrote:
Chris G cl@isbd.net wrote:
How can I make it possible for another user to run one specific program on my desktop?
sudo?
That's another possibility I guess, I don't use sudo routinely but I'll go take a look and see if it will do what I want.
[...] I changed the ownership of the program in question to be owned by me and set the SUID bit:-
Odd. As long as xvile isn't a script, I'd've expected that to work. However, the Xauth or similar settings may still need attention.
So I'm not being entirely stupid! :-) I'll do another check of my settings etc. and look at Xauth. Thank you.
On Mon, Sep 10, 2007 at 11:50:12PM +0100, Chris G wrote:
How can I make it possible for another user to run one specific program on my desktop? I don't want to simply remove the X security completely, I'd rather do it by some sort of SUID'ish sort of approach.
The first thing I have tried doesn't work though. I changed the ownership of the program in question to be owned by me and set the SUID bit:-
-rwsr-xr-x 1 chris root 2497525 2007-02-14 18:54 /usr/local/bin/xvileI thought that if anyone else executes the program they would 'become' chris but it doesn't work. However thinking about it now I suspect that I'd need to add some code to the program to actually change the user as well as setting the permissions as above.
So, is there any other way to get what I want? I just want another user (it's just one user in particular if that makes it easier) to be able to run /usr/local/bin/xvile on my X desktop. It's a home system with me as the only real user so there aren't any serious security implications, there aren't any unfriendly users.
You're going to need to know your magic cookie, there's going to be a bit of work involved! What you'll need to do is something along the lines of (and I suggest using a wrapper script for it):
* First, you're going to need to know where your XAUTHORITY file is - I'd suggest making this work something like adding: echo $XAUTHORITY > ~/.xauth-filename in *your* .xsession or .xinitrc * Add to your ~/.ssh/authorized_keys something along the lines of: command="/usr/local/bin/xvile-chris-wrapper" <ssh public key of other user> * Make the wrapper do: #!/bin/bash
export XAUTHORITY=$(<~/.xauth-filename) export DISPLAY=:0 /usr/local/bin/xvile "$@"
Note: that's only half tested... you can generate the .xauth-filename at any point after login (it's not actually required to be in the .xsession), also the wrapper probably wants a bit more error checking (like, err, checking that ~/.xauth-filename exists, and then checking that the file refered to in $XAUTHORITY exists...)
The command to run for the other user would be: ssh chrisg@$hostname /usr/local/bin/xvile-chris-wrapper
Hope that makes some sense - most of that is off the top of my head, so could be wrong! Also, note that if they can run any apps (which I'm guessing they'll be able to because it's xvile...) then they can in effect steal your screen (if they know what they're doing!).
Cheers,
On Tue, Sep 11, 2007 at 09:58:37AM +0100, Brett Parker wrote: [Long explanation snipped - thank you]
The command to run for the other user would be: ssh chrisg@$hostname /usr/local/bin/xvile-chris-wrapper
Hope that makes some sense - most of that is off the top of my head, so could be wrong! Also, note that if they can run any apps (which I'm guessing they'll be able to because it's xvile...) then they can in effect steal your screen (if they know what they're doing!).
OK, thanks, if I can't find an easier way I'll chew through this lot.
I have actually thought of another way of getting what I want by using the Mozex extension in Firefox, that may actually be easier (especially as I have it set up and doing something a bit similar to what I want already).
-
Brett Parker -
Chris G -
MJ Ray