Run program with GUI and sound as a different user
by Zbigniew from LinuxQuestions.org on (#54K2X)
I plan to reinstall my Linux distribution and apply some specific rules to improve security and keep some comfort at the same time. The plan is to create few users for specific aims:
user - main account with administrative privileges and access to all non-root folders;
gamer - ordinary account with no administrative privileges and limited access to few shared folders like 'Music', 'Pictures', 'Videos' etc.;
skype - ordinary account with access limited to dedicated subfolders to download and upload files;
browser - ordinary account with access limited to dedicated subfolders to download and upload files;
I want to work on user account and run browser as browser user with access only to 'Downloads' and 'Uploads' folders. The disadvantage will be that to send file through browser I will be forced to copy it to 'Uploads' folder first. I want to apply similar rules, but with more restrictions, to skype user. My concern is if it will be possible to share sound card and camera between profiles/users?
Bit different situation is with gamer profile. I can switch user and run games on it. Gamer will also have limited access to folders like 'Music', 'Pictures', 'Videos' etc. Perfectly will be to run games on restricted gamer account being logged-in as user.
WHAT I ALREADY DID
I can easily share folders between profiles and create dedicated RAM disk. I also ran Firefox with some limitations (see below).
FOR WHAT I NEED HELP
I tried to run Skype as different user several times in the past, but with no success. Yesterday I spent literally whole day browsing the Internet and LinuxQuestions forum to find how to run Firefox as different user. What I figured out is that I need to use pkexec command.
When I ran
Code:pkexec -u gamer firefoxI've got the following error:
Code:Error: no DISPLAY environment variable specifiedThen I created org.mozilla.firefox.policy in /usr/share/polkit-1/actions folder.
Code:<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
<vendor>Mozilla Foundation</vendor>
<vendor_url>https://mozilla.org/</vendor_url>
<action id="org.freedesktop.policykit.example.pkexec.run-firefox">
<description>Run Firefox Web Browser</description>
<message>Authentication is required to run Firefox (user=$(user), program=$(program), command_line=$(command_line))</message>
<icon_name>audio-x-generic</icon_name>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/firefox</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>
</policyconfig>and tried again
Code:pkexec -u gamer firefoxto see new error:
Code:No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0Then I found this thread.
I ran
Code:sudo xhost local:testand got in return
Code:non-network local connections being added to access control listOne more try...
Code:pkexec -u gamer firefoxFirefox started with tabs opened by another user! Success! Almost. :-( There is no sound from browser and in bash I see repeating the following error:
Code:(firefox:27070): dconf-CRITICAL **: unable to create file '/home/gamer/.cache/dconf/user': Permission denied. dconf will not work properly.Could anyone advise how to force application with GUI, like Firefox or Skype, to run through pkexec with sound?
user - main account with administrative privileges and access to all non-root folders;
gamer - ordinary account with no administrative privileges and limited access to few shared folders like 'Music', 'Pictures', 'Videos' etc.;
skype - ordinary account with access limited to dedicated subfolders to download and upload files;
browser - ordinary account with access limited to dedicated subfolders to download and upload files;
I want to work on user account and run browser as browser user with access only to 'Downloads' and 'Uploads' folders. The disadvantage will be that to send file through browser I will be forced to copy it to 'Uploads' folder first. I want to apply similar rules, but with more restrictions, to skype user. My concern is if it will be possible to share sound card and camera between profiles/users?
Bit different situation is with gamer profile. I can switch user and run games on it. Gamer will also have limited access to folders like 'Music', 'Pictures', 'Videos' etc. Perfectly will be to run games on restricted gamer account being logged-in as user.
WHAT I ALREADY DID
I can easily share folders between profiles and create dedicated RAM disk. I also ran Firefox with some limitations (see below).
FOR WHAT I NEED HELP
I tried to run Skype as different user several times in the past, but with no success. Yesterday I spent literally whole day browsing the Internet and LinuxQuestions forum to find how to run Firefox as different user. What I figured out is that I need to use pkexec command.
When I ran
Code:pkexec -u gamer firefoxI've got the following error:
Code:Error: no DISPLAY environment variable specifiedThen I created org.mozilla.firefox.policy in /usr/share/polkit-1/actions folder.
Code:<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
<vendor>Mozilla Foundation</vendor>
<vendor_url>https://mozilla.org/</vendor_url>
<action id="org.freedesktop.policykit.example.pkexec.run-firefox">
<description>Run Firefox Web Browser</description>
<message>Authentication is required to run Firefox (user=$(user), program=$(program), command_line=$(command_line))</message>
<icon_name>audio-x-generic</icon_name>
<defaults>
<allow_any>no</allow_any>
<allow_inactive>no</allow_inactive>
<allow_active>auth_self_keep</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/firefox</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">TRUE</annotate>
</action>
</policyconfig>and tried again
Code:pkexec -u gamer firefoxto see new error:
Code:No protocol specified
Failed to connect to Mir: Failed to connect to server socket: No such file or directory
Unable to init server: Could not connect: Connection refused
Error: cannot open display: :0Then I found this thread.
I ran
Code:sudo xhost local:testand got in return
Code:non-network local connections being added to access control listOne more try...
Code:pkexec -u gamer firefoxFirefox started with tabs opened by another user! Success! Almost. :-( There is no sound from browser and in bash I see repeating the following error:
Code:(firefox:27070): dconf-CRITICAL **: unable to create file '/home/gamer/.cache/dconf/user': Permission denied. dconf will not work properly.Could anyone advise how to force application with GUI, like Firefox or Skype, to run through pkexec with sound?