0

For several reasons I want to run my browser as a different system user on my fedora box.

For now I created a separate system user named sandbox and created a custom ~/.local/share/applications/chrome-sandboxed.desktop file for Google Chrome with my user:

#!/usr/bin/env xdg-open
[Desktop Entry]
Version=1.0
Terminal=false
StartupNotify=true
Type=Application
Categories=Network;WebBrowser;
MimeType=x-scheme-handler/unknown;x-scheme-handler/about;text/html;text/xml;application/xhtml_xml;image/webp;x-scheme-handler/http;x-scheme-handler/https;x-scheme-handler/ftp;
Name=Google Chrome (sandboxed)
Exec=sh -c "xhost +SI:localuser:sandbox && pkexec --user sandbox env DISPLAY=$DISPLAY /usr/bin/google-chrome-stable %U && true"
Icon=google-chrome
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=New Window
Exec=sh -c "xhost +SI:localuser:sandbox && pkexec --user sandbox env DISPLAY=$DISPLAY /usr/bin/google-chrome-stable && true"

[Desktop Action new-private-window]
Name=New Incognito Window
Exec=sh -c "xhost +SI:localuser:sandbox && pkexec --user sandbox env DISPLAY=$DISPLAY /usr/bin/google-chrome-stable --incognito && true"

After some struggle and research I found that I need to allow the sandbox user to open windows in my session with xhost +SI:localuser:sandbox and that the pkexec command had to be enclosed in a separate sh -c "" command that ends with && true since it doesn't work in Gnome otherwise. I even got this set as my default browser by running xdg-settings set default-web-browser chrome-sandboxed.desktop, since it didn't appear in the GUI tool for choosing default applications before.

Now the only thing left that's bothering me is that I have to enter my password every time I click on a link in another application (i.e. Thunderbird) to authenticate against pkexec and run the program as another user (even though it will then realize there is already a process running and open the link in a new tab of the existing window - but I guess that logic is implemented in the application itself and can therefore only engage after the authentication has happened and the process is started).

Since I don't care about my user being able to access the sandbox user's stuff (it's the other way around that I want to prevent), I'd like to do this passwordless. I'm not sure about how to achieve this, though.

I read that it can be done by creating a policykit ACL. But since I don't want to generally disable the password prompt and I have no clue about the custom "application's" name, which seems to be relevant for fine tuned configuration (if I understood the syntax in the answer correctly) I don't know how to disable the password prompt just for this application (and maybe further ones in the future).

Any help would be greatly appreciated.

PS: Sorry, the tag sudo is probably confusing but I'd need 300 reputation (which I do not have) to create the new tag pkexec.

EDIT

Got it working with the hints from user1686's answer.

First, (if there isn't already one) create a custom policykit policy file to configure an action id for the desired program - in my case /usr/share/polkit-1/actions/com.google.chrome.sandboxed.policy (note that in this default policy auth_admin is still required):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
                       "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <vendor>Google</vendor>
    <vendor_url>https://www.google.com</vendor_url>
    <icon_name>google-chrome</icon_name>
    <action id="com.google.chrome.sandboxed">
        <description>Run Google Chrome as another user</description>
        <message>Authentication is required to run Google Chrome as another user</message>
        <defaults>
            <allow_any>auth_admin</allow_any>
            <allow_inactive>auth_admin</allow_inactive>
            <allow_active>auth_admin</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/google-chrome-stable</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>

Then, create a custom rule to allow passwordless execution of the action with the configured action id (com.google.chrome.sandboxed here) for your user only - in my case /var/lib/polkit-1/localauthority/50-local.d/10-passwordless_chrome-sandboxed_from_myuser.pkla:

[No pkexec password prompt for myuser when running chrome-sandboxed]
Identity=unix-user:myuser
Action=com.google.chrome.sandboxed
ResultActive=yes

Afterwards, remove all occurrences of env DISPLAY=$DISPLAY from your .desktop file, otherwise pkexec tries to execute env as the other user instead /usr/bin/google-chrome-stable. As user1686 pointed out, the required environment variables are automatically inherited to the child process, so it's no longer needed anyway.

You might need to systemctl reload polkit.service or systemctl restart polkit.service, but I'm not sure about that since I thought that was the reason why it wasn't working for me at first - although I just forgot to change my .desktop file.

It works just as expected now.

David
  • 155
  • 10

1 Answers1

1

Here's how GParted handles it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
                       "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
    <vendor>The GParted Project</vendor>
    <vendor_url>https://gparted.org</vendor_url>
    <icon_name>gparted</icon_name>
    <action id="org.gnome.gparted">
        <description>Run GParted as root</description>
        <message>Authentication is required to run the GParted Partition Editor as root</message>
        <defaults>
            <allow_any>auth_admin</allow_any>
            <allow_inactive>auth_admin</allow_inactive>
            <allow_active>auth_admin</allow_active>
        </defaults>
        <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/gparted</annotate>
        <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
    </action>
</policyconfig>

Note the two <annotate/> tags.

When this policy is installed, a simple pkexec /usr/bin/gparted is automatically assigned a different policykit "action ID" (so you can define different defaults, as well match it in custom rules). You also do not need to manually pass $DISPLAY – pkexec will copy all necessary variables automatically.

u1686_grawity
  • 426,297
  • 64
  • 894
  • 966
  • Thanks a lot! Will try it ASAP and mark answer as accepted when I got it working. – David Feb 04 '20 at 14:29
  • Updated the question with the complete configuration and accepted your answer! Thanks again. – David Feb 04 '20 at 21:13
  • It just occurred to me that mouseover tooltips (like the text `A list of all 175 Stack Exchange sites` when you hover over the Stack Exchange icon at the very right of the top menu) are displayed as black boxes. I guess they are somehow created as a separated display element that lacks either the `$DISPLAY` variable or isn't allowed to "write" (?) to the display/session. Not too severe, but if you've got another hint, I'd be happy to know. – David Feb 04 '20 at 21:21
  • I just realized that sound does not work. I guess that's a similar problem to the missing `xhost` permissions. But adding the user to the `audio` or `pulse` groups does not work. Any clue on what to do? Do I need to run `pulse` in the [**very** disencouraged](https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/WhatIsWrongWithSystemWide/) [`SystemWide`](https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/SystemWide/) mode? – David Feb 21 '20 at 15:52
  • It's slightly less discouraged now that PA uses memfd internally. Aside from it, you could probably use PA's network audio support -- enable inbound connections via paprefs; firewall it to be only accessible to localhost; copy ~/.config/pulse/cookie to the target user; specify $PULSE_SERVER. – u1686_grawity Feb 21 '20 at 17:17