What I’m Looking To Achieve:

Still newer to Linux, permissions is one of those things that screws with my head a lot still. What I am looking to do is, set up a new user on my system, and give it the bare minimum privileges specifically to play games. Therefore, those games and proprietary clients could not access any of my other files in certain cases. I understand an isolated system would be the best bet, but I do not have the hardware currently to do that. I figure a restricted user is better than none.

What The Restricted User Should Be Ideally:

The restricted user should only have access to the files it needs to run, it would need to be able to download clients (Lutris, Steam, Origin, etc.), not be able to access all the files my main account can, be able to use stuff like WINE and Proton, and not be sandboxed/jailed.

My current setup is:

  • OS: Artix Linux x86_64
  • Kernel: 5.6.19.a-1-hardened
  • WM: bspwm

I’d appreciate some slight handholding on this, as I said I am still new and learning and permissions is something that still confuses me greatly and I have not dealt with it much. I’m quite honestly not sure where to even start with all this, as I’m not sure what I would give the new user access to and wouldn’t as far as system files, would I add it to the sudoers group because otherwise it can’t download stuff correct? Is it not concerning that it would have access to use sudo defeating the purpose of the permissions? And I’m sure there’s other stuff I’m not even thinking of that I would run into when trying to do this. Would definitely appreciate help. If you have any questions, feel free to ask away. Thanks! :penguin:

  • ksynwa
    1 upvote · 4 years ago

    I am not sure about this so go through what I type and let me know if something sounds incorrect.

    I think you should just create a new user. You can add it to the network, audio, video, input, bluetooth groups as you see fit. You shouldn’t need to give it sudo permissions. You can install software from your package manager using a privileged user.

    If you do this, software you run as this new user shouldn’t have access to the files in your main user’s $HOME. It won’t have sudo permissions to do funky shit.

    It would at least minimise some chances of attack.

    • gravity (OP)
      1 upvote · 4 years ago

      You shouldn’t need to give it sudo permissions. You can install software from your package manager using a privileged user.

      If you do this, software you run as this new user shouldn’t have access to the files in your main user’s $HOME. It won’t have sudo permissions to do funky shit.

      If I installed the packages from my privileged user, would this not mean that those clients have access to the stuff of my privileged user though? Also are there any other concerns besides $HOME that I should be considering? And what about specific directory rwx permissions? Would I have to set anything specific anywhere?

      Would my main user be able to access all of the gaming user’s directories, for example if I wanted to rsync a folder that the gaming user makes full of saves, as my main user, to another computer, without letting those files access my main user besides throughout the rsync process, is this possible? I assume this would not be of issue?

      • Ephera
        1 upvote · 4 years ago

        If I installed the packages from my privileged user, would this not mean that those clients have access to the stuff of my privileged user though?

        It will be the unprivileged user that starts the processes and therefore the processes will have the same limited privileges.

        Also are there any other concerns besides $HOME that I should be considering?

        The /tmp-directory is also readable and writable by any normal user, but application developers should know to not put anything critical there.

        And what about specific directory rwx permissions? Would I have to set anything specific anywhere?

        Shouldn’t be necessary. The defaults for unprivileged users are generally very limited already, as this same system is designed for separating not just your brother’s account from yours, but also for separating hundreds of users in universities (with various degrees of maliciousness), or for isolating vulnerable software, e.g. you typically run a web server under its own user (though without logging out and back in as the new user, you just tell your OS to run this one process as that other user).

        Sure, it would be better, if you could identify specific directories that this user needs access to and only give it the minimally necessary permissions for that, but that would be a lot of work, especially since you want to run so many different applications.

        • gravity (OP)
          1 upvote · edited · 4 years ago

          It will be the unprivileged user that starts the processes and therefore the processes will have the same limited privileges.

          Ah, I was not aware this worked like this. That makes it simpler.

          Sure, it would be better, if you could identify specific directories that this user needs access to and only give it the minimally necessary permissions for that, but that would be a lot of work, especially since you want to run so many different applications.

          Yes this is my concern, ok so I won’t do that.

          So in the end let me ensure I have this correct, I go on my main user, install Steam, Lutris, Origin, whatever. Then I make a new user, say gamer, what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username. After that, I just su to that user when I want to play a game, then launch Lutris or what not as that user, and all should be good?

          What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer? Or does it open as my primary user? I’m not extremely in touch with how multi-user works, because I know if I open two terminals, I can be on my main user in one, and then another user in another, but if I open a new one, it is back to my primary user. So I just want to ensure the stuff I’m opening under the gamer user, stays as gamer. If I launch anything from Rofi, then I think it will open as my primary user? How do I deal with that as well?

          • Ephera
            1 upvote · 4 years ago

            what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username.

            Well, you wouldn’t want to add it to the ‘wheel’ group. That’s what allows running sudo (though there would still be a password prompt).

            I’m assuming, creating the user will add it into the group with its own name on your distro, so that should be fine. So, I wouldn’t add it to any group, though I also don’t have experience specifically with gaming. That just seems logical since your main user is also not in more groups.
            And well, it doesn’t hurt to try it with less groups; you can always add groups later.

            What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer?

            Well, same deal as before. A process launched by a user only has the same privileges as that user, which means it can only launch processes as the same user, again. You yourself can only launch processes as another user, basically because you know the password of the privileged user account (root). There’s also some special voodoo with sudo, to make that work more seamlessly, but yeah, generally a process cannot start another process under a different user (again, that would be a major security issue, if it was possible).

            If you want to double-check, there’s likely a way to see in your task manager by which user each process was spawned.

      • ksynwa
        1 upvote · 4 years ago

        would this not mean that those clients have access to the stuff of my privileged user though?

        Are you talking about clients like Steam, Origin, etc.? If yes, then you can install Steam, Lutris, Wine, etc. from your package manager and when you run them as a new user, they can only write inside your new home directory and won’t be able to read files in your main user’s home.

        Would my main user be able to access all of the gaming user’s directories

        You can add your main user to the group with the same name as the new user and you should be able to read the new user’s files though I haven’t tried this ever.

        • gravity (OP)
          1 upvote · edited · 4 years ago

          You can add your main user to the group with the same name as the new user

          Are you suggesting to make a gaming group, then add my main user to it? Also read my above reply for more.

          • ksynwa
            1 upvote · 4 years ago

            No. If you do ls -l <filename>, you’ll get an output like this:

            ks@ksvoid %  ls -l avatar.jpg
            -rw-r--r-- 1 ks ks 380615 Mar 17 11:41 avatar.jpg
                         |  |
                         |  Group
                         User
            

            You can have a group with the same name as a user. If you make an account with the name epicgamer, you can add your main user to the epicgamer group. Then you can do chmod 750 /home/epicgamer so that whoever is in the group epicgamer can read the home folder. You can set the permission to 770 if you want write permission too. But you will have to experiment because I have not tried this before.
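
The permission arithmetic behind the chmod 750 / 770 suggestion above, as an added example that is not part of the thread. It reads the mode column of `ls -l` (the `-rw-r--r--` string shown in the post) back into the octal number chmod takes, and then answers "can this account read or write it?" the way the kernel does: owner bits if the account owns the file, group bits if the account is in the file's group, otherwise the "other" bits. The account names (`epicgamer`, `main`) and the group lists are constructed to match the thread; nothing on disk is touched.

```shell
#!/bin/sh
# Added example, not from the thread. Turns an `ls -l` mode string into chmod's
# octal form and evaluates owner/group/other access for a named account.
# All inputs below are constructed strings; no real files are read.

# triad_to_digit 'r-x' -> 5 : one owner/group/other triad to its octal digit.
triad_to_digit() {
    t=$1; d=0
    case "$t" in r??) d=$((d + 4)) ;; esac
    case "$t" in ?w?) d=$((d + 2)) ;; esac
    case "$t" in ??[xst]) d=$((d + 1)) ;; esac   # s/t: execute plus setuid/setgid/sticky
    echo "$d"
}

# mode_to_octal 'drwxr-x---' -> 750 : the three-digit form chmod takes. The
# leading type character and a trailing '+' or '.' (ACL / SELinux marker) are ignored.
mode_to_octal() {
    m=${1#?}                        # drop the leading d / - / l ...
    rest=${m#???}
    u_triad=${m%"$rest"}            # first three characters
    rest2=${rest#???}
    g_triad=${rest%"$rest2"}        # next three
    tail=${rest2#???}
    o_triad=${rest2%"$tail"}        # next three, dropping any '+' / '.' suffix
    echo "$(triad_to_digit "$u_triad")$(triad_to_digit "$g_triad")$(triad_to_digit "$o_triad")"
}

# in_list NEEDLE WORD... -> 0 if NEEDLE is one of the words
in_list() {
    needle=$1; shift
    for item in "$@"; do
        if [ "$item" = "$needle" ]; then return 0; fi
    done
    return 1
}

# can_access MODE OWNER GROUP ACCOUNT "GROUPS" r|w|x -> prints yes / no
# GROUPS is ACCOUNT's group list as `id -Gn` prints it (space separated).
# Mirrors the kernel's check order; root is deliberately not special-cased.
can_access() {
    mode=$1; owner=$2; group=$3; account=$4; account_groups=$5; want=$6
    case "$want" in
        r) mask=4 ;; w) mask=2 ;; x) mask=1 ;;
        *) echo "can_access: want r, w or x" >&2; return 2 ;;
    esac
    octal=$(mode_to_octal "$mode")
    if [ "$account" = "$owner" ]; then
        bits=${octal%??}                            # owner digit
    elif in_list "$group" $account_groups; then     # unquoted on purpose: split into words
        mid=${octal#?}; bits=${mid%?}               # group digit
    else
        bits=${octal#??}                            # other digit
    fi
    if [ $((bits & mask)) -ne 0 ]; then echo yes; else echo no; fi
}

# Constructed scenario from the thread: /home/epicgamer owned by epicgamer:epicgamer,
# main account "main" whose `id -Gn` prints "main wheel epicgamer" after the usermod.
HOME_750='drwxr-x---'
HOME_770='drwxrwx---'
printf 'chmod %s -> main can read: %s, write: %s\n' \
    "$(mode_to_octal "$HOME_750")" \
    "$(can_access "$HOME_750" epicgamer epicgamer main 'main wheel epicgamer' r)" \
    "$(can_access "$HOME_750" epicgamer epicgamer main 'main wheel epicgamer' w)"
printf 'chmod %s -> main can read: %s, write: %s\n' \
    "$(mode_to_octal "$HOME_770")" \
    "$(can_access "$HOME_770" epicgamer epicgamer main 'main wheel epicgamer' r)" \
    "$(can_access "$HOME_770" epicgamer epicgamer main 'main wheel epicgamer' w)"
printf 'before joining the group -> main can read: %s\n' \
    "$(can_access "$HOME_750" epicgamer epicgamer main 'main wheel' r)"
```

The last line is the check worth keeping in mind: group membership is read at login, so until the main account logs out and back in, `id -Gn` will not list `epicgamer` and the rsync from the main account will still be refused even though the chmod is already in place.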

            • gravity (OP)
              2 upvotes · 4 years ago

              No. If you do ls -l <filename>, you’ll get an output like this:

              No, I understand that is how you view permissions on a specific file/folder, I was saying that the only groups that seem to be on my system are wheel and mainusername (when running groups). I don’t have the network, audio, video, input, groups you mentioned above. Whether or not that matters, not sure.

              you can add your main user to the epicgamer group. Then you can do chmod 750 /home/epicgamer so that whoever is in the group epicgamer can read the home folder. You can set the permission to 770 if you want write permission too. But you will have to experiment because I have not tried this before.

              I am a little confused here, I understand what you are saying by adding my main user to the epicgamer group, then allowing read/execute permissions on the folder. But I am confused on what you are replying to here? Is this in response to my question on rsyncing the save folder? If so, that makes sense.

              Now my only main concern I have left, is the multi-user question I mentioned above:

              What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer? Or does it open as my primary user? I’m not extremely in touch with how multi-user works, because I know if I open two terminals, I can be on my main user in one, and then another user in another, but if I open a new one, it is back to my primary user. So I just want to ensure the stuff I’m opening under the gamer user, stays as gamer. If I launch anything from Rofi, then I think it will open as my primary user? How do I deal with that as well?

              Sorry if this question is confusing, feel free to clarify about it, to give a proper response if you or whoever doesn’t understand. :penguin:

              • ksynwa
                1 upvote · 4 years ago

                I am a little confused here, I understand what you are saying by adding my main user to the epicgamer group, then allowing read/execute permissions on the folder.

                Yes.

                Is this in response to my question on rsyncing the save folder? If so, that makes sense.

                Yes.

                if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer?

                Yes. If you have steam installed as a system package (from your package manager or flatpak), it will be launched as a process under your gamer user.

                I know if I open two terminals, I can be on my main user in one, and then another user in another, but if I open a new one, it is back to my primary user.

                I was thinking more on the line that if you want to play a game, you will log out of your main user, log into gamer, and start your game from there. Otherwise you’ll have to start it with sudo -u gamer steam which will start the process as gamer. I am not sure about using rofi with that. You’re gonna have to look into it. I feel this is where we were not on the same page but hopefully it’s cleared up. If this is not what you want I think it should give you some idea which direction to head in. Maybe someone else has a more solution for this.

                • gravity (OP)
                  2 upvotes · edited · 4 years ago

                  I was thinking more on the line that if you want to play a game, you will log out of your main user, log into gamer, and start your game from there.

                  Yeah, I was trying to avoid this as this would mean I’d have to essentially close out of all my stuff I believe which I didn’t want to do.

                  sudo -u gamer steam

                  I guess I could set some aliases up, or see if Rofi has any support for this, I know we’re slightly diving away from the original question but I do think it’s still relevant. But if anyone else comes along and has any ideas here I’d love to hear.

                  Edit: Upon running that command, I am receiving an error which looks to be related to display?

                  $ sudo -u gaming lutris
                  Unable to load locale dir, translations won't work.
                  No protocol specified
                  Unable to init server: Could not connect: Connection refused
                  No protocol specified
                  Unable to init server: Could not connect: Connection refused
                  No protocol specified
                  Error: unable to open display :0
                  2020-07-08 15:21:04,254: glxinfo call failed: Command '['glxinfo', '-B']' returned non-zero exit status 255.
                  2020-07-08 15:21:04,255: No available glxinfo output
                  2020-07-08 15:21:04,255: Invalid glxinfo received
                  2020-07-08 15:21:04,516: Getting full game list from MAME...
                  2020-07-08 15:21:04,516: MAME XML generation launched in the background, not returning anything this time
                  2020-07-08 15:21:04,516: MAME isn't installed, can't retrieve systems list.
                  No protocol specified
                  Can't open display :0
                  2020-07-08 15:21:04,547: Unable to read xrandr: Command '['xrandr']' returned non-zero exit status 1.
                  No protocol specified
                  Unable to init server: Could not connect: Connection refused
                  
                  (lutris:10480): Gtk-WARNING **: 15:21:04.590: cannot open display: :0
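
The `No protocol specified` / `cannot open display :0` lines above are the X server refusing a client that does not hold the display's authorisation cookie: `sudo -u gaming` starts lutris as a different uid, and that uid has no access to the main account's `.Xauthority`. The script below is an added example, not code from the thread or from any of the projects mentioned. It packages the setup the thread converges on (a `gaming` account with no extra groups, the main account added to its private group, `chmod 750` on its home) and a launcher that grants that one local account access to the current X display with `xhost +SI:localuser:gaming` for the lifetime of the program, then revokes it. The account names `gaming` and the main account are assumptions; set `GAMING_USER` and `MAIN_USER` to match.

```shell
#!/bin/sh
# Added example, not code from the thread or any project. Account names are
# assumptions; override GAMING_USER / MAIN_USER in the environment if they differ.
#
#   sh gaming-user.sh setup        # once, asks for your sudo password
#   sh gaming-user.sh run lutris   # start lutris as the gaming account on this display
set -u

GAMING_USER=${GAMING_USER:-gaming}
MAIN_USER=${MAIN_USER:-$(id -un)}

# Access-control spec for one local account on the X server. The server checks
# the connecting process's uid, so the gaming account gets in without a copy of
# your .Xauthority cookie and no other account does.
xhost_spec() {  # xhost_spec grant|revoke ACCOUNT -> "+SI:localuser:ACCOUNT" / "-SI:localuser:ACCOUNT"
    case "$1" in
        grant)  echo "+SI:localuser:$2" ;;
        revoke) echo "-SI:localuser:$2" ;;
        *)      echo "xhost_spec: expected grant|revoke, got '$1'" >&2; return 2 ;;
    esac
}

# 0 when called from inside a graphical session, 1 otherwise. Without DISPLAY
# the launched program fails with the same "cannot open display" error as above.
have_display() {
    [ -n "${DISPLAY:-}" ]
}

# One-off account creation. No supplementary groups on purpose: the thread's
# advice is to start with none and add audio/video/input only if a program needs it.
setup_gaming_user() {
    sudo useradd -m -U "$GAMING_USER"             # -U: private group with the same name
    sudo passwd "$GAMING_USER"                    # only needed for logging in at the greeter
    sudo usermod -aG "$GAMING_USER" "$MAIN_USER"  # main account joins the private group...
    sudo chmod 750 "/home/$GAMING_USER"           # ...and that group may read the home
    echo "log out and back in so $MAIN_USER picks up the new group"
}

# Run PROGRAM [ARGS...] as the gaming account on this display. Only DISPLAY is
# handed over; sudo -H gives the process the gaming account's HOME, so Steam,
# Lutris and Wine prefixes land in /home/$GAMING_USER rather than in yours.
run_as_gaming_user() {
    if ! have_display; then
        echo "DISPLAY is not set: run this from your graphical session" >&2
        return 1
    fi
    xhost "$(xhost_spec grant "$GAMING_USER")" >/dev/null || return 1
    # Take the grant away again when the program exits, however it exits.
    trap 'xhost "$(xhost_spec revoke "$GAMING_USER")" >/dev/null' EXIT
    sudo -H -u "$GAMING_USER" env DISPLAY="$DISPLAY" "$@"
}

case "${1:-}" in
    setup) setup_gaming_user ;;
    run)   shift; run_as_gaming_user "$@" ;;
    "")    ;;                                     # no arguments: only define the functions
    *)     echo "usage: $0 setup | run PROGRAM [ARGS...]" >&2; exit 2 ;;
esac
```

Two things to keep in mind when using it. First, the main account is in `wheel`, so `sudo -u gaming` will ask for its password; a narrower sudoers rule such as `main ALL=(gaming) NOPASSWD: /usr/bin/lutris, /usr/bin/steam` lets the main account start only those programs as `gaming` and nothing else. Second, the separation this gives is file-level only: every client on the same X display, whichever uid it runs as, can observe the others' windows and input, so a program you do not trust at all still belongs on a separate machine, as the opening post already notes.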