What I’m Looking To Achieve:
Still newer to Linux, permissions are one of those things that screw with my head a lot still. What I am looking to do is set up a new user on my system and give it the bare minimum privileges, specifically to play games. Therefore, those games and proprietary clients could not access any of my other files in certain cases. I understand an isolated system would be the best bet, but I do not have the hardware currently to do that. I figure a restricted user is better than none.
What The Restricted User Should Be Ideally:
The restricted user should only have access to the files it needs to run, it would need to be able to download clients (Lutris, Steam, Origin, etc), not be able to access all the files my main account can, be able to use stuff like WINE and Proton, and not be sandboxed/jailed.
My current setup is:
- OS: Artix Linux x86_64
- Kernel: 5.6.19.a-1-hardened
- WM: bspwm
I’d appreciate some slight handholding on this, as I said I am still new and learning, and permissions are something that still confuses me greatly and I have not dealt with much. I’m quite honestly not sure where to even start with all this, as I’m not sure what I would give the new user access to and wouldn’t as far as system files. Would I add it to the sudoers group, because otherwise it can’t download stuff, correct? Is it not concerning that it would have access to use sudo, defeating the purpose of the permissions? And I’m sure there’s other stuff I’m not even thinking of that I would run into when trying to do this. Would definitely appreciate help. If you have any questions, feel free to ask away. Thanks! :penguin:
Are you talking about clients like Steam, Origin, etc.? If yes, then you can install Steam, Lutris, Wine, etc. from your package manager, and when you run them as a new user, they can only write inside your new home directory and won’t be able to read files in your main user’s home.
You can add your main user to the group with the same name as the new user and you should be able to read the new user’s files though I haven’t tried this ever.
Are you suggesting to make a `gaming` group, then add my main user to it? Also read my above reply for more.

No. If you do `ls -l <filename>`, you’ll get an output like this:

```
ks@ksvoid % ls -l avatar.jpg
-rw-r--r-- 1 ks ks 380615 Mar 17 11:41 avatar.jpg
             ^  ^
          User  Group
```

You can have a group with the same name as a user. If you make an account with the name `epicgamer`, you can add your main user to the `epicgamer` group. Then you can do `chmod 750 /home/epicgamer` so that whoever is in the group `epicgamer` can read the home folder. You can set the permission to `770` if you want write permission too. But you will have to experiment because I have not tried this before.

No, I understand that is how you view permissions on a specific file/folder. I was saying that the only groups that seem to be on my system are `wheel` and `mainusername` (when running `groups`). I don’t have the `network`, `audio`, `video`, `input` groups you mentioned above. Whether or not that matters, not sure.

I am a little confused here. I understand what you are saying by adding my main user to the `epicgamer` group, then allowing read/execute permissions on the folder. But I am confused on what you are replying to here? Is this in response to my question on `rsync`ing the save folder? If so, that makes sense.

Now my only main concern I have left is the multi-user question I mentioned above:

Sorry if this question is confusing, feel free to clarify about it, to give a proper response if you or whoever doesn’t understand. :penguin:
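The owner/group/other rule that the `chmod 750 /home/epicgamer` suggestion above relies on, worked through in a small script. This is an added example, not code from anyone in the thread: `epicgamer`, `mainuser` and `nobody` are placeholder account names, and the script only reasons about mode strings and changes nothing on the system. It also checks the opposite direction, the gaming account's view of the main user's home, which is the case the original question is about.

```sh
#!/bin/sh
# who-can-access.sh -- evaluate the UNIX permission check by hand for the
# shared-home setup discussed in this thread.
# Added example, not code from the thread. "epicgamer", "mainuser" and
# "nobody" are placeholder account names; nothing here touches the real
# system, it only reasons about chmod modes.

# One octal digit (0-7) -> its rwx triplet.
digit_to_rwx() {
    case "$1" in
        0) printf -- '---' ;; 1) printf -- '--x' ;; 2) printf -- '-w-' ;; 3) printf -- '-wx' ;;
        4) printf -- 'r--' ;; 5) printf -- 'r-x' ;; 6) printf -- 'rw-' ;; 7) printf -- 'rwx' ;;
        *) return 1 ;;
    esac
}

# chmod's three-digit mode -> the nine permission characters ls -l shows
# (750 -> rwxr-x---: owner rwx, group r-x, everyone else nothing).
octal_to_symbolic() {
    a=$(printf '%s' "$1" | cut -c1)
    b=$(printf '%s' "$1" | cut -c2)
    c=$(printf '%s' "$1" | cut -c3)
    printf '%s%s%s' "$(digit_to_rwx "$a")" "$(digit_to_rwx "$b")" "$(digit_to_rwx "$c")"
}

# Is $1 one of the space-separated names in $2?
in_list() {
    for g in $2; do [ "$g" = "$1" ] && return 0; done
    return 1
}

# The kernel's rule (ignoring root and ACLs): exactly ONE triplet applies,
# chosen by owner match first, then group membership, else "other".
#   $1 octal mode  $2 owner  $3 group  $4 user  $5 user's groups  $6 r|w|x
can() {
    sym=$(octal_to_symbolic "$1")
    if [ "$4" = "$2" ]; then
        bits=$(printf '%s' "$sym" | cut -c1-3)
    elif in_list "$3" "$5"; then
        bits=$(printf '%s' "$sym" | cut -c4-6)
    else
        bits=$(printf '%s' "$sym" | cut -c7-9)
    fi
    case "$bits" in *"$6"*) return 0 ;; *) return 1 ;; esac
}

# Print one check: path, mode, owner, group, user, user's groups, permission.
report() {
    if can "$2" "$3" "$4" "$5" "$6" "$7"; then res=yes; else res=no; fi
    printf '%-16s %s %s:%s  user=%-9s %s -> %s\n' \
        "$1" "$(octal_to_symbolic "$2")" "$3" "$4" "$5" "$7" "$res"
}

# /home/epicgamer after: usermod -aG epicgamer mainuser; chmod 750 /home/epicgamer
report /home/epicgamer 750 epicgamer epicgamer mainuser "mainuser epicgamer wheel" r   # yes
report /home/epicgamer 750 epicgamer epicgamer mainuser "mainuser epicgamer wheel" w   # no (770 would allow it)
report /home/epicgamer 750 epicgamer epicgamer nobody   "nobody" r                     # no

# The direction the original question is about: the gaming account is only
# kept out of the main user's files if that home is not world-readable.
# 755 is a common default for home directories; chmod 750 closes it.
report /home/mainuser 755 mainuser mainuser epicgamer "epicgamer" r   # yes: games can read your files
report /home/mainuser 750 mainuser mainuser epicgamer "epicgamer" r   # no
```

The two `/home/mainuser` lines are the check worth running for real with `stat -c '%a %U %G' /home/<you>`: if the mode is `755`, a separate gaming user still reads everything in your home, and the `chmod 750` has to be applied to your own directory, not only to the gaming one.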
Yes.

Yes.

Yes. If you have Steam installed as a system package (from your package manager or flatpak), it will be launched as a process under your `gamer` user.

I was thinking more on the line that if you want to play a game, you will log out of your main user, log into `gamer`, and start your game from there. Otherwise you’ll have to start it with `sudo -u gamer steam`, which will start the process as `gamer`. I am not sure about using rofi with that. You’re gonna have to look into it. I feel this is where we were not on the same page but hopefully it’s cleared up. If this is not what you want I think it should give you some idea which direction to head in. Maybe someone else has a more solution for this.

Yeah, I was trying to avoid this as this would mean I’d have to essentially close out of all my stuff I believe, which I didn’t want to do.
I guess I could set some aliases up, or see if Rofi has any support for this, I know we’re slightly diving away from the original question but I do think it’s still relevant. But if anyone else comes along and has any ideas here I’d love to hear.
Edit: Upon running that command, I am receiving an error which looks to be related to display?
```
$ sudo -u gaming lutris
Unable to load locale dir, translations won't work.
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Error: unable to open display :0
2020-07-08 15:21:04,254: glxinfo call failed: Command '['glxinfo', '-B']' returned non-zero exit status 255.
2020-07-08 15:21:04,255: No available glxinfo output
2020-07-08 15:21:04,255: Invalid glxinfo received
2020-07-08 15:21:04,516: Getting full game list from MAME...
2020-07-08 15:21:04,516: MAME XML generation launched in the background, not returning anything this time
2020-07-08 15:21:04,516: MAME isn't installed, can't retrieve systems list.
No protocol specified
Can't open display :0
2020-07-08 15:21:04,547: Unable to read xrandr: Command '['xrandr']' returned non-zero exit status 1.
No protocol specified
Unable to init server: Could not connect: Connection refused
(lutris:10480): Gtk-WARNING **: 15:21:04.590: cannot open display: :0
```
try this https://gist.github.com/kasunbg/5502cb630429819d07b5dc0cfa26813c
```
$ xhost +
zsh: command not found: xhost
```
hmmm…
LOL. On Void there is a package called `xhost` which provides the binary.
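The `No protocol specified` and `cannot open display :0` lines in the log above mean the X server refused the gaming user's connection: a second UNIX account has no credential for your display. The linked gist's `xhost +` cures that by switching X access control off for every client on the machine; `xhost +SI:localuser:<user>` grants exactly one local account instead, and `xhost -SI:localuser:<user>` takes it back. The wrapper below is an added example, not code from the thread, from Lutris or from the gist. It assumes the restricted account is called `gaming` as in the log (override with `GAME_USER`), that `sudo` may run commands as that user, and that the `xhost` binary is installed (package `xhost` on Void, `xorg-xhost` on Arch and Artix).

```sh
#!/bin/sh
# run-as-gamer.sh -- launch a program as a separate, less privileged local
# user on the current X display without turning X access control off.
#
# Added example for this thread, not code from the thread, Lutris or the
# linked gist. Assumptions: the restricted account is "gaming" (override with
# GAME_USER), the main account may run commands as it via sudo, and xhost is
# installed (package "xhost" on Void, "xorg-xhost" on Arch/Artix).
#
# "SI:localuser:<name>" is a server-interpreted xhost entry: the X server
# checks the UNIX account of the client connecting over the local socket,
# so only that account gains access, not every process on the host.

# Build the xhost access-list entry for one local user.
xhost_spec() {
    printf 'SI:localuser:%s' "$1"
}

# Accept only a plain lower-case POSIX user name, so a bad value cannot
# smuggle extra xhost entries or shell words into the commands below.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Grant, run, revoke. The trap removes the grant even if the program
# crashes or the script is interrupted, so the display does not stay open.
run_as_user() {
    user=$1; shift
    valid_user "$user" || { echo "run_as_user: bad user name '$user'" >&2; return 2; }
    spec=$(xhost_spec "$user")
    xhost "+$spec" >/dev/null || return 1
    trap 'xhost "-$spec" >/dev/null' EXIT INT TERM
    # -H gives the gaming user its own HOME so Steam/Lutris write their
    # files there, not into the main user's dotfiles; DISPLAY is passed
    # explicitly because sudo may strip it from the environment.
    sudo -H -u "$user" env DISPLAY="${DISPLAY:-:0}" "$@"
    status=$?
    xhost "-$spec" >/dev/null
    trap - EXIT INT TERM
    return "$status"
}

usage() {
    echo "usage: GAME_USER=gaming $0 lutris|steam [args...]" >&2
}

if [ $# -gt 0 ]; then
    run_as_user "${GAME_USER:-gaming}" "$@"
else
    usage
fi
```

Run it as `./run-as-gamer.sh lutris` from the main account; `xhost` with no arguments lists the current access list, which should show the `SI:localuser:gaming` entry only while the game is running. This covers X11 only; on a Wayland session the compositor, not xhost, decides who may connect.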