What I’m Looking To Achieve:

Still newer to Linux, permissions is one of those things that screws with my head a lot still. What I am looking to do is set up a new user on my system, and give it the bare minimum privileges specifically to play games. Therefore, those games and proprietary clients could not access any of my other files in certain cases. I understand an isolated system would be the best bet, but I do not have the hardware currently to do that. I figure a restricted user is better than none.

What The Restricted User Should Be Ideally:

The restricted user should only have access to the files it needs to run, it would need to be able to download clients (Lutris, Steam, Origin, etc), not be able to access all the files my main account can, be able to use stuff like WINE and Proton, and not be sandboxed/jailed.

My current setup is:

  • OS: Artix Linux x86_64
  • Kernel: 5.6.19.a-1-hardened
  • WM: bspwm

I’d appreciate some slight handholding on this, as I said I am still new and learning and permissions is something that still confuses me greatly and I have not dealt with it much. I’m quite honestly not sure where to even start with all this, as I’m not sure what I would give the new user access to and wouldn’t as far as system files. Would I add it to the sudoers group, because otherwise it can’t download stuff, correct? Is it not concerning that it would have access to use sudo, defeating the purpose of the permissions? And I’m sure there’s other stuff I’m not even thinking of that I would run into when trying to do this. Would definitely appreciate help. If you have any questions, feel free to ask away. Thanks! :penguin:

  • @gravityOP
    4 years ago

    It will be the unprivileged user that starts the processes and therefore the processes will have the same limited privileges.

    Ah, I was not aware this worked like this. That makes it simpler.

    Sure, it would be better, if you could identify specific directories that this user needs access to and only give it the minimally necessary permissions for that, but that would be a lot of work, especially since you want to run so many different applications.

    Yes this is my concern, ok so I won’t do that.

    So in the end let me ensure I have this correct, I go on my main user, install Steam, Lutris, Origin, whatever. Then I make a new user, say gamer, what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username. After that, I just su to that user when I want to play a game, then launch Lutris or what not as that user, and all should be good?

    What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer? Or does it open as my primary user? I’m not extremely in touch with how multi-user works, because I know if I open two terminals, I can be on my main user in one, and then another user in another, but if I open a new one, it is back to my primary user. So I just want to ensure the stuff I’m opening under the gamer user, stays as gamer. If I launch anything from Rofi, then I think it will open as my primary user? How do I deal with that as well?

    • Ephera
      14 years ago

      what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username.

      Well, you wouldn’t want to add it to the ‘wheel’ group. That’s what allows running sudo (though there would still be a password prompt).

      I’m assuming, creating the user will add it into the group with its own name on your distro, so that should be fine. So, I wouldn’t add it to any group, though I also don’t have experience specifically with gaming. That just seems logical since your main user is also not in more groups.
      And well, it doesn’t hurt to try it with fewer groups; you can always add groups later.

      What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer?

      Well, same deal as before. A process launched by a user only has the same privileges as that user, which means it can only launch processes as the same user, again. You yourself can only launch processes as another user, basically because you know the password of the privileged user account (root). There’s also some special voodoo with sudo, to make that work more seamlessly, but yeah, generally a process cannot start another process under a different user (again, that would be a major security issue, if it was possible).

      If you want to double-check, there’s likely a way to see in your task manager by which user each process was spawned.
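
One way to do the double-check suggested above from a terminal, as an added example that is not part of the thread: the two functions read a `ps` listing and report game-client processes that ended up under the wrong account (the Rofi case from the question) or anything in the restricted session's process tree that is not owned by it. The account names `gamer` and `alice`, the process names and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example. Input: one process per line as "pid ppid user comm".
# "gamer" and "alice" are hypothetical accounts; SAMPLE_PS is constructed data.

# Print "pid user comm" for every process at or below PID $1 not owned by user $2.
foreign_descendants() {
    awk -v root="$1" -v want="$2" '
        { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
        END {
            for (pid in ppid) {
                p = pid; hops = 0
                # Climb the parent chain; the hop limit guards against malformed input.
                while (p != root && (p in ppid) && hops++ < 1024) p = ppid[p]
                if (p == root && user[pid] != want)
                    print pid, user[pid], comm[pid]
            }
        }' | sort -n
}

# Print "pid user comm" for processes named $2... that are not owned by user $1.
wrong_owner() {
    want="$1"; shift
    awk -v want="$want" -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) watch[a[i]] = 1 }
        ($4 in watch) && $3 != want { print $1, $3, $4 }'
}

# Constructed listing: steam started from rofi runs as alice, while the
# session opened with su runs as gamer, apart from one root-owned helper.
SAMPLE_PS='900 1 alice bspwm
1200 900 alice rofi
1210 1200 alice steam
970 900 root su
2000 970 gamer bash
2010 2000 gamer lutris
2020 2010 gamer steam
2030 2020 gamer wineserver
2040 2020 root setuid-helper'

printf '%s\n' "$SAMPLE_PS" | wrong_owner gamer steam lutris
printf '%s\n' "$SAMPLE_PS" | foreign_descendants 2000 gamer
# Live: ps -e -o pid= -o ppid= -o user= -o comm= | wrong_owner gamer steam lutris
```

Empty output from both functions means every watched client, and everything started from the restricted session, is running as the restricted user.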