What I’m Looking To Achieve:

Still newer to Linux, permissions is one of those things that screws with my head a lot still. What I am looking to do is, setup a new user on my system, and give it the bare minimum privileges specifically to play games. Therefore, those games and proprietary clients could not access any of my other files in certain cases. I understand an isolated system would be the best bet, but I do not have the hardware currently to do that. I figure a restricted user is better than none.

What The Restricted User Should Be Ideally:

The restricted user should only have access to the files it needs to run, it would need to be able to download clients (Lutris, Steam, Origin, etc), not be able to access all the files my main account can, be able to use stuff like WINE and Proton, and not be sandboxed/jailed.

My current setup is:

  • OS: Artix Linux x86_64
  • Kernel: 5.6.19.a-1-hardened
  • WM: bspwm

I’d appeciate some slight handholding on this, as I said I am still new and learning and permissions is something that still confuses me greatly and I have not dealt with it much. I’m quite honestly not sure where to even start with all this, as I’m not sure what I would give the new user access too and wouldn’t as far as system files, would I add it to the sudoers group because otherwise it can’t download stuff correct? Is it not concerning that it would have access to use sudo defeating the purpose of the permissions? And I’m sure there’s other stuff I’m not even thinking of that I would run into when trying to do this. Would definitely appreciate help. If you have any questions, feel free to ask away. Thanks! :penguin:

  • Ephera
    link
    fedilink
    arrow-up
    1
    ·
    4 years ago

    If I installed the packages from my privileged user, would this not mean that those clients have access to the stuff of my privileged user though?

    It will be the unpriviledged user that starts the processes and therefore the processes will have the same limited priviledges.

    Also are there any other concerns besides $HOME that I should be considering?

    The /tmp-directory is also readable and writable by any normal user, but application developers should know to not put anything critical there.

    And what about specific directory rwx permissions? Would I have to set anything specific anywhere?

    Shouldn’t be necessary. The defaults for unpriviledged users are generally very limited already, as this same system is designed for separating not just your brother’s account from yours, but also for separating hundreds of users in universities (with various degrees of maliciousness), or for isolating vulnerable software e.g. you typically run a web server under its own user (though without logging out and back in as the new user, you just tell your OS to run this one process as that other user).

    Sure, it would be better, if you could identify specific directories that this user needs access to and only give it the minimally necessary permissions for that, but that would be a lot of work, especially since you want to run so many different applications.

    • gravityOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      4 years ago

      It will be the unpriviledged user that starts the processes and therefore the processes will have the same limited priviledges.

      Ah, I was not aware this worked like this. That makes it simpler.

      Sure, it would be better, if you could identify specific directories that this user needs access to and only give it the minimally necessary permissions for that, but that would be a lot of work, especially since you want to run so many different applications.

      Yes this is my concern, ok so I won’t do that.

      So in the end let me ensure I have this correct, I go on my main user, install Steam, Lutris, Origin, whatever. Then I make a new user, say gamer, what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username. After that, I just su to that user when I want to play a game, then launch Lutris or what not as that user, and all should be good?

      What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer? Or does it open as my primary user? I’m not extremely in touch with how multi-user works, because I know if I open two terminals, I can be on my main user in one, and then another user in another, but if I open a new one, it is back to my primary user. So I just want to ensure the stuff I’m opening under the gamer user, stays as gamer. If I launch anything from Rofi, then I think it will open as my primary user? How do I deal with that as well?

      • Ephera
        link
        fedilink
        arrow-up
        1
        ·
        4 years ago

        what groups do I add it to? If I type groups all I have are two groups, one called wheel and the other with my main username.

        Well, you wouldn’t want to add it to the ‘wheel’ group. That’s what allows running sudo (though there would still be a password prompt).

        I’m assuming, creating the user will add it into the group with its own name on your distro, so that should be fine. So, I wouldn’t add it to any group, though I also don’t have experience specifically with gaming. That just seems logical since your main user is also not in more groups.
        And well, it doesn’t hurt to try it with less groups; you can always add groups later.

        What about stuff that autolaunches though? Like if I run Lutris as gamer user, then I click a game, and it requires opening Steam, does it auto-open steam as gamer?

        Well, same deal as before. A process launched by a user only has the same priviledges as that user, which means it can only launch processes as the same user, again. You yourself can only launch processes as another user, basically because you know the password of the priviledged user account (root). There’s also some special voodoo with sudo, to make that work more seamlessly, but yeah, generally a process cannot start another process under a different user (again, that would be a major security issue, if it was possible).

        If you want to double-check, there’s likely a way to see in your task manager by which user each process was spawned.