Friday, November 30, 2012

sudoers for secure and insecure

run browsers as different users.  Previously I didn't need to customize /etc/sudoers since my user had NOPASSWD:ALL.  I'm stepping away from that insecure (but convenient) practice now, so just doing

  sudo -H -u insecure chromium-browser

won't work anymore since it'll require a password, I won't type one in, and it'll fail.

Now I need to add some entries to /etc/sudoers (sudo visudo)

  tiger ALL=(secure,insecure) NOPASSWD: /usr/bin/chromium-browser

and all works again.

Thursday, November 15, 2012

RALink wifi drivers

Our new laptop (an HP Pavilion G6-2119TU) has been prone to crashing once or twice a day (four times today) because the wifi driver for it is unstable.  I'm hoping that the driver from RALink is more stable.

Had to recompile from source, so posting the link here so I can find it again for when I need to rebuild the module on kernel upgrades or whenever I upgrade Mint.

Sunday, November 11, 2012

multi user pulse audio

Because I run browsers as different users I need all three different users to be able to play sound and by default pulse will only allow the currently logged in user to play sound.

To let all three users play sound (usually when I click on a flash video or stream play music from Pandora) it's sufficient to edit /etc/default/pulseaudio, set  PULSEAUDIO_SYSTEM_START=1, and then restart pulse (with a logout/login or an X restart).

On Mint that port isn't accessible to the network by default.  if it is though, then add appropriate iptables rules so that network access is disabled.

Any local users will now be able to access pulse, so only do this if you trust your local users.

In 2016, the way to do this is now via paprefs.  Install the paprefs package and run paprefs as the main user (i.e., I'd run it as tiger and allow localhost only access to sound).

Do this only if you trust all users on the machine.

Saturday, November 10, 2012

xhost for specific local user only

On Linux (Mint, lately, but also Ubuntu and others) I run my browsers as three different users.

  • When browsing sites that need high security (online banking, etc) I use the browser when logged in as myself, 
  • For regular browsing of important but not financial sites (gmail, facebook, etc) I run a browser as a user named "secure" (could be any other name).  
  • For likely insecure browsing (reddit, etc) I run a browser as a user named "insecure"
Previously I would have a shell script that did:

  ssh -X secure@localhost

with public key auth.  Lately I'd switched to a script that did:

  xhost +

instead so I could just

  sudo -H -u secure chromium-browser

but that's not too secure.  I finally broke down and read the xhost manual and am now doing it the right way with:

  xhost +si:localuser:secure
  xhost +si:localuser:insecure

which at least limits the xhost permission to just those two users.