I use https://github.com/slingamn/namespaced-openvpn to have a isolated namespace and VPN connection

On X, these two steps would allow me to run a GUI program in the protected namespace. So I could have .e.g an IDE configuration for my main user/personal projects, and another entirely different instance of the same IDE for work because they use different users

sudo xhost '+si:localuser:user'
sudo ip netns exec protected sudo -u user -i

On Wayland, although the protected shell is created fine, GUI programs don’t start. E.g fgor Dolphin

error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Failed to create wl_display (No such file or directory)

I’ve tried to preserve the env without success:


sudo -E ip netns exec protected sudo -u user -i

It seems that I access to the wayland socket is a must for this to work

This discussion has a nuke option - giving 777 access to the dir where the wayland socket is, and another less permissive approach adding the users to a group and giving access to a new location where the wayland socket is created

https://stackoverflow.com/questions/41736528/linux-wayland-display-multiple-user

Is this second approach secure? If not, which other steps could I take to achieve what I did in X?

  • @shadowintheday2OP
    link
    English
    2
    edit-2
    10 months ago

    Another thing to solve: XWayland apps as a different user

    Giving access to the wayland socket makes other users able to use wayland; however programs that rely on XWayland to work don’t seem to get it:

    
    Start Failed
    Failed to initialize graphics environment
    
    java.awt.AWTError: Can't connect to X11 window server using ':0' as the value of the DISPLAY variable.
            at java.desktop/sun.awt.X11GraphicsEnvironment.initDisplay(Native Method)
    

    Wine

    
    0120:fixme:kernelbase:AppPolicyGetThreadInitializationType FFFFFFFA, 0ECAFF08
    0128:err:winediag:nodrv_CreateWindow Application tried to create a window, but no driver could be loaded.
    0128:err:winediag:nodrv_CreateWindow L"The explorer process failed to start."
    0128:err:systray:initialize_systray Could not create tray window
    0114:err:winediag:nodrv_CreateWindow Application tried to create a window, but no driver could be loaded.
    0114:err:winediag:nodrv_CreateWindow L"Make sure that your X server is running and that $DISPLAY is set correctly."
    0114:fixme:kernelbase:AppPolicyGetProcessTerminationMethod FFFFFFFA, 0DE4FB40
    
    env | grep -i display
    WAYLAND_DISPLAY=wayland-0
    DISPLAY=:0