I use https://github.com/slingamn/namespaced-openvpn to have a isolated namespace and VPN connection

On X, these two steps would allow me to run a GUI program in the protected namespace. So I could have .e.g an IDE configuration for my main user/personal projects, and another entirely different instance of the same IDE for work because they use different users

sudo xhost '+si:localuser:user'
sudo ip netns exec protected sudo -u user -i

On Wayland, although the protected shell is created fine, GUI programs don’t start. E.g fgor Dolphin

error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Failed to create wl_display (No such file or directory)

I’ve tried to preserve the env without success:


sudo -E ip netns exec protected sudo -u user -i

It seems that I access to the wayland socket is a must for this to work

This discussion has a nuke option - giving 777 access to the dir where the wayland socket is, and another less permissive approach adding the users to a group and giving access to a new location where the wayland socket is created

https://stackoverflow.com/questions/41736528/linux-wayland-display-multiple-user

Is this second approach secure? If not, which other steps could I take to achieve what I did in X?

  • @shadowintheday2OP
    link
    English
    210 months ago

    Sir, you’re awesome! Thank you a lot for taking your time and explaining what you have found I will try these steps when I have some free time to tinker, and the info and script you have provided has cleared a lot of questions that I had