3

I didn't want to give access to some sensitive directories when executing proprietary programs from snap. This is what I've done so far:

  1. Created a new user and limit read/write access to main /home directory and some other directories
  2. Added X access to other user for GUI applications, via xhost +si:localuser:[user 2]
  3. su into the other user and run the command

Unfortunately for some programs write access is required for /run/user/1000, which is owned by the main user. For example running skype from snap.
What's the problem here? Why doesn't the new user just create a new run/user directory? I'm not too familiar with these concepts so a detailed explanation/fix would be very appreciated.

Xosrov
  • 141
  • 1
  • 7

1 Answers1

1

It seems su [user 2] keeps the current shell's environmental variables when switching to another user. To fix this problem, I had to use su - [user 2].
To make sure the new shell works fine, some additional steps are needed after step 2 of original post.

  1. Set appropriate DISPLAY environmental variable. run echo $DISPLAY on [user 1]'s shell. Set the same display for [user 2] as well. For example by running export DISPLAY=:0.0 for [user 2]'s shell.

  2. [optional] If you see errors like this in programs like Skype: cannot create directory '/run/user/1001': Permission denied, then just create that directory with appropriate permissions and ownership. For example for creating run/user/1001 run these commands (assuming it doesn't exist):

#make sure you're not overriding existing directory properties!
mkdir /run/user/1001
chown -R [user 2]:[user 2]
chmod g-rwx 1001
chmod o-rwx 1001

Thanks to the commenters on original post for help with this answer

Xosrov
  • 141
  • 1
  • 7