[-] [email protected] 3 points 1 month ago* (last edited 1 month ago)

Sure, someone helped me set up a script to share the wl socket between namespaces so I can run GUI programs in isolated namespaces, and if you look at this post you can check the namespaced-openvpn; also check vole's answer if you want to run GUI programs

[-] [email protected] 5 points 1 month ago

Thank you for summarizing it

I've been using network namespaces in Linux where each one also uses a different user; this way you can have multiple profiles of apps separated not only by permissions but also by the VPN connection that is the only route out

So you can have a connection that will supply your favorite iso sharer, a VPN connection to work, all unaware of each ot

I still haven't figured out how to make GUI media applications work on them though

[-] [email protected] 1 points 2 months ago

It seems that a namespace only has access to processes that originate inside itself

systemctl --user list-units
Failed to connect to bus: No medium found

as we can see, the same user doesn't have access to other processes so we would need to duplicate every process above the namespace until we could access the media

would duplicating everything - pulsewire, dbus, etc - even work?

13
submitted 2 months ago by [email protected] to c/[email protected]

I have created a network namespace to separate connections through a VPN, and it runs as the same user account as I use for everything else; however, it is not able to play music/use microphone

inside the namespace:

aplay -l
card 2: Generic_1 [HD-Audio Generic], device 0: ALCS1200A Analog [ALCS1200A Analog]
  Subdevices: 0/1
  Subdevice #0: subdevice #0
card 2: Generic_1 [HD-Audio Generic], device 1: ALCS1200A Digital [ALCS1200A Digital]
  Subdevices: 1/1
  Subdevice #0: subdevice #0

arecord -l
card 2: Generic_1 [HD-Audio Generic], device 0: ALCS1200A Analog [ALCS1200A Analog]
  Subdevices: 0/1
  Subdevice #0: subdevice #0
card 2: Generic_1 [HD-Audio Generic], device 2: ALCS1200A Alt Analog [ALCS1200A Alt Analog]
  Subdevices: 1/1
  Subdevice #0: subdevice #0

I also tried running as another user, but the effect is the same, which is why for simplicity I resorted to using the same user that can play/record normally

what should I look for in configuring it?

[-] [email protected] 1 points 2 months ago

you install program A, it needs and installs libpotato, then later you install program B that depends on libfries, and libfries depends on libpotato; however, since you already have libpotato installed, only program B and libfries are installed. The intelligence behind this is called a package manager

In Windows when you install something, it usually installs itself as a standalone thing and complains/breaks when dependencies are not met - e.g. having to install Visual C++ 2005-202x for games, JRE for Java programs etc

instead of making you install everything that you need to run something complex, the package manager does this for you and keeps track of where files are

and each package manager/distribution has an idea of where some files should be stored

2
submitted 5 months ago* (last edited 1 month ago) by [email protected] to c/[email protected]

I use https://github.com/slingamn/namespaced-openvpn to have an isolated namespace and VPN connection

On X, these two steps would allow me to run a GUI program in the protected namespace. So I could have e.g. an IDE configuration for my main user/personal projects, and another entirely different instance of the same IDE for work because they use different users

sudo xhost '+si:localuser:user'
sudo ip netns exec protected sudo -u user -i

On Wayland, although the protected shell is created fine, GUI programs don't start. E.g. for Dolphin

error: XDG_RUNTIME_DIR is invalid or not set in the environment.
Failed to create wl_display (No such file or directory)

I've tried to preserve the env without success:

sudo -E ip netns exec protected sudo -u user -i

It seems that access to the wayland socket is a must for this to work

This discussion has a nuke option - giving 777 access to the dir where the wayland socket is, and another less permissive approach adding the users to a group and giving access to a new location where the wayland socket is created

https://stackoverflow.com/questions/41736528/linux-wayland-display-multiple-user

Is this second approach secure? If not, which other steps could I take to achieve what I did in X?
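An added check, not from this thread or from namespaced-openvpn, that tells the two approaches above apart by inspecting the permission bits a Wayland client actually needs: it classifies a socket as reachable by every local user (the chmod 777 route), by a group, or only by its owner. The function names wl_socket_exposure and make_fake_socket are made up for this example; it assumes GNU stat and ignores POSIX ACLs, which would need a separate getfacl check.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Classifies who can reach a Wayland
# socket. connect() on a unix socket needs search (x) on the directory and
# write (w) on the socket file, so those two bits decide the exposure:
#   world : any local user can talk to the compositor (the chmod 777 route)
#   group : owner plus members of the directory's/socket's group
#   owner : only the owning user
# Only the socket's own directory is inspected; parents such as /run/user
# are assumed searchable, which is their default on systemd systems.
wl_socket_exposure() {
  local sock="$1" dir d s
  [ -e "$sock" ] || { echo missing; return 1; }
  dir=$(dirname "$sock")
  d=$((8#$(stat -c '%a' "$dir")))     # octal mode of the directory
  s=$((8#$(stat -c '%a' "$sock")))    # octal mode of the socket
  if (( (d & 1) && (s & 2) )); then echo world       # o+x dir, o+w socket
  elif (( (d & 8) && (s & 16) )); then echo group    # g+x dir, g+w socket
  else echo owner
  fi
}

# Constructed stand-in for /run/user/<uid>/wayland-0 so the check can be
# exercised without a compositor: a plain file plays the socket. Modes to
# compare: 777/666 is the "nuke option", 750/660 the shared-group layout,
# 700/755 what a fresh XDG_RUNTIME_DIR normally looks like.
make_fake_socket() {
  local dir="$1" dirmode="$2" sockmode="$3"
  mkdir -p "$dir"
  : > "$dir/wayland-0"
  chmod "$dirmode" "$dir"
  chmod "$sockmode" "$dir/wayland-0"
  echo "$dir/wayland-0"
}

# Audit any sockets given on the command line, e.g.
#   ./wl-audit.sh "$XDG_RUNTIME_DIR/wayland-0"
for sock in "$@"; do
  printf '%s: %s\n' "$sock" "$(wl_socket_exposure "$sock")"
done
```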

shadowintheday2

joined 6 months ago