On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
> Sombody in this newsgroup has said several times that he has
> a separate user account from which he does all his web
> browsing. Do I remember correctly that Bit Twister is that
> person?

That would be the person.


> I'm trying to do that, but I have run into a problem. I
> have my sudoers file set up to allow running the "firefox"
> command as the second user.

No need to be playing in usdoers file.

> However, I get a message that Firefox cannot connect to the X server.

In my ~browser/.bash_profile, I have


if [ -z "$SSH_CLIENT" ] ; then
export DISPLAY=:0.0
fi


> What's the secret?

Fist thing to try is doing a ssh firefox_account@$(hostname)

and see if you get logged into the firefox account and if you can get
firefox to run.

I have a script to jump to a desktop, and if user is not running
kick off an xterm to do the ssh firelfox login.

Not part of your problem, but you may want to add your firefox account
to the audio group. If you password less login to the firefox account
via ssh, you can set a null password.


$ cat xbrowser
#************************************************* ***********
#*
#* log into another node as browser
#*
#************************************************* ***********

_user=browser
_target=$(hostname --fqdn)
_app=firefox
_browsing_desktop=2


dcop kwin default setCurrentDesktop $_browsing_desktop > /dev/null

sleep 1

pgrep -U $_user $_app
if [ $? -eq 0 ] ; then
exit 0
fi

_cmd="ssh $_user@$_target"

echo -e "\033]2;$(hostname --fqdn): $_user \007"

xterm -title $_user -display $DISPLAY -geom 30x3+439+439 \
-e $_cmd \
&

#****************** end xbrowser *************************

On 2008-01-13, Bit Twister wrote:
> On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
>> Sombody in this newsgroup has said several times that he has
>> a separate user account from which he does all his web
>> browsing. Do I remember correctly that Bit Twister is that
>> person?
>
> That would be the person.

Good. Thanks.

>> I'm trying to do that, but I have run into a problem. I
>> have my sudoers file set up to allow running the "firefox"
>> command as the second user.
>
> No need to be playing in usdoers file.
>
>> However, I get a message that Firefox cannot connect to the X server.
>
> In my ~browser/.bash_profile, I have
>
>
> if [ -z "$SSH_CLIENT" ] ; then
> export DISPLAY=:0.0
> fi
>
>
>> What's the secret?
>
> Fist thing to try is doing a ssh firefox_account@$(hostname)
>
> and see if you get logged into the firefox account and if you can get
> firefox to run.
>
> I have a script to jump to a desktop, and if user is not running
> kick off an xterm to do the ssh firelfox login.
>
> Not part of your problem, but you may want to add your firefox account
> to the audio group. If you password less login to the firefox account
> via ssh, you can set a null password.

Ah, yes. I need to add the firefox account to the audio
group and a few other groups.

> $ cat xbrowser
> #************************************************* ***********
> #*
> #* log into another node as browser
> #*
> #************************************************* ***********
>
> ...

That script uses a very different approach. That script
uses ssh. Using ssh to run X clients is a relatively easy
thing to do, but it is my understanding that ssh introduces
significant encryption CPU burden and multiple process
switch latencies to tunnel the X stuff through ssh.

I'm trying to use sudo and/or su without ssh to avoid the
CPU burden and latency the ssh tunnel would involve. For
example,

su -l --command="xclock -digital" otheraccount

will run the xclock client from account 'otheraccount', but
(of course) requires a password. I want to use sudo to get
rid of the password entry, but I have yet to decipher the
man page sufficiently to find the incantation to do that.
So far, it appears 'su' handles the necessary xauth stuff,
but 'sudo' with a RunAs clause does not.

Any other suggestions that don't involve ssh?

Thanks.

--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)

On Mon, 14 Jan 2008 19:29:22 GMT, Robert M. Riches Jr. wrote:
>
> Ah, yes. I need to add the firefox account to the audio
> group and a few other groups.

Hmm, what other groups if I might ask?

> That script uses a very different approach. That script
> uses ssh. Using ssh to run X clients is a relatively easy
> thing to do, but it is my understanding that ssh introduces
> significant encryption CPU burden and multiple process
> switch latencies to tunnel the X stuff through ssh.

I have not noticed that "significant encryption CPU burden and
multiple process switch latencies"


> will run the xclock client from account 'otheraccount', but
> (of course) requires a password. I want to use sudo to get
> rid of the password entry,

Yes, I set it up so ssh does not prompt for password for access.

> Any other suggestions that don't involve ssh?

That was reason for the script, on 2006.0, you could use rlogin with a
..rhosts file.

On 2007.0 and greater, rlogin require a kerbose server to use rlogin.

On 2008-01-14, Bit Twister wrote:
> On Mon, 14 Jan 2008 19:29:22 GMT, Robert M. Riches Jr. wrote:
>>
>> Ah, yes. I need to add the firefox account to the audio
>> group and a few other groups.
>
> Hmm, what other groups if I might ask?

Now that you mention it, maybe I don't need to add them to
any others. I had been thinking floppy, cdrom, usb, and
maybe video. On second thought, the firefox account
shouldn't need those. The other other account I'm setting
up, for playing with Eclipse (to keep its mess out of my
main account), will likely need at least some of them,
though.

>> That script uses a very different approach. That script
>> uses ssh. Using ssh to run X clients is a relatively easy
>> thing to do, but it is my understanding that ssh introduces
>> significant encryption CPU burden and multiple process
>> switch latencies to tunnel the X stuff through ssh.
>
> I have not noticed that "significant encryption CPU burden and
> multiple process switch latencies"

That's good. If I can't get anything outside ssh to work,
that will be good news.

>> will run the xclock client from account 'otheraccount', but
>> (of course) requires a password. I want to use sudo to get
>> rid of the password entry,
>
> Yes, I set it up so ssh does not prompt for password for access.
>
>> Any other suggestions that don't involve ssh?
>
> That was reason for the script, on 2006.0, you could use rlogin with a
> .rhosts file.
>
> On 2007.0 and greater, rlogin require a kerbose server to use rlogin.

I wouldn't think you would find setting a kerberos server
very difficult.

--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)

Thanks for some ideas, Bit Twister, and perhaps others who
responded about setting up Firefox to run under another user
account. I think I have it working.

I had used tar to copy over my .mozilla to the new account.
The only extra work I found I needed was to reinstall
flashblock (for some reason, it had quit working), tweak the
default locale for the firefox account, and (as Bit Twister
pointed out) add the firefox account to the audio group.

In case it might help someone else, the big issue I had was
the command lines to sudo and su. It looks like su sets up
the XAUTHORITY stuff that sudo with a RunAs alias did not.
Here's what I put in sudoers, ROBOTHERUSERS and
ROBOTHERHOSTS being my main account name and the hostnames I
use:

Cmnd_Alias ROBSU2CMD = /bin/su -l rob2 , /bin/su -l rob2 -c *
ROBOTHERUSERS ROBOTHERHOSTS = NOPASSWD: ROBSU2CMD

Then, in my script that calls Firefox, I use the form

sudo /bin/su -l rob2 -c "firefox $arg"

--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)

On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
> Sombody in this newsgroup has said several times that he has
> a separate user account from which he does all his web
> browsing. Do I remember correctly that Bit Twister is that
> person?

Something else to consider is a clean install.

I use my accounts across other distributions and releases.
At one time first Mandrake assigned UID/GID was 500, then 501 on
another release. Some distributions start at 1000.

What I have done is start my accounts at 1500. Now on clean installs I
create an account, junk, su to root, and append my accounts to the
bottom of /etc/passwd,shadow,group,gshadow using cat. Example:

cat /rst/local/config/group_1500 >> /etc/group
cat /rst/local/config/gshadow_1500 >> /etc/gshadow
cat /rst/local/config/passwd_1500 >> /etc/passwd
cat /rst/local/config/shadow_1500 >> /etc/shadow

/rst is wherever the restore media/iso is mounted.

Here is the script to extract the 15xx accounts.

#!/bin/bash
#************************************************* *****************
#*
#* save_1500 - Saves 15?? uid/gid into /etc/*_1500
#*
#* saves 15?? uid/gid /etc/passwd,group,gshadow,shadow to /etc/*_1500
#*
#* To append/restore results after a clean install
#* cat /etc/group_1500 >> /etc/group
#* cat /etc/gshadow_1500 >> /etc/gshadow
#* cat /etc/passwd_1500 >> /etc/passwd
#* cat /etc/shadow_1500 >> /etc/shadow
#*
#************************************************* *****************
typeset -i i=o

_ifs_bkup="${IFS}"

function ld_ary
{
#**********************************************
#*
#* ld_ary - load array[] with first name from
#* each line from /etc/arg1_1500
#*
#* End of array[] contains --
#*
#**********************************************

_ary_fn=/etc/${1}_1500

IFS=":"
i=0

while read line ; do
set -- $line
array[$i]=$1
i=$(( $i + 1 ))
done < $_ary_fn

array[$i]="--"

IFS="${_ifs_bkup}"

} # end ld_ary

function gen_1500
{
#**********************************************
#*
#* gen_1500 - generate /etc/arg1_1500.
#*
#* reads /etc/arg1 file and any lines starting with
#* a name found in array[] are written to
#* /etc/arg1_1500 with the supplied arg2 perm.
#*
#**********************************************

_in_fn=/etc/$1
_out_fn=/etc/${1}_1500

/bin/cp /dev/null $_out_fn
chmod $2 $_out_fn

while read line ; do
_parse=$line
IFS=":"
set -- $_parse
IFS="${_ifs_bkup}"
i=0
while [ "${array[$i]}" != "--" ] ; do
if [ "${array[$i]}" = "$1" ] ; then
echo $line >> $_out_fn
break
fi
i=$(( $i + 1 ))
done

done < $_in_fn

IFS="${_ifs_bkup}"

} # end gen_1500

#***********************************
#*
#* Main code start here
#*
#***********************************

grep ':15' /etc/group | grep -v ':15:' | sort -n -t ':' --key=3 > /etc/group_1500
grep ':15' /etc/passwd | grep -v ':15:' | sort -n -t ':' --key=3 > /etc/passwd_1500

ld_ary group
gen_1500 gshadow 600

ld_ary passwd
gen_1500 shadow 600

#**************** end save_1500 **********************************

On 2008-01-18, Bit Twister wrote:
> On Sun, 13 Jan 2008 05:51:50 GMT, Robert M. Riches Jr. wrote:
>> Sombody in this newsgroup has said several times that he has
>> a separate user account from which he does all his web
>> browsing. Do I remember correctly that Bit Twister is that
>> person?
>
> Something else to consider is a clean install.
>
> I use my accounts across other distributions and releases.
> At one time first Mandrake assigned UID/GID was 500, then 501 on
> another release. Some distributions start at 1000.
>
> What I have done is start my accounts at 1500. Now on clean installs I
> create an account, junk, su to root, and append my accounts to the
> bottom of /etc/passwd,shadow,group,gshadow using cat. Example:
>
> cat /rst/local/config/group_1500 >> /etc/group
> cat /rst/local/config/gshadow_1500 >> /etc/gshadow
> cat /rst/local/config/passwd_1500 >> /etc/passwd
> cat /rst/local/config/shadow_1500 >> /etc/shadow
>
> /rst is wherever the restore media/iso is mounted.
>
> Here is the script to extract the 15xx accounts.
>
> ...

Clean installations are definitely the way to go. I also do
something similar (but a little less fancy) to put real user
accounts into each new installation.

--
Robert Riches
spamtrap42@verizon.net
(Yes, that is one of my email addresses.)