How to use gksu to safely run a non-open-source application?

I have a goal to have a pure open-source system on my home computer.

I'm using Debian Sarge, with Gnome as the desktop.

Problem is, some family members want to play streaming audio that is in a closed-source RealAudio format.

Nothing personal against Real Networks, but as a matter of principle, I do not want software that is not open source (i.e. the RealPlayer codec) having access to my files or theirs. I don't know what the software is doing, and I feel that paranoia is a reasonable attitude.

My solution is to create a "non-secure" user called realplay, in a group called realplay. This user is treated as hostile, and is not given access to any files of any other user. RealPlayer is installed in realplay's home directory.

On my own desktop I have created a launcher that runs gksu to run RealPlayer as user realplay. I can even include the URL to the streaming audio location in the launcher. It works just fine, and RealPlayer can't access my files (unless I specifically put them in group realplay). (Or can it? Am I naive in thinking that even though the RealPlayer window is visible on my Gnome desktop, RealPlayer can't access information which is owned by my user id?)

Problem is, the user has to enter realplay's password every time gksu is run. This is a nuisance and also would compromise realplay's password if it had to be given to many users.

I have tried to run gksu from a script in which I send realplay's password from a file to sysin, but gksu doesn't like that - I get a message something like "Must be run from a terminal". If I could run gksu from a script like this I could eliminate entry of the password. I could also create a Mozilla "helper application" to play specific MIME types using RealPlayer running under its separate user id.

The obvious solution is to run the RealPlayer binary as user realplay using the suid permission - but GTK+ does not honour the suid bit because that is deemed to be a security risk. See .

It seems that GTK+ does not support suid because suid is often used to execute programs with higher privileges than those of the user who runs them (e.g. suid root). But in this case, I want to run RealPlayer with LOWER privileges than my own. Would the arguments about suid creating a security risk apply in this scheme? Do the same arguments apply to running RealPlayer using gksu?

Does anyone have any suggestions as to how I could more cleanly implement the idea of running a potentially "hostile" GTK application under its own low-privilege user id? What about he security risk of having a window from a "hostile" program running under another user id visible on my desktop?

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]