How to use gksu to safely run a non-open-source application?



I have a goal to have a pure open-source system on my home computer.

I'm using Debian Sarge, with Gnome as the desktop.

Problem is, some family members want to play streaming audio that is in a closed-source RealAudio format.

Nothing personal against Real Networks, but as a matter of principle, I do not want software that is not open source (i.e. the RealPlayer codec) having access to my files or theirs. I don't know what the software is doing, and I feel that paranoia is a reasonable attitude.

My solution is to create a "non-secure" user called realplay, in a group called realplay. This user is treated as hostile, and is not given access to any files of any other user. RealPlayer is installed in realplay's home directory.

On my own desktop I have created a launcher that runs gksu to run RealPlayer as user realplay. I can even include the URL to the streaming audio location in the launcher. It works just fine, and RealPlayer can't access my files (unless I specifically put them in group realplay). (Or can it? Am I naive in thinking that even though the RealPlayer window is visible on my Gnome desktop, RealPlayer can't access information which is owned by my user id?)

Problem is, the user has to enter realplay's password every time gksu is run. This is a nuisance and also would compromise realplay's password if it had to be given to many users.

I have tried to run gksu from a script in which I send realplay's password from a file to sysin, but gksu doesn't like that - I get a message something like "Must be run from a terminal". If I could run gksu from a script like this I could eliminate entry of the password. I could also create a Mozilla "helper application" to play specific MIME types using RealPlayer running under its separate user id.

The obvious solution is to run the RealPlayer binary as user realplay using the suid permission - but GTK+ does not honour the suid bit because that is deemed to be a security risk. See http://www.gtk.org/setuid.html .

It seems that GTK+ does not support suid because suid is often used to execute programs with higher privileges than those of the user who runs them (e.g. suid root). But in this case, I want to run RealPlayer with LOWER privileges than my own. Would the arguments about suid creating a security risk apply in this scheme? Do the same arguments apply to running RealPlayer using gksu?

Does anyone have any suggestions as to how I could more cleanly implement the idea of running a potentially "hostile" GTK application under its own low-privilege user id? What about the security risk of having a window from a "hostile" program running under another user id visible on my desktop?
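As an added example (not part of the original post, and not gksu's or RealPlayer's own code): one way to get the password-free launch described above is to drop gksu and use sudo with a NOPASSWD rule, which needs no terminal and asks nothing of the launching user. The account name "realplay" and the binary path /home/realplay/RealPlayer/realplay follow the post; the group "realplay-launchers" for the family members allowed to start it and the wrapper path /usr/local/bin/run-realplayer are assumptions. The X authorisation cookie is handed over with `xauth nlist` / `xauth nmerge` on stdin, so nothing else from the launching user's environment reaches the hostile account.

```shell
#!/bin/sh
# Added example, not code from the original post.  Runs a GTK application as
# a separate low-privilege user without a password prompt, via sudo.
# Assumed names: hostile account "realplay", launching group
# "realplay-launchers", wrapper /usr/local/bin/run-realplayer.
#
#   sudoers_rule    prints the one line to add with visudo
#   wrapper_script  prints the root-owned wrapper that runs AS realplay
#   launch          what the desktop launcher calls, as the normal user

APP_USER=${APP_USER:-realplay}
LAUNCH_GROUP=${LAUNCH_GROUP:-realplay-launchers}
APP_BIN=${APP_BIN:-/home/realplay/RealPlayer/realplay}
WRAPPER=${WRAPPER:-/usr/local/bin/run-realplayer}

# Members of $LAUNCH_GROUP may run exactly $WRAPPER as $APP_USER, no password.
# Only the root-owned wrapper is listed, never the binary inside realplay's
# home: sudoers trusts a path, and realplay can replace files it owns.
sudoers_rule() {
  printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$LAUNCH_GROUP" "$APP_USER" "$WRAPPER"
}

# The wrapper runs as $APP_USER.  $1 is the DISPLAY to connect to; the X
# cookie for that display arrives on stdin as "xauth nlist" output.  sudo
# normally resets the environment (env_reset), but the wrapper sets HOME and
# clears XAUTHORITY itself so it does not depend on the sudo version.
wrapper_script() {
  cat <<EOF
#!/bin/sh
set -e
display=\$1; shift
[ -n "\$display" ] || { echo "usage: \$0 DISPLAY [args...]" >&2; exit 64; }
HOME=/home/$APP_USER; export HOME
unset XAUTHORITY
cd "\$HOME"
xauth nmerge -                      # import the caller's cookie from stdin
DISPLAY=\$display; export DISPLAY
exec $APP_BIN "\$@" </dev/null
EOF
}

# Called from the Gnome launcher (or a Mozilla helper application) as the
# normal user.  Extra arguments, e.g. the stream URL, are passed through.
launch() {
  [ -n "$DISPLAY" ] || { echo "launch: DISPLAY is not set" >&2; return 1; }
  xauth nlist "$DISPLAY" | sudo -u "$APP_USER" "$WRAPPER" "$DISPLAY" "$@"
}

# One-time setup (as root):
#   ./this.sh --wrapper > /usr/local/bin/run-realplayer
#   chown root:root /usr/local/bin/run-realplayer; chmod 755 /usr/local/bin/run-realplayer
#   ./this.sh --sudoers    (paste the line into visudo)
# Launcher command:  ./this.sh --launch rtsp://example.invalid/stream
case "${1-}" in
  --sudoers) sudoers_rule ;;
  --wrapper) wrapper_script ;;
  --launch)  shift; launch "$@" ;;
esac
```

Two caveats belong with this. First, the file-level isolation it gives is only as good as the sudoers line: if the allowed path is anything realplay can write to, realplay can run arbitrary commands through it, which is why the wrapper lives outside realplay's home and is owned by root. Second, and this answers the question about the visible window: X11 does no isolation between clients of one display. Once realplay holds a cookie for the display, its process can read keystrokes typed into other windows and copy the screen contents of other clients over that same connection, regardless of file permissions. If that matters, run the hostile client on its own display, for instance a nested X server such as Xnest started as realplay, rather than on the main desktop.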