Marko Randjelovic wrote:
> > > gksudo -u user2 /usr/bin/links2 -g # does not work
> >
> > Needs a terminal. How can it work without one? It can't. Right at
> > this point is where things went wrong for you. links2 reads stdin and
> > writes stdout and expects TERM to tell it what type of terminal escape
> > sequences to use. But you have asked gksudo to launch it into the
> > background. That can't work. You will end up with both your shell
> > and the links2 program reading from your keyboard at the same time.
>
> Contrary to sudo behavior, gksudo understood the -g option as its own option
> and not, as I expected, as an option for links2 to enable graphics mode.

links2 has a -g option? I did not know that. I just assumed that the
-g was for gksudo -g,--disable-grab which disabled locking of the
keyboard, mouse, and focus by the program asking for the password.
Which is why in my example I moved it earlier in the command.

But with your comment I am looking at links2 and now see that links2
does have a -g option to run in graphics mode. Sorry I didn't realize
that previously. I thought links2 was like lynx, elinks, and w3m.
Meaning a pure text mode browser.

> This works:
>
> gksudo -u user2 "/usr/bin/links2 -g"

Yay! With my misunderstanding of the intent cleared up the following
works too:

  gksudo -u user2 -- links2 -g

The "--" causes programs to stop parsing options. Therefore gksudo
won't parse the -g as an option. It will stop at the "--" and then
the following will be the command verbatim.

Mostly I am chafing at having the full path "/usr/bin/links2" in there
hard coded. Hard coded paths like that are almost always bad. Try it
without. Even with the quoted form I think that is better.

  gksudo -u user2 "links2 -g"

> > The above all suffer from the problem of running the text browser as
> > root. Why are you trying to do this? I don't understand any benefit
> > from doing so. And I see some problems with doing so. Please say a
> > few words about what led you to doing it that way. Since it is a web
> > browser it doesn't benefit you by running it as root.
>
> I am not running it as root, user2 != root.

Darn on me. I was pretty sure I had a reason for the original problem
and wanted to get a reply out and didn't spend the time to really read
the rest of the message in detail. My bad. You had said user2 which
obviously isn't root and it was my mistake that I didn't grok that
plain-to-see point. Sorry.

> There are many advantages of running every task with a separate user
> account. In general, you have better control, because you can
> differentiate various tasks based on running user.

Sure. My comment had been purely about running commands as root. But
you were not running as root. My mistake. Sorry.

> For example, you can tell iptables to allow port 80 from
> web browser and not from other apps:
>
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -p tcp --dport 80 -m owner --uid-owner web -j ACCEPT

Sure. I don't prefer that type of restriction. For me it isn't
practical. For example I have an endless number of things that I want
to access the web. I would be playing whack-a-mole with all of them for
a long time. Such as apt's sources.list file. Such as updating
spamassassin rules. Such as many things. But if that works for you
then that is great. I am not trying to talk you out of it.

> Another example, if an attacker gets your web user account, he won't be
> able to read your emails.

If an attacker gets your web mail user account then they will probably
access that web account from a different system.

> So you will force him to get root privileges :) .

?? (He certainly doesn't need root. He just needs to use a different
system.) I read that three times and don't get the joke. But that is
okay! I don't need to understand it! :-)

> In fact, your question sounds like you asked: "Why we have all those
> user accounts in /etc/passwd since only root and normal user are
> necessary" :)

Nope. Nothing of that sort at all. It was simply my misunderstanding
of the "-u user2" part which was plainly written and certainly isn't
root. Just too much in a hurry sometimes.

Bob
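The option-parsing difference discussed in this message, as an added example that is not part of the original post or of gksudo's code. It models the wrapper's command line with Python's standard getopt module and assumes gksudo parses GNU-style (options are picked up anywhere on the line), which matches the behaviour reported above; the option table and sample command lines are constructed for illustration.

```python
import getopt

# Hypothetical option table for the model: -u/--user takes a value,
# -g/--disable-grab is a flag belonging to the wrapper itself.
SHORT = "u:g"
LONG = ["user=", "disable-grab"]

# Constructed command lines, as the shell would hand them to the wrapper.
CASES = {
    "unquoted":    ["-u", "user2", "/usr/bin/links2", "-g"],
    "double dash": ["-u", "user2", "--", "links2", "-g"],
    "quoted":      ["-u", "user2", "links2 -g"],
}


def parse(argv, permute):
    """Return (user, wrapper_took_g, command_words) for one command line.

    permute=True  models GNU getopt_long: options are collected from anywhere
                  on the line unless "--" ends option parsing.
    permute=False models POSIX parsing: stop at the first non-option word,
                  which is the sudo-like behaviour the poster expected.
    """
    parser = getopt.gnu_getopt if permute else getopt.getopt
    opts, command = parser(argv, SHORT, LONG)
    user, took_g = None, False
    for name, value in opts:
        if name in ("-u", "--user"):
            user = value
        elif name in ("-g", "--disable-grab"):
            took_g = True
    return user, took_g, command


if __name__ == "__main__":
    for label, argv in CASES.items():
        for permute in (True, False):
            style = "GNU permuting" if permute else "POSIX stop-at-command"
            user, took_g, command = parse(argv, permute)
            print(f"{label:12} {style:22} user={user} "
                  f"wrapper_took_g={took_g} command={command}")
```

In the unquoted case the permuting parser takes -g for itself and the target program never sees it; with "--" or with the command quoted as one word, -g reaches the command under either parsing style.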