Markus Robert Kessler
2024-01-01 18:50:07 UTC
Hi all,
I can 'su - newuser' to invoke every other GUI based application like
xclock or even firefox running under a different UID.
Except chromium browser. There I get the following:
[14 ***@ubuntu-bc-esp1 ~]$ su - test1
Password:
[7 ***@ubuntu-bc-esp1 ~]$ chromium-browser
/user.slice/user-1000.slice/session-3.scope is not a snap cgroup
So, this is obviously caused by some kind of "snap" mechanism, which
chromium is built upon.
And, yes, I know that a compromised desktop will not prevent a 'su -
newuser'-ed session within the same desktop from being monitored or
hacked.
But, I try to keep my different accounts apart from each other to avoid
interference and other side effects like overwriting.
Should one try to get a non-snap-version, or
can this issue be solved somehow?
Thanks!
Best regards,
Markus
I have suspected pam authentication already, and in the meantime I
compared Mageia and Raspbian more deeply regarding the entries in
/etc/pam.d.
I found out that adding this line
session optional pam_xauth.so
to the front of /etc/pam.d/su
solves this issue. I've also tested this on Ubuntu successfully.
Fine.