Discussion:
X11-app after su - ... Next issue, caused by snap
Markus Robert Kessler
2024-01-01 18:50:07 UTC
Hi all,
I have suspected pam authentication already, and in the meantime I
compared Mageia and Raspbian more deeply regarding the entries in
/etc/pam.d.
I found out that adding this line
session optional pam_xauth.so
to the front of /etc/pam.d/su
solves this issue. I've also tested this on Ubuntu successfully.
Fine.

I can 'su - newuser' to invoke every other GUI based application like
xclock or even firefox running under a different UID.

Except chromium browser. There I get the following:

[14 ***@ubuntu-bc-esp1 ~]$ su - test1
Password:

[7 ***@ubuntu-bc-esp1 ~]$ chromium-browser
/user.slice/user-1000.slice/session-3.scope is not a snap cgroup

So, this is obviously caused by some kind of "snap" mechanism, which
chromium is built upon.

And, yes, I know that a compromised desktop will not prevent a 'su -
newuser'-ed session within the same desktop from being monitored or
hacked.

But, I try to keep my different accounts apart from each other to avoid
interference and other side effects like overwriting.

Should one try to get a non-snap-version, or
can this issue be solved somehow?

Thanks!

Best regards,

Markus
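
A check for the PAM change described in the post above, added here as an example and not part of the original thread. The function name `xauth_session_position` and the sample file are constructed; it reports whether a `pam_xauth.so` session rule is present in a service file and how many session rules written directly in that file come before it.

```shell
#!/bin/sh
# Report where pam_xauth.so sits in the session stack of a PAM service file.
# Prints "missing", "first", or "after:N" (N = session rules that precede it).
# Only rules written directly in the file are counted; @include lines and
# include/substack targets are not followed.
xauth_session_position() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)              # "-session": module may be absent
            if (type != "session") next
            # The module follows the control value, which is one word
            # or a bracketed [key=value ...] list spanning several fields.
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            n = split($(i + 1), parts, "/")  # accept absolute module paths
            if (parts[n] == "pam_xauth.so") { found = 1; exit }
            before++
        }
        END {
            if (!found) print "missing"
            else if (before == 0) print "first"
            else print "after:" before
        }
    ' "$1"
}

# Constructed sample, not a real distribution file: the line from the post
# placed at the front of a su service file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
session  optional    pam_xauth.so
auth     sufficient  pam_rootok.so
session  required    pam_env.so readenv=1
@include common-session
EOF
xauth_session_position "$sample"
rm -f "$sample"
```

On a real system the argument would be `/etc/pam.d/su`.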
Markus Robert Kessler
2024-01-15 19:19:36 UTC
It seems that what I've described is a common problem coming along with
every "snap"-ed application. No real solution in sight, at least no
approach regarding the root cause.

But there is a workaround: Besides the snapd-related "chromium browser" there
is also a non-snap version "chromium" (not to be confused with "chrome" which
is closed source, coming from Google).

I removed the first one and installed the non-snap one.
Now, everything works as needed.

Markus
--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm
red floyd
2024-01-16 02:51:03 UTC
Post by Markus Robert Kessler
It seems that what I've described is a common problem coming along with
every "snap"-ed application. No real solution in sight, at least no
approach regarding the root cause.
But there is a workaround: Besides the snapd-related "chromium browser" there
is also a non-snap version "chromium" (not to be confused with "chrome" which
is closed source, coming from Google).
I removed the first one and installed the non-snap one.
Now, everything works as needed.
Markus
Chromium is the base open-source browser. Chrome is Google's
proprietary version.
