This post shows you how to run Pidgin in a separate user account. You can apply this to other programs as well. I’ll add a bit later on setfacl and on sharing files between user accounts.
Why Are We Doing This?
There are three main benefits to running programs in a separate user account.
1) The Linux ACL system is user/group based, therefore one user account is largely limited in its interaction with another.
2) The X11 system allows keystrokes to be passed between all applications in a user group. X11 access can be restricted to specific users, so a program that doesn’t need X11 access (i.e. some service) can be run in a separate user account to prevent keylogging through X11. Pidgin uses X11 and needs access, so it unfortunately will not benefit from this.
3) iptables rules can be applied per user or group. While an outbound firewall may be virtually useless for a typical system, separating each application into its own group essentially creates an application firewall that allows only specific groups to use specific ports. This is far better than the typical outbound firewall setup, which allows all applications to use any outbound port.
If I use ‘<username>’ I’m talking about your default username. If I use ‘<username.program>’ I’m talking about, in this case, username.pidgin.
If you run Pidgin as another user and someone sends you a link and you click it, the browser will open under that user. There is likely a way around this using setfacl, but I haven’t gotten to that yet.
If someone sends you a file, it will be in the other user account’s folder.
There is a distinct hit to your basic user convenience for the benefit of a potentially more secure system. If you are not looking for a hit in convenience, I suggest you set up a comprehensive AppArmor profile instead.
It’s quite easy to undo everything in this guide. You simply remove the user and use your old shortcut.
Let’s Get Started
The first thing we do is actually create the user. This is simple.
sudo adduser --force-badname <username.pidgin>
It doesn’t have to be username.pidgin; it can be just pidgin or it can be ‘koala’. I really don’t care what you name it and neither does Linux. It’s purely organizational.
We need to give Pidgin X11 access; it’s a graphical program after all.
sudo xhost +SI:localuser:<username.pidgin>
If you ever want to remove that access, simply change the + to a -.
This only gives access until a reboot. Anyone know how to make it permanent? Other than rc.local.
Now we create a shortcut to this new Pidgin. Open gedit and enter the following:
Exec=gksu -u <username.pidgin> pidgin
Save it as pidgin.desktop. Make this file executable and put it somewhere safe. Add it to your launcher.
Now if you click that, you’ll be prompted with a safe gksudo prompt for your password. If you don’t like this, there’s a simple way around it.
Add this line to the sudoers file (edit it with visudo):
<username> ALL = (<username.pidgin>) NOPASSWD: /usr/bin/pidgin
Now when you launch it there should be no password.
You can now create iptables rules for this user:
iptables -A OUTPUT -m owner --uid-owner <username.pidgin> -j REJECT
And you should recreate your AppArmor profile for Pidgin as well. I highly recommend you still make use of AppArmor.
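The application firewall described in benefit 3, built on the --uid-owner rule above, as an added example that is not from the original post: the function prints an allowlist rule set for review instead of applying it. The chain name OUT_APP, the user me.pidgin and the ports (5222 for XMPP, 53 for DNS) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): print iptables rules that turn
# the blanket REJECT for the Pidgin account into a per-user port allowlist.
# The chain name and the sample user/ports below are assumptions.

# usage: owner_allowlist_rules USER PROTO/PORT [PROTO/PORT ...]
owner_allowlist_rules() {
    user=$1
    shift
    chain="OUT_APP"   # hypothetical chain name

    # Accept only a plain account name, so the value can never be read
    # as an extra iptables option or as shell syntax.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }

    # Validate every spec before printing anything: a half-printed rule set
    # piped into a shell would be missing its final REJECT.
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        case $proto in tcp|udp) ;; *) echo "bad protocol: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad port: $spec" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $spec" >&2; return 1; }
    done

    echo "iptables -N $chain"
    # Only packets from sockets owned by this account enter the chain.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j $chain"
    # Loopback stays open (local resolvers such as 127.0.0.53 live there).
    echo "iptables -A $chain -o lo -j ACCEPT"
    for spec in "$@"; do
        echo "iptables -A $chain -p ${spec%%/*} --dport ${spec#*/} -j ACCEPT"
    done
    # Everything else from this account is refused.
    echo "iptables -A $chain -j REJECT"
}

# Constructed sample: XMPP client port plus DNS for a user named "me.pidgin".
owner_allowlist_rules me.pidgin tcp/5222 udp/53
```

Review the printed rules, then pipe them to sudo sh to apply them. These are IPv4 rules; IPv6 traffic needs the same set loaded with ip6tables.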
Allowing For Mutual File Access
I’ll write about setfacl here. I’ll get to it another time. Hopefully this will allow me to (safely) execute Google Chrome in a separate UID.
Removing User Account
To remove the user account, just use sudo deluser <username.pidgin>
Most of this comes from https://grepular.com/Protecting_Your_GNU_Linux_System_from_Dropbox, a great guide for doing this to Dropbox.