2

How (on earth) do I run Chromium as the nobody user?

Selected failures (in Openbox):

su nobody chromium 

This account is currently not available

sudo -u nobody chromium 

[0316/203558.490760:FATAL:chrome_main_delegate.cc(442)] Check failed: process_type.empty(). Unable to get the user data directory for process type: zygote ...

sudo -u nobody chromium --user-data-dir=/root 

No protocol specified

[595:595:0316/203827.174040:ERROR:browser_main_loop.cc(279)] Gtk: cannot open display: :0

sudo -u nobody chromium --user-data-dir=/home 

No protocol specified

[615:615:0316/203909.792019:ERROR:browser_main_loop.cc(279)] Gtk: cannot open display: :0

My specs:

Linux arch 4.10.1-1-ARCH #1 SMP PREEMPT Sun Feb 26 21:08:53 UTC 2017 x86_64 GNU/Linux Chromium 57.0.2987.98

cat /etc/passwd: ... nobody:x:99:99:nobody:/:/usr/bin/nologin ... 

I prefer nobody because running Chromium as root is strongly discouraged and it seems too stupid to create a user just for running Chromium.

UPDATE:

xhost local:root; su -pc 'env -i DISPLAY="${DISPLAY}" chromium' nobody 

run by root in an X session works (if you want to make local connections to X server as root, local:root is much safer than +). Still, there were two errors:

Home directory not accessible: Permission denied

[629:629:0323/170000.968320:ERROR:child_thread_impl.cc(762)] Request for unknown Channel-associated interface: ui::mojom::GpuMain

Get rid of the first one w/

mkdir /home/nobody; chown -R nobody:nobody /home/nobody; su -pc 'env -i DISPLAY="${DISPLAY}" HOME=/home/nobody chromium' nobody 

1 Answer

2

As the user whose current X session is up:

$ xhost +
$ su - -c "DISPLAY=\"${DISPLAY}\" /bin/sh"

The first step, xhost +, allows any user to connect to the current X session [1]. The second step is unnecessary if you were already root [2]. Next, you will change to nobody and run chromium:

# su -p -c "env -i DISPLAY=\"${DISPLAY}\" chromium" nobody 

The -p preserves the environment, allowing the locked user to "log in". Then env -i clears the environment, which is probably more secure but may or may not be what you want.


[1] I assume there is a way to grant access only to a specific other user, but I don't know what it is.
[2] Common practice is to create a non-root account for typical day-to-day activities, only switching to root for administrative tasks.

3
  • I see you skipped the "change to nobody" part. su nobody gives "This account is currently not available" (see the text); sudo -u nobody -s works but doesn't influence the result, which will be (w/ or w/out it, and after completing all your steps) "Chromium can not be run as root" Commented Mar 19, 2017 at 20:20
  • @jaam Well, almost. Merely a typo, not forgetting. See edit. This does work and has been tested — the -p is what allows the locked user to log in. You definitely don't want to use sudo -s. Commented Mar 19, 2017 at 20:23
  • @jaam Well, I should say "almost tested" — I don't have chromium installed, so I used xev. firefox (my preferred browser) doesn't work with the -i switch of env, and I also had to create some directories to get firefox to start. Chromium may have similar issues. I ended up creating /nobody with owner and group nobody, permissions 700 and also passed HOME=/nobody to env. Commented Mar 19, 2017 at 22:07
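The answer's first footnote leaves open how to grant X access to one specific user instead of everyone. The script below is an added example, not part of the original question, answer or comments: it uses xhost's server-interpreted `si:localuser:` entry for that, combines it with the `su -p` / `env -i` invocation and the private home directory discussed above, and revokes the grant afterwards. The names `RUN_USER`, `RUN_HOME`, `DRY_RUN` and the function names are assumptions made for this sketch, and it assumes it is run as root inside the X session.

```shell
#!/bin/sh
# Added example: run an X client as a locked account (shell = nologin)
# while opening the X server to that single local user only.
# RUN_USER, RUN_HOME and DRY_RUN are names invented for this sketch.

RUN_USER="${RUN_USER:-nobody}"
RUN_HOME="${RUN_HOME:-/home/nobody}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands, 0 = execute them

# xhost "server interpreted" entry that names exactly one local user
xhost_entry() { printf 'si:localuser:%s' "$1"; }

# Command string handed to su -c: empty environment except DISPLAY and HOME
client_cmd() { printf 'env -i DISPLAY="%s" HOME="%s" %s' "$1" "$2" "$3"; }

# Print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

run_as_locked_user() {
    prog="$1"
    entry=$(xhost_entry "$RUN_USER")
    status=0
    # Private home (mode 700) so the client has a writable profile location
    run install -d -m 700 -o "$RUN_USER" "$RUN_HOME"
    # Grant X access to this user only, unlike "xhost +"
    run xhost "+$entry"
    # -p lets root start a command for an account whose shell is nologin
    run su -p -c "$(client_cmd "${DISPLAY:-:0}" "$RUN_HOME" "$prog")" \
        "$RUN_USER" || status=$?
    # Revoke the grant once the client has exited, even if it failed
    run xhost "-$entry"
    return "$status"
}

# Do nothing when no program is given (for example when sourced)
[ "$#" -eq 0 ] || run_as_locked_user "$@"
```

Invoked with a program name, it prints the four commands it would run; setting `DRY_RUN=0` executes them.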
