4

Q: How do I grant permissions to /dev/video* and /dev/snd/* to a second user, user2 when logged in interactively as user1?

I have written a wrapper for sudo that clones the XAuthority settings, and allows me to run desktop commands as a different user. The working part of it is simply running sudo with the supplied parameters:

sudo -u user2 $somecommand

However, user2 cannot use the sound or video devices, since udev has only granted them to the logged in user user1. It is possible to grant these permissions after the fact with one of these commands:

sudo setfacl -m group:user2:rwx /dev/video0 /dev/snd/* sudo setfacl -m user:user2:rwx /dev/video0 /dev/snd/*

This code has to be run every session, but I would like these permissions to be granted to both user1 and user2 when user1 starts new display manager session.

The application for this is to run somewhat untrusted programs such as browser, chat client, mail agent, and voip and webcam clients as separate users, while still allowing those programs to access the desktop and the video and sound devices. I continually end up running skype chat without sound and video capabilities :(

Improve this question
1
  • This should be handled via policykit. What distribution are you using? Are you logging in via a display manager? Commented Mar 17, 2014 at 20:47

2 Answers 2

Reset to default
0

The solution to this problem should be sudo, too.

You put these commands in a file which only root can modify or replace and allow both users to execute it as root without password.In the startup scripts you make this sudo call then.

Improve this answer
1
  • This solution seems more like the right thing™ to do, since setting up sudo to allow one user to become another will require root access anyhow. It also allows the scheme to rely on one security tool instead of two... Commented Mar 26, 2014 at 13:00
0

Why don't you simply add both user1 and user2 to the "video" and "audio" groups?

This of course assumes that your linux is set up so that "is member of group video" implies "can access video devices". If the group and group permissions of /dev/video* and /dev/audio* fit, that should work...

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.