App runs slower and looks odd when using 'runuser' command
-
I have a GUI app which is supposed to be run by an unprivileged user from a "secure" folder.
To run the app as the unprivileged user, I run the following script# Set environemnt-directory(?), to use 'primary-user' data. export XDG_RUNTIME_DIR=/run/user/1000 cd /path/to/secure/directory ./appI also use a "bootstraper" script which runs the above script when using the computer as the unprivileged user.
sudo runuser *privileged*-user -c '/path/to/RunAppScript.sh'This mostly works, other than the fact that the app runs significantly slower, and that fonts and icons look strange. It's similar to what would happen if I ran it through
sudo(Only that withsudoI don't get performance issues). If I run the app directly as the unprivileged user (Something that I can't do in production), it works fine.What I tried so far:
Setting a global app style by runningqApp->setStyle(), as suggested here.Setting up .icons, .themes. and .fonts folders in home directories of both my users.
I made sure that I'm running the binary in "Release" mode.
So far nothing. Any help is very appreciated.
-
@Paul-Colby
So I've got those images. Hopefully they convey what I mean when I say when it looks odd.Couple of things though, I tried changing the font.
When I run the program withrunuser(or any of its derivatives), I noticed that the fonts are somewhat similar but different in a way I don't understand.This how one of the programs is expected to look under normal circumstances, i.e. when the "privileged-user" runs it (Assuming that the privileged-user is currently the one who is logged in to the computer).
This is how the program actually looks like when we run it as root, or using
runuser,sudo -u, etc..
It's as if when running it not as the user currently logged-in, QT doesn't respect the style applied for fonts and Icons.
Also, about that command you suggested, it still has the same problems.
But I'll probably use it, because it is simpler.@Josef-Lintz
Just chipping in, may be helpful, maybe not!I'm a little surprised that anything works running a UI program as a user other that one who actually logged into the X desktop, but apparently it does. But not surprisingly is picking up something different from somewhere.
I have not heard of/used
runuser. @Paul-Colby has recommendedsudo -u ..., but you say that is still not right. I would have triedsudo -E -u ..., does that make any difference? -
Hi,
Would setting the suid bit work ?
-
(Sorry for the late reply, I was off work)
That's actually the very first thing I tried a while ago, before even going the route of using scripts.The bootstraper was at first a simple C++ program which ran as root and used
setreuidto change to the appropriate user (Here, for example).But unfortunately it had the exact same problems as I've described here.
-
Strange...
Can you explain your use case ?
Is it something started as the root user ?
Is it something that is started automatically at startup ? -
Strange...
Can you explain your use case ?
Is it something started as the root user ?
Is it something that is started automatically at startup ?@SGaist
I'm working on a computer system which has two loginsOne login is the "administrator", i.e. "primary user".
The 2nd login is reserved for customer use.All (relevant) binaries are located inside the administrator's
~/binaries/[program_name]directory/ies (Don't ask me why, I'm not the one who built it like that) because we don't want the customer to access the company/program configuration files.The customer doesn't have permissions to read/write anything inside the administrator's home directory.
Is it something started as the root user ?
To run the program which initializes the system as the customer, I either have to run the program using sudo by allowing the customer to (only) run the program as root without password (Which we do now, and that's a problem).
Or (As the customer) use a "bootstrapper" script/program as I've described above, to run the program as the system-admin (primary user).Is it something that is started automatically at startup ?
It might have to run at startup, but if the underlying issue is taken care of, then I can add the program to startup-programs.
Also, one more note which I forgot to mention.
We're using a somewhat older version of Ubuntu,16.04. -
Hum...
I don't know if it would be something doable but would a dbus service help in this case ?
Your client application would only have to request the service to do what is reserved to the administrator user and it could be run as any other user without requiring any access to the "private area" of the administrator account nor the use of sudo.
-
I'm curious about the "looks odd" bit... if you could show use screenshots of both, that might give some clues? I appreciate that the app in question is probably sensitive, so even just one of the basic Qt sample apps might help.
Also, since you are already using
sudo, is it any better if you skip the intermediaterunusercommand, like:sudo -u *privileged*-user '/path/to/RunAppScript.sh'Paul.
-
Hum...
I don't know if it would be something doable but would a dbus service help in this case ?
Your client application would only have to request the service to do what is reserved to the administrator user and it could be run as any other user without requiring any access to the "private area" of the administrator account nor the use of sudo.
@SGaist
I'll have to look into it. I've never heard of that term -
I'm curious about the "looks odd" bit... if you could show use screenshots of both, that might give some clues? I appreciate that the app in question is probably sensitive, so even just one of the basic Qt sample apps might help.
Also, since you are already using
sudo, is it any better if you skip the intermediaterunusercommand, like:sudo -u *privileged*-user '/path/to/RunAppScript.sh'Paul.
@Paul-Colby
I'll see what I can do about that image, it'll have to wait for tomorrow, unfortunately.I'll try that command, when I'm at work again
-
I'm curious about the "looks odd" bit... if you could show use screenshots of both, that might give some clues? I appreciate that the app in question is probably sensitive, so even just one of the basic Qt sample apps might help.
Also, since you are already using
sudo, is it any better if you skip the intermediaterunusercommand, like:sudo -u *privileged*-user '/path/to/RunAppScript.sh'Paul.
@Paul-Colby
So I've got those images. Hopefully they convey what I mean when I say when it looks odd.Couple of things though, I tried changing the font.
When I run the program withrunuser(or any of its derivatives), I noticed that the fonts are somewhat similar but different in a way I don't understand.This how one of the programs is expected to look under normal circumstances, i.e. when the "privileged-user" runs it (Assuming that the privileged-user is currently the one who is logged in to the computer).
This is how the program actually looks like when we run it as root, or using
runuser,sudo -u, etc..
It's as if when running it not as the user currently logged-in, QT doesn't respect the style applied for fonts and Icons.
Also, about that command you suggested, it still has the same problems.
But I'll probably use it, because it is simpler. -
@Paul-Colby
So I've got those images. Hopefully they convey what I mean when I say when it looks odd.Couple of things though, I tried changing the font.
When I run the program withrunuser(or any of its derivatives), I noticed that the fonts are somewhat similar but different in a way I don't understand.This how one of the programs is expected to look under normal circumstances, i.e. when the "privileged-user" runs it (Assuming that the privileged-user is currently the one who is logged in to the computer).
This is how the program actually looks like when we run it as root, or using
runuser,sudo -u, etc..
It's as if when running it not as the user currently logged-in, QT doesn't respect the style applied for fonts and Icons.
Also, about that command you suggested, it still has the same problems.
But I'll probably use it, because it is simpler.@Josef-Lintz
Just chipping in, may be helpful, maybe not!I'm a little surprised that anything works running a UI program as a user other that one who actually logged into the X desktop, but apparently it does. But not surprisingly is picking up something different from somewhere.
I have not heard of/used
runuser. @Paul-Colby has recommendedsudo -u ..., but you say that is still not right. I would have triedsudo -E -u ..., does that make any difference? -
@Josef-Lintz
Just chipping in, may be helpful, maybe not!I'm a little surprised that anything works running a UI program as a user other that one who actually logged into the X desktop, but apparently it does. But not surprisingly is picking up something different from somewhere.
I have not heard of/used
runuser. @Paul-Colby has recommendedsudo -u ..., but you say that is still not right. I would have triedsudo -E -u ..., does that make any difference?@JonB
It seems that when settingexport XDG_RUNTIME_DIR=/run/user/1000In the script, adding the unprivileged-user to the xhost doesn't make much difference, other than that, in general, I make sure that the user unprivileged-user is included in xhost "whitelist".
⠀However,
sudo -E -u ..., worked perfectly, it seems like-Ewas the key.
I was sure thatexport XDG_RUNTIME_DIR=/run/user/1000also sets the environment, but I was wrong.
I cannot thank you enough, this has been a problem for months now.For future readers, the complete steps to allow an unprivileged-user to execute a program from folder which he doesn't have permissions to read/execute are as follows:
First, add the unprivileged-user to the
sudoersfile by runningsudo visudo, Then add the following lines:# This allows 'unprivileged-user' to *only* run 'app' as 'privileged-user' without having to type-in a password. unprivileged-user computer=(privileged-user) NOPASSWD:SETENV: /bin/bash -c cd path/to/secure/folder; ./appThen, create a simple script which has the following command
sudo -E -u privileged-user bash -c 'cd path/to/secure/folder; ./app(Of course, modify as needed)
-
@JonB
It seems that when settingexport XDG_RUNTIME_DIR=/run/user/1000In the script, adding the unprivileged-user to the xhost doesn't make much difference, other than that, in general, I make sure that the user unprivileged-user is included in xhost "whitelist".
⠀However,
sudo -E -u ..., worked perfectly, it seems like-Ewas the key.
I was sure thatexport XDG_RUNTIME_DIR=/run/user/1000also sets the environment, but I was wrong.
I cannot thank you enough, this has been a problem for months now.For future readers, the complete steps to allow an unprivileged-user to execute a program from folder which he doesn't have permissions to read/execute are as follows:
First, add the unprivileged-user to the
sudoersfile by runningsudo visudo, Then add the following lines:# This allows 'unprivileged-user' to *only* run 'app' as 'privileged-user' without having to type-in a password. unprivileged-user computer=(privileged-user) NOPASSWD:SETENV: /bin/bash -c cd path/to/secure/folder; ./appThen, create a simple script which has the following command
sudo -E -u privileged-user bash -c 'cd path/to/secure/folder; ./app(Of course, modify as needed)
@Josef-Lintz said in App runs slower and looks odd when using 'runuser' command:
However, sudo -E -u ..., worked perfectly, it seems like it -E was the key.
That is what I would have used.
-Etellssudoto inherit the environment of the caller; without it a new environment for thesudouser is created. That will not be the same as the environment which is set up if that user actually logged into X desktop, like the original user did. Now, there are doubtless items in the environment of the caller related to being logged onto the X desktop which are needed in the context of thesudoshell/command, hence probably required to make a UI program work. If you really want to look at all the differences, do anenv | sortfrom each ofsudowith and without the-Eand compare. -
@Josef-Lintz said in App runs slower and looks odd when using 'runuser' command:
However, sudo -E -u ..., worked perfectly, it seems like it -E was the key.
That is what I would have used.
-Etellssudoto inherit the environment of the caller; without it a new environment for thesudouser is created. That will not be the same as the environment which is set up if that user actually logged into X desktop, like the original user did. Now, there are doubtless items in the environment of the caller related to being logged onto the X desktop which are needed in the context of thesudoshell/command, hence probably required to make a UI program work. If you really want to look at all the differences, do anenv | sortfrom each ofsudowith and without the-Eand compare.@JonB
I see, so when I runsudo -E -u privileged-user bash -c 'cd path/to/secure/folder; ./appas the unprivileged-user, the environment is set to that of the user who executed the command?
But the program is run as the 'privileged-user '? Have I understood correctly?Also, while experimenting I observed something odd.
This problem only affects QT, we have a GUI app which uses wxWidgets/GTK and it doesn't to be bothered by which environment its using.What exactly in QT is so "sensitive" to the "changes" in environment?
-
@JonB
I see, so when I runsudo -E -u privileged-user bash -c 'cd path/to/secure/folder; ./appas the unprivileged-user, the environment is set to that of the user who executed the command?
But the program is run as the 'privileged-user '? Have I understood correctly?Also, while experimenting I observed something odd.
This problem only affects QT, we have a GUI app which uses wxWidgets/GTK and it doesn't to be bothered by which environment its using.What exactly in QT is so "sensitive" to the "changes" in environment?
@Josef-Lintz said in App runs slower and looks odd when using 'runuser' command:
Have I understood correctly?
Yes. Without
-Eit creates a brand new environment for the root user not based on the user who is logged into the X windows. With-Eit carries the current user's environment over to the root shell.The problem is likely that something in the original logged on environment is required to work correctly with desktop/X but is wrong or not appearing without
-E. Like I said, if you want to try to understand do anenv | sortonce fromsudo -s ...and once fromsudo -E -s .... Whatever environment variables are different are potential culprits.Since this is environment variables there could be differences about what does/does not matter between "wxWidgets/GTK" versus Qt, so stuff works OK for one but not the other.
-
J Josef Lintz referenced this topic on
