[solved] sudo root + su user in Wayland - No display

[musv]

Hi there,

I'm running a configuration with a LAN interface (eth) and a wifi interface (wifi). Via network namespaces I use 2 networks on my computer for different user:

• user A → eth0
• user B → wlan0

In X this worked without any problems. I used a keyboard shortcut to switch from user A to user B:

Code: Select all

sudo /usr/sbin/ip netns exec nswifi su - userb -c urxvt

Now I got a new computer and switched to KDE with Wayland. If I do this on Wayland:

Code: Select all

sudo /usr/sbin/ip netns exec nswifi su - userb -c urxvt
urxvt: can't open display :0, aborting.

To avoid this problem and additionally get Pipewire running, I tried ego (Gentoo-Forums).

That works, if I switch from userA→userB, but doesn't work for userA → sudo → userB.

How can I use graphical applications, e.g. Firefox/Chromium with userB?




----------- Explain Netnamespaces --------------

Code: Select all

ip netns add nswifi
ip netns exec nswifi ip addr add 127.0.0.1/8 dev lo
ip netns exec nswifi ip link set lo up
iw phy phy0 set netns name nswifi
ip netns exec nswifi ip link set wifi0 up
ip netns exec nswifi systemctl start wpa_supplicant
ip netns exec nswifi dhcpcd -C resolv.conf wifi0
ip netns exec nswifi su - userb -c urxvt

With that code I remove wifi0 from the default netnamespace, put wifi0 into nswifi netnamespace. And with the last command userB doesn't see anymore eth0 but can now use the network established for wifi0. Both networks don't see each other.

[musv]

Found this script:

https://github.com/vole-dev/grabbag/blo ... yland.bash

The discussion about this topic:
https://lemmy.world/post/10660985

It works. With some KI help I modified the script zu use a shared waypipe to no to create for every application a single waypipe:

Code: Select all

#!/usr/bin/env bash

set -e -o pipefail

ARG_NETNS=$1
ARG_USER=$2
export ARG_COMMAND=${@:3}

display_number=$(echo $DISPLAY | awk 'match($0,/^:([0-9]+)$/, a) { print a[1] }' | grep .)
display="/tmp/.X11-unix/X$display_number"


############
if [[ "$XDG_SESSION_TYPE" == "X11" ]]; then
    xhost +si:sm
    exec sudo /usr/bin/ip netns exec rtl su - sm -c "export DISPLAY=$display; /usr/bin/konsole"
    exit
fi

############

# path for permanent socket
BASE_DIR="/tmp/waypipe-persistent-$ARG_NETNS-$ARG_USER"
WAYPIPE="$BASE_DIR/waypipe"

cleanup_orphans() {
    # If process has been end but directory still exists
    if [ -d "$BASE_DIR" ] && [ -S "$WAYPIPE" ]; then
        if ! pgrep -f "waypipe -s $WAYPIPE client" > /dev/null; then
            echo "clean orphaned Socket..."
            rm -rf "$BASE_DIR"
        fi
    fi
}

cleanup_orphans

# create waypipe for the context 
if [ ! -S "$WAYPIPE" ]; then
    echo "Start new waypipe instance for user  $ARG_USER in $ARG_NETNS..."
    mkdir -p "$BASE_DIR"
    chmod 774 "$BASE_DIR"
    waypipe -s "$WAYPIPE" client &
    WAYPIPE_PID=$!

    # wait until socket is ready
    until [ -S "$WAYPIPE" ]; do
        if ! kill -0 "$WAYPIPE_PID" 2>/dev/null; then
            echo >&2 "waypipe closed before making socket"; exit 1; [cite: 5, 6]
        fi
        sleep 0.01
    done

    chgrp shared-display "$BASE_DIR" "$WAYPIPE" "$display"
    chmod g+w "$WAYPIPE" "$display"
else
    echo "Use existing waypipe $WAYPIPE"
fi

export WAYPIPE
export WAYPIPE_DIR="$BASE_DIR"

sudo -E ip netns exec "$ARG_NETNS" su - "$ARG_USER" --whitelist-environment=ARG_COMMAND,DISPLAY,WAYPIPE_DIR,WAYPIPE -c "$(cat <<'EOF_USER'
set -e -o pipefail
XDG_RUNTIME_DIR="$WAYPIPE_DIR-xdg"
export XDG_RUNTIME_DIR
# create XDG_RUNTIME_DIR only if not yet exists
if [ ! -d "$XDG_RUNTIME_DIR" ]; then
    mkdir -m 0700 "$XDG_RUNTIME_DIR"
fi
# Start application via existing Server Socket
waypipe -s "$WAYPIPE" server -- env $ARG_COMMAND
EOF_USER
)"

To use the script:

Code: Select all

usera ALL=(root) NOPASSWD: SETENV:/usr/bin/ip

Code: Select all

run-netns-user-wayland-shared destns userb gui_application

[musv]

Some additional hint:

To start Vivaldi browser in this environment, it has to be forced to start as a Wayland instance:

Code: Select all

vivaldi --ozone-platform=wayland