  1. #1
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5

    [SOLVED] make audio work with sudo?


    I'm quite new to Linux, so please bear with me.
    For security reasons, I am using sudo to run my browser in non-root "sandbox" accounts.
    Question: How can I make audio work in this setup?

    More details:
    Audio works fine when opening the browser in my normal user account, or when logging on to the other accounts and opening the browser there. But it does not work using sudo to run the browser in those accounts, though in other respects browsing is fine.

    I'm running the most recent version of Mandriva-One with KDE-4 on a 32-bit machine. Sound is using alsa and pulseaudio.

    What I've done:
    1. Have made some changes in permissions which are probably irrelevant to my question, i.e. set permissions so that I can read and write the sandbox accounts, but such that they cannot read or write my home directory or /media.

    2. Relevant changes to sudoers file:
    Code:
    User_Alias  X_USERS = my-account-name
    
    Defaults:X_USERS env_reset
    Defaults:X_USERS env_keep += DISPLAY
    Defaults:X_USERS env_keep += XAUTHORITY
    3. The script to open browser as the sandbox user:
    Code:
    xhost +local:sandbox
    sudo -u sandbox -H firefox -no-remote
    As mentioned, this works fine, except for audio. I get similar results in trying to use Firefox or Opera this way, or even VLC to play a local file. Typically everything is fine until I try to play an audio file. The audio plays for a few seconds, then stops. Running in a console gives this result:

    Code:
    $ xhost +local:sandbox   
    $ sudo -u sandbox -H firefox -no-remote 
    ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection refused
    
    kmozillahelper(9683): couldn't create slave: "Unable to create io-slave:
    klauncher said: Unknown protocol ''.
    " 
    kmozillahelper(9683): couldn't create slave: "Unable to create io-slave:
    klauncher said: Unknown protocol ''.

    I have tried adding myself and the sandbox accounts to the audio group, which makes no difference.
    To see what would happen, I also tried using sudo to run Firefox as root. (I realize that in general this is not a good idea, though I used the NoScript AddIn to disable script for the session). In any case, that worked, suggesting that the problem may be with permissions rather than environment variables. But what permissions?

    I am grateful for any insights, because I would like to make this work.

  2. #2
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    I'm guessing that they set up pulse audio to run "the right way" meaning that it is initialized on a per user basis rather than as a system wide service

    So the problem is, the pulse audio sound server is set up and runs as the user that is logged in currently, then when you use sudo to run firefox as another user they can't access it

    I don't really know how to remedy it though

  3. #3
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Thank you, Coopstah, for your reply!
    My hope is this: since audio does work when using sudo to run Firefox as root, perhaps the problem could be solved by giving the sandbox users some specific permissions--then sudo might work to run Firefox as a sandbox user.
    But I have no idea what permissions, or whether this is even possible.

  5. #4
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    Try adding the sandbox user to the group of your logged in user

    This might negate what you are trying to accomplish though

  6. #5
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Good idea! That could give some useful information even though ultimately, as you say, it might defeat the purpose of this setup. The details are below, but the result was that I could play sound even though there were some error messages.

    I suppose I could add the sandbox user to my group, and then set permissions on my home directory such that only I have access, and not my group. That could be workable, though the ideal would be to set the exact permissions necessary for the sandbox account to send audio with no errors, and nothing more.
    And by the way: thank you VERY MUCH for your input!

    Here are the results of the experiment:
    I added the sandbox user to my group and rebooted too.
    Then running firefox this way in a console results in:

    Code:
    $ xhost +local:sandbox   
    $ sudo -u sandbox -H firefox -no-remote 
    ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection refused
    BUT the sound does continue to play. I hadn't mentioned before that typically, even when the sandbox user was not a member of my group, sound would have been playing at this point despite the error message. The subsequent error messages did NOT come up this time:

    Code:
    ##these messages did NOT appear this time, and sound continued to play.
    kmozillahelper(9683): couldn't create slave: "Unable to create io-slave:
    klauncher said: Unknown protocol ''.
    Also tried it with VLC. Similar results: I could hear audio despite several error messages, and a segfault when the player was closed:

    Code:
    $ sudo -u sandbox -H vlc
    <snipping some output>
    [0x882f8b8] pulse audio output error: Failed to connect to server: Connection refused
    ALSA lib pulse.c:229:(pulse_connect) PulseAudio: Unable to connect: Connection refused
    
    Cannot connect to server socket err = No such file or directory
    Cannot connect to server socket
    jack server is not running or cannot be started
    [0x882f8b8] jack audio output error: failed to connect to JACK server
    Segmentation fault

  7. #6
    Linux Guru coopstah13's Avatar
    Join Date
    Nov 2007
    Location
    NH, USA
    Posts
    3,149
    I would look into running pulse audio as a service, rather than having it run for logged in user, then it should work without these other workarounds

  8. #7
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Sounds like a promising solution.
    After reading your suggestion, I've started to look for information on running pulse audio as a service and think I need to look for Mandriva-specific information. May take me a few days, but will eventually post a report here.
    Again, many thanks for the help!!

  9. #8
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    It seems to be working! (and see the edit at the end too)

    Though I did not end up doing exactly what you said (the system-wide instance was not necessary), your comments definitely helped lead me to a solution.

    From the Pulse Audio site, I was encouraged that running the system-wide instance of Pulse Audio should work, though they did discourage it (you probably knew that, in view of your remark that Pulse should be run per-user).

    I had been thinking of migrating to Arch Linux, and decided to go ahead since it would be easier to figure out the configuration there than with Mandriva. Not only that, but the Arch Wiki, because of security concerns about Skype, suggested setting up Skype to run in a special account, very similar to what I wanted to do with my browser. They also mentioned the possibility of using AppArmor or Tomoyo to restrict what an application (Firefox, Skype, ...) can do. That would have been a reasonable alternative for me.

    Anyway, after installing Pulseaudio and related packages, putting my users in the several pulse groups, and setting up the sudoers file as before, it worked. The same thing in Mandriva did not work, probably because of a non-standard Pulse Audio installation. In Arch, it was necessary to fiddle with the Pulse Audio settings, and also to start Pulse Audio in both my account and the sandbox account. I believe the system-wide instance would have worked too, and felt it would have been reasonably easy to figure out how to do that with the plain-vanilla Arch installation.

    The ALSA site also has an interesting suggestion in their asound.conf documentation about using dmix to share sound between different consoles, but that did not work for me. I'm using a very simple /etc/asound.conf (see below), with no per-user .asoundrc files.

    Interesting aside: On Arch and several other distributions that I have tried, there was a weird problem with sound: playback was OK, but recording was slowed down. For some reason I don't understand, as soon as Pulse Audio was installed and ALSA was configured to use Pulse, that problem went away.

    So again, thanks for your help! As a new user, it's reassuring to know that expert people are willing to share their knowledge.

    Code:
    #/etc/asound.conf
    # Use PulseAudio by default
    pcm.!default {
      type pulse
    }
    
    ctl.!default {
      type pulse
    }
    
    # Explicit PulseAudio device
    pcm.pulse {
      type pulse
    }
    
    ctl.pulse {
      type pulse
    }
    
    # vim:set ft=alsaconf:

    EDIT:
    Taking what I learned from fixing the problem on Arch, I now have been able to fix it on Mandriva. It was necessary to (1) change Pulse Audio preferences (which can be done by executing "paprefs" in a console) and (2) start pulseaudio in the other (sandbox) account, i.e.
    Code:
    # first adjust preferences to allow access:
    paprefs
    #then start service in other account
    sudo -u sandbox -H pulseaudio --start
    Last edited by btitus; 10-05-2010 at 05:45 AM. Reason: further useful info on solution
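
The permission layout discussed in posts #1 and #5 (sandbox account in your group, private directories closed to group and other) can be checked mechanically. This is an added example, not part of the original thread; the function names `mode_of`, `is_private` and `audit_dirs` are hypothetical, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the layout from post #5: once
# the sandbox account shares your group, each private directory must grant
# nothing to "group" or "other". Assumes GNU stat (Linux).

# Print the octal permission bits of a path, e.g. 700 or 2755.
mode_of() {
    stat -c '%a' -- "$1"
}

# Succeed only if every group and other permission bit is clear.
is_private() {
    m=$(mode_of "$1" 2>/dev/null) || return 2
    # The leading 0 makes the shell read the mode as an octal constant.
    [ $(( 0$m & 077 )) -eq 0 ]
}

# Report each directory as ok, EXPOSED or missing.
# Exit status is the number of EXPOSED directories.
audit_dirs() {
    bad=0
    for d in "$@"; do
        if [ ! -d "$d" ]; then
            echo "missing           $d"
        elif is_private "$d"; then
            echo "ok       $(mode_of "$d")  $d"
        else
            echo "EXPOSED  $(mode_of "$d")  $d  (fix: chmod go-rwx)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Example: sh audit.sh "$HOME" /media
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

Run it again after any change to group membership, since adding the sandbox user to your group turns every group-readable directory into one the browser account can read.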
