Hello dears.
I have on my Fedora 2 user accounts:
- 1st user account, which was created during a fresh installation of Fedora 24 (I have upgraded my OS using the command line since then & I’m currently on Fedora 32). This account has “su” / “sudo” / “polkit” powers (full root power).
- 2nd user account, which I created in a specific way to be an isolated user account within which I can run Windows games & applications through WineHQ, safe from the risks of viruses & other harmful programs that could be run by WineHQ. This 2nd user is called “wineuser”. By default Fedora is configured so that any newly created user has no ability to use “sudo”. I further expanded security on my system by disabling “su” also for every newly created user. I did this by:
sudo vi /etc/pam.d/su
then uncommenting the following line:
#auth required pam_wheel.so use_uid
to be just
auth required pam_wheel.so use_uid
I already did that before the creation of “wineuser”. So, “wineuser” has no “su” power.
I extended the security & isolation of “wineuser” by disabling its use of polkit to achieve root power. I did this by running the following command after the creation of “wineuser”:
sudo setfacl -m u:wineuser:--- /usr/libexec/polkit-gnome-authentication-agent-1
Due to the large sizes of new Windows games, I bought a new SSD that I run by installing it inside an external enclosure & connecting the enclosure through its specific cable to my laptop’s built-in USB port. I bought this new SSD to install Windows games on it by making the WineHQ prefix default to this new SSD.
After I bought the new SSD, I formatted it from within my 1st user account (which is the full-power user), & I selected Ext4 as the filesystem. It was formatted correctly without error & has no problem regarding read/write with my 1st user account.
The problem started when I logged in to “wineuser” & connected the new SSD to my laptop. “wineuser” has no right either to read or to write to the new SSD. I discovered that the Ext4 filesystem has a user & group ownership security layer … I did not know about this before! When I start my laptop, then log in directly to “wineuser”, then connect a USB stick or memory card with FAT32 / exFAT / NTFS, I have no problem either reading or writing. But when I connect the new SSD (Ext4) & try to open it, I receive the error message “you has no permission to read/write from this drive”.
I ran the “getfacl” command while the external SSD was connected to the laptop and I was logged in to my 1st user account. The output is below:
$ getfacl /run/media/my1stusername/external_ssd_name
getfacl: Removing leading '/' from absolute path names
# file: run/media/my1stusername/external_ssd_name
# owner: my1stusername
# group: my1stusername
user::rwx
group::---
other::---
Then I powered my laptop OFF, then powered it ON & logged in directly to “wineuser”. Then I ran the “getfacl” command from within “wineuser” while the external SSD was connected to the laptop. It gave me exactly the same output:
$ getfacl /run/media/wineuser/external_ssd_name
getfacl: Removing leading '/' from absolute path names
# file: run/media/wineuser/external_ssd_name
# owner: my1stusername
# group: my1stusername
user::rwx
group::---
other::---
At first I concluded that I could manage this issue by using the “setfacl” command from within the 1st user account while the new SSD is mounted on it, as follows:
sudo setfacl -m u:wineuser:rwx /run/media/my1stusername/external_ssd_name
But later on I stopped myself from doing that due to the following concerns:
- does performing the “setfacl” command in the way given above allow “wineuser” to penetrate into my 1st user account?? I mean by that: does including the path
"/run/media/my1stusername/"
open the door or a backdoor for “wineuser” to penetrate into my 1st user account?? If yes, then I will never perform this because it will break everything for which I created “wineuser”. I would like “wineuser” to be completely separated from the 1st user account [& any other user(s) that I may create in future] & not penetrate into it (them).
- if I apply the “setfacl” command, will it continue to be valid if I change the name of my SSD later on?
- is there a better alternative than the “setfacl” command that does not break the isolation of “wineuser”?
If “setfacl” is dangerous & there is no other way, then I’m very ready to re-format the SSD using the NTFS filesystem & get out of this headache. In fact what makes me stick to the Ext4 filesystem is that I read on the Internet that it is slightly faster than the NTFS filesystem.
Thank you for your kind support.
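
As an added example that is not part of the original post: the access check described in acl(5), applied to the getfacl output quoted above and to a constructed listing of the same directory after the setfacl command. The function names are hypothetical, and it assumes each user belongs only to a private group of the same name.

```python
# From the post: getfacl output for the SSD's top-level directory ("# file:" line omitted).
ACL_BEFORE = """\
# owner: my1stusername
# group: my1stusername
user::rwx
group::---
other::---
"""

# Constructed: listing expected after `setfacl -m u:wineuser:rwx` (a mask entry is added too).
ACL_AFTER = """\
# owner: my1stusername
# group: my1stusername
user::rwx
user:wineuser:rwx
group::---
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning_group, [(tag, qualifier, perms_set), ...])."""
    owner, group, entries = None, None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split("#")[0].split(":")[:3]
            entries.append((tag, qual, set(perms.strip()) - {"-"}))
    return owner, group, entries

def may_access(acl_text, user, groups, want):
    """True if `user` (a member of `groups`) is granted every permission in `want`."""
    owner, group, entries = parse_getfacl(acl_text)
    want = set(want)
    find = lambda tag, q: next((p for t, n, p in entries if t == tag and n == q), None)
    mask = find("mask", "")
    masked = lambda p: p if mask is None else p & mask
    if user == owner:                      # 1. owner: user:: entry, never masked
        return want <= (find("user", "") or set())
    named = find("user", user)
    if named is not None:                  # 2. named user entry, limited by the mask
        return want <= masked(named)
    hits = [p for t, n, p in entries if t == "group" and (n or group) in groups]
    if hits:                               # 3. owning/named groups: one entry must suffice
        return any(want <= masked(p) for p in hits)
    return want <= (find("other", "") or set())  # 4. everyone else falls to other::
```

The check covers one directory at a time: `setfacl -m` without `-R` changes only the SSD's top-level directory, and files beneath it are checked against their own owner, mode and ACL.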