Root launching vncserver as different user

I have a system I'm administering that is shared by many users, each having a separate VNC session. So far they've been launching their own VNC servers from SSH, but I'd rather be the only one able to spin up new servers.



In other words, I want the root user to be the only one with permission to run vncserver. The problem I'm facing is how to run a vnc session for a user while keeping the vncserver program unavailable for the users to run it.



I've checked the docs of both vncserver and Xvnc and I haven't found any option resembling --user or something similar.



Is this even possible?







      asked Jun 22 at 11:12









      José Tomás Tocino

          1 Answer
          1) In order to keep certain users away from your (*1) vncserver, the easiest way would be to change the perms of the vncserver binary to prevent others from running it, and create a vncgrp group.



          $ sudo groupadd vncgrp
          $ sudo chown root:vncgrp /usr/bin/tightvncserver
          $ sudo chmod 750 /usr/bin/tightvncserver


          (*1) Mind you, they might download and run their vncserver, and this becomes a harder problem.
          You might run into issues when upgrading the vnc package, or, depending on the package manager configuration, it might restore the original perms and anyone might be able to run vnc.



          2) Running vncserver under some other user credentials can be achieved using sudo.



          $ sudo -u someonelse /usr/bin/tightvncserver





          • I think you've misunderstood my question completely. I don't have a separate group of users that shouldn't use vncserver. No user other than root should be able to run vncserver. The problem is that, in order to create a vnc session for a user, the command needs to be run by that user. That's the issue.
            – José Tomás Tocino
            Jun 22 at 14:49










          • Well, if you'd like to restrict just root to your vncserver, just change the permissions accordingly. chmod 500 /usr/bin/tightvncserver Also, you might want to restrict your users' ability to run binaries from their home directory. Create a new filesystem for /home and mount it as nodev,noexec, for example.
            – Dolapevich
            Jun 24 at 17:12










          answered Jun 22 at 11:29









          Dolapevich
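
An added example, not part of the original answer or comments: a drift check for the lock-down discussed above, since a package upgrade may restore the original permissions. It assumes GNU stat and a /proc/mounts-format mount table; the function names, the VNC_* variables and the --audit switch are hypothetical, and the default owner, group and mode are the ones from the answer (set VNC_MODE=500 and VNC_GROUP=root for the root-only variant from the comment).

```shell
#!/bin/sh
# Added example: verify that the vncserver lock-down is still in place.

# check_perms PATH OWNER GROUP MODE
# Returns 0 when PATH has exactly this owner, group and octal mode,
# 1 when it has drifted, 2 when PATH is missing or cannot be read.
check_perms() {
    path=$1
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    actual=$(stat -c '%U:%G %a' "$path") || return 2
    expected="$2:$3 $4"
    if [ "$actual" = "$expected" ]; then
        echo "OK $path ($actual)"
        return 0
    fi
    echo "DRIFT $path: have $actual, want $expected"
    return 1
}

# mount_has_option MOUNTPOINT OPTION [MOUNTS_FILE]
# Reads lines of the form "device mountpoint fstype options ...".
# When a mount point is listed more than once, the last entry decides.
mount_has_option() {
    awk -v mp="$1" -v opt="$2" '
        $2 == mp { found = 1; ok = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == opt) ok = 1 }
        END { exit !(found && ok) }' "${3:-/proc/mounts}"
}

# Combine both checks: binary permissions plus the /home mount options
# suggested in the comment (nodev,noexec).
audit_vnc_lockdown() {
    rc=0
    check_perms "${VNC_BIN:-/usr/bin/tightvncserver}" root \
        "${VNC_GROUP:-vncgrp}" "${VNC_MODE:-750}" || rc=1
    for opt in nodev noexec; do
        mount_has_option /home "$opt" || { echo "DRIFT /home lacks $opt"; rc=1; }
    done
    return "$rc"
}

# Hypothetical switch: only audit the live system when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_vnc_lockdown
fi
```

Run it with --audit from cron or after package upgrades. On Debian-family systems, `dpkg-statoverride --update --add root vncgrp 750 /usr/bin/tightvncserver` records the override so that upgrades keep it.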
