Sandbox Steam running it under a different account

To improve my system’s security, I’ve configured Steam to be run as a different Linux account. This guide is inspired by this thread.

First, we need a new user account to run Steam as. I’ve created the user sandbox with group sandbox.

# useradd sandbox
# passwd sandbox

Changing password for user sandbox.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

# usermod -a -G sandbox juan

Next, I give my user ‘juan’ permission in sudo to run commands as sandbox without a password.

# vi /etc/sudoers.d/sandbox
juan ALL=(sandbox) NOPASSWD: ALL
# chmod 440 /etc/sudoers.d/sandbox

Then, we write a wrapper script to run Steam as our sandbox user.

$ mkdir ~/bin
$ vi ~/bin/steam
#!/bin/bash
xhost SI:localuser:sandbox
sudo -i -u sandbox /usr/bin/steam "$@"
$ chmod +x ~/bin/steam

If you don’t have ~/bin in your PATH, add this to ~/.bash_profile:

PATH="$HOME/bin:$PATH"
export PATH

With this in place, we can already run Steam as sandbox with our wrapper, but a few things are missing, most importantly the audio. For this, we are going to tell pulseaudio to create a Unix socket, and the sandbox user’s pulseaudio will run as a client through that socket.

First, I create a private folder in /run to host the socket.

# vi /etc/tmpfiles.d/pulse-sandbox.conf
d /run/pulse-sandbox 0750 juan sandbox
# systemd-tmpfiles --create

Then, I configure pulseaudio to create the socket at startup:

$ cp /etc/pulse/default.pa /home/juan/.config/pulse/default.pa
$ vi /home/juan/.config/pulse/default.pa

Add this line:

load-module module-native-protocol-unix auth-group=sandbox auth-group-enable=yes socket=/run/pulse-sandbox/pulse-sandbox.socket

For the sandbox user, we need this configuration:

$ vi /home/sandbox/.config/pulse/client.conf
default-server = unix:/run/pulse-sandbox/pulse-sandbox.socket

One more thing to configure is the desktop entry. We are going to override the global desktop file by copying it to our user:

$ cp /usr/share/applications/steam.desktop /home/juan/.local/share/applications/steam.desktop

Then we edit the file and change every line starting with Exec= so that it calls our wrapper:

Exec=/home/juan/bin/steam %U

Exec=/home/juan/bin/steam steam://store

…and so on.

Lastly, close your session so pulseaudio is able to pick up the changes, and you should be able to run Steam as the user sandbox by clicking the icon on your desktop.
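To confirm the permissions from the steps above ended up as intended, here is an audit script. It is an added example, not part of the original post. The function names and the check on /home/juan are assumptions of this example; the paths, modes and owners come from the guide.

```bash
#!/bin/bash
# Added example (not from the original post): audit the permissions this
# guide sets up. Uses GNU stat; run as root so /etc/sudoers.d is readable.

# check_path PATH MODE OWNER GROUP: succeed only if PATH exists and matches.
check_path() (
    if ! actual=$(stat -c '%a %U %G' -- "$1" 2>/dev/null); then
        echo "MISSING   $1"
        exit 1
    fi
    if [ "$actual" != "$2 $3 $4" ]; then
        echo "MISMATCH  $1: have '$actual', want '$2 $3 $4'"
        exit 1
    fi
    echo "OK        $1 ($actual)"
)

# no_other_access PATH: succeed only if the "other" permission digit is 0,
# i.e. an account outside the owner and group cannot enter or read PATH.
no_other_access() (
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || exit 1
    case $mode in
        *0) exit 0 ;;
        *)  exit 1 ;;
    esac
)

# audit_sandbox USER SANDBOX_USER: run every check, report all failures.
audit_sandbox() (
    me=$1 sb=$2 rc=0
    check_path /etc/sudoers.d/sandbox 440 root root || rc=1
    check_path /run/pulse-sandbox 750 "$me" "$sb" || rc=1
    # Assumption: the point of the second account is to keep Steam out of
    # the main user's files, so /home/USER must not be open to "other".
    if no_other_access "/home/$me"; then
        echo "OK        /home/$me is closed to other accounts"
    else
        echo "EXPOSED   /home/$me is missing or open to accounts such as $sb"
        rc=1
    fi
    exit "$rc"
)

# Example invocation: ./audit.sh juan sandbox
if [ "$#" -eq 2 ]; then
    audit_sandbox "$1" "$2"
fi
```

The script covers file permissions only: the xhost line in the wrapper lets the sandbox account connect to your X display, which is outside what it checks.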

Hope it helps. If someone has any advice to improve this setup, please, tell me.

Cheers!


2 thoughts on “Sandbox Steam running it under a different account”

  1. I do not have any advice on how to improve your set-up but I just wanted to mention that some of us use SELinux to achieve some degree of containment. It is a trade-off for sure but in the end I suspect that my SELinux policy config for Steam might be a bit more friendly (although admittedly it might provide less security where it matters a lot, namely access to your content). My steam can “manage” generic user home content but it cannot, for example, access specific configuration data like gpg, ssh, password-store, bash_history etc. etc. A different approach with different trade-offs.

    https://github.com/DefenSec/dssp-contrib/blob/master/applications/steam.cil


  2. Hi, thank you for writing this howto. It worked like a charm for me. I have one little tip: instead of copying the system default.pa file to my home, I started my own with .include /etc/pulse/default.pa — that way I’ll still get automatic updates when upgrading pulseaudio.

