To improve my system’s security, I’ve configured Steam to be run as a different Linux account. This guide is inspired in this thread.
First, we need a new user account to run Steam as. I’ve created the user sandbox with group sandbox.
# useradd sandbox # passwd sandbox Changing password for user sandbox. New password: Retype new password: passwd: all authentication tokens updated successfully. # usermod -a -G sandbox juan
Next, I give my user ‘juan‘ permissions in sudo to run commands as sandbox without password.
# vi /etc/sudoers.d/sandbox
juan ALL=(sandbox) NOPASSWD: ALL
# chmod 440 /etc/sudoers.d/sandbox
Then, we write a wrapper script to run steam as our sandbox user.
$ mkdir ~/bin $ vi ~/bin/steam
#!/bin/bash xhost SI:localuser:sandbox sudo -i -u sandbox /usr/bin/steam "$@"
$ chmod +x ~/bin/steam
If you don’t have
~/bin in your PATH, add this to
PATH="$HOME/bin:$PATH" export PATH
With this in place, we already can run Steam as sandbox with our wrapper, but a few things are missing, most importantly, the audio. For this, we are going to tell pulseaudio to create a unix socket, and the sandbox’s pulseaudio will run as a client through that socket.
First, I create a private folder in
/run to host the socket.
# vi /etc/tmpfiles.d/pulse-sandbox.conf
d /run/pulse-sandbox 0750 juan sandbox
# systemd-tmpfiles --create
Then, I configure pulseaudio to create the socket at startup:
$ cp /etc/pulse/default.pa /home/juan/.config/pulse/default.pa $ vi /home/juan/.config/pulse/default.pa
Add these line:
load-module module-native-protocol-unix auth-group=sandbox auth-group-enable=yes socket=/run/pulse-sandbox/pulse-sandbox.socket
In the sandbox user, we need this configuration:
$ vi /home/sandbox/.config/pulse/client.conf
default-server = unix:/run/pulse-sandbox/pulse-sandbox.socket
One more thing to configure is the desktop entry. We are going to override the global desktop file copying it to our user:
$ cp /usr/share/applications/steam.desktop /home/juan/.local/share/applications/steam.desktop
And we edit the file and substitute all the lines with Exec= to call our wrapper:
Exec=/home/juan/bin/steam %U Exec=/home/juan/bin/steam steam://store
…and so on.
Lastly, close your session so pulseaudio is able to pick the changes, and you should be able to run Steam as the user sandbox executing the icon in your desktop.
Hope it helps. If someone has any advice to improve this setup, please, tell me.