Sooo i made this program that uses both chromium but also is a rest server. (they need to be together for this program)

Soo the rest server requieres to be run with sudo

But the chromium Browser must not. It says must provide --no sandbox (to run as sudo)

so then i added --no sandbox

and it works like i wanted it.

However every application seems to be glitching sometimes (only ui) but no lag etc.

How can i stop it from glitching :0 i mean it does work though

Never tried it but the limits is there to prevent bugs from getting root so circumventing that is probably not a good idea.

Could you run them as separate processes that communicate using pipes or some other interface?

Does the rest server really need sudo?

None of that should actually run as root. If your server really needs privilegues, start it as root and make it drop its privileges after it has done whatever it needed root for. Also use namespaces+cgroups+chroot, jails for additional isolation.

At least start the broswer under an unprivileged account. Sudo can start stuff under any user account - it doesn't have to be root.

Your server doesn't need root, it needs a low port. Get that port and then switch to a daemon user. There's actually a whole lot of steps to writing daemons such as dropping I/O, fork-exit to become an orphan under init etc. I don't know the exact procedure but there are pretty good guides out there.

You probably shouldn't be running anything that interacts with xorg as root, there are a shitton of privilege escalations associated with it. On the other hand, because your UI is already web tech and your server already needs HTTP you can separate the logic from the UI with minimal effort by basically launching a regular chrome instance and pointing it at some unix socket exposed by your daemon which can then load the UI.

@lbfalvy is right, though. You don’t need root permissions.

@jonas-w hmm i will try getting it to run without sudo then but i think it didnt allow the rest api to listen then

@Root why wont you give me permisssions

@joewilliams007 … so many reasons.

@joewilliams007 You need root to listen on a port below 1024, so both 80 and 443. However, you can't lose a port by accident so you should start listening and then drop root privileges by switching users.

@lbfalvy okay thx!

I think I've screeched and violently screamed for nearly 5 minutes, died from respiratory distress and then my neighbor broke my door and resuscitated me just to deliver a well deserved kick in the groin.

If you *ever* come to a point where you're using root in either an docker image or a live system, stop. Really stop.

The beauty of Linux lies in its permissions .

What @lbfalvy said is "half true".

Since kernel 2.2 (a loooooooooooooooonnnnnnngggg time ago)… Linux has capabilities.

Capabilities exist e.g. even in Docker, see.:

https://docs.docker.com/engine/...

NET_BIND_SERVICE is a default capability allowing any service to use ports less than 1024.

Never go for sudo or root - give proper user and group permissions and if necessary, use setcap -/ getcap.

Many distros do this by default though.

If you don't know what the fsck is happening, why this command doesn't work, where a permission is missing - strace .

Yes, it spits out a fuckton of shit - but it is (especially if you know C) extremely helpful.

Never use sudo.

Really never.

sudo is a big security hole and the easy way... To make big mistakes.

@IntrusionCM thank you i will change the port tomorrow.

I did thought to myself that what i was doing was a security risk but didnt know how to solve it. So thatswhy i was asking :)