# Android-like per-package privileges with normal linux privs

## minkanjin

What I want to do is to set up a privilege structure that mimics Android's per-app privileges. So I would assign a username (or system username rather) to a package. That username would then be added to the groups that the package needs access to, such as video, audio, etc. Then finally the real user gets added to the package's primary group, and the setuid flag is used to change the real user to the package user.

The hope is that this can add a bit of sandboxing without adding another layer to access control.

Is this idea at all feasible, or should I rather wait for something like Flatpak?

If it is feasible, is there a tool/script to help set it up?

Is there a possibility that it could be added to portage (perhaps as a plugin that executes after everything else)?

----------
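
The scheme in the opening post, as an added worked example (not code from the thread): a setuid launcher in C that switches to a per-package user before exec'ing the real program. The names pkg-foo and /usr/lib/pkg-foo/foo and the setup commands in the header comment are assumptions. Two caveats are built in: the launcher must be a compiled binary, because Linux ignores the setuid bit on scripts, and resetting the supplementary groups needs CAP_SETGID, so a launcher that is only setuid to the package user (not root) cannot shed the invoking user's groups; the code refuses to continue in that case rather than leaking them through.

```c
/*
 * Added example, not from the thread: a minimal launcher for the
 * per-package-user scheme. Assumed one-time setup (hypothetical names):
 *
 *   groupadd pkg-foo
 *   useradd -r -g pkg-foo -G video,audio -d /var/lib/pkg-foo \
 *           -s /sbin/nologin pkg-foo
 *   usermod -a -G pkg-foo alice             # real user allowed to run foo
 *   gcc -O2 -o /usr/libexec/pkg-foo/launch launch.c
 *   chown root:pkg-foo /usr/libexec/pkg-foo/launch
 *   chmod 4750         /usr/libexec/pkg-foo/launch
 *
 * Mode 4750 means only members of the package's primary group can execute
 * the file at all, so the file mode is the access check. setuid runs the
 * file with the owner's uid; it is root here only because initgroups()
 * below needs CAP_SETGID, and the process drops to pkg-foo immediately.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define PKG_USER "pkg-foo"               /* hypothetical package user */
#define PKG_EXEC "/usr/lib/pkg-foo/foo"  /* hypothetical real program */

/* Reset supplementary groups to those of the package user: it keeps
 * video/audio but loses the invoker's other groups. Needs CAP_SETGID. */
int set_package_groups(const char *name, gid_t gid)
{
    return initgroups(name, gid);  /* 0 on success, -1 with errno set */
}

/* Change real, effective and saved ids together. Leaving the saved or
 * real id as the invoker would let the program setuid() back. gid first:
 * after the uid change we may no longer be allowed to change gids. */
int switch_ids(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    return 0;
}

/* Confirm the switch stuck: all three uids/gids match and, for a non-root
 * target, root cannot be regained. Returns 1 if fully dropped, else 0. */
int verify_switched(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;
    if (getresuid(&r, &e, &s) != 0 || getresgid(&rg, &eg, &sg) != 0) return 0;
    if (r != uid || e != uid || s != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    if (uid != 0 && (setuid(0) == 0 || errno != EPERM)) return 0;
    return 1;
}

int main(int argc, char **argv)
{
    (void)argc;
    struct passwd *pw = getpwnam(PKG_USER);
    if (!pw) { fprintf(stderr, "launch: no user %s\n", PKG_USER); return 1; }

    /* Fail closed: a launcher without CAP_SETGID (e.g. setuid only to
     * pkg-foo) would otherwise run the program with the invoker's groups. */
    if (set_package_groups(pw->pw_name, pw->pw_gid) != 0) {
        perror("launch: cannot reset supplementary groups (need CAP_SETGID)");
        return 1;
    }
    if (switch_ids(pw->pw_uid, pw->pw_gid) != 0) {
        perror("launch: switch_ids");
        return 1;
    }
    if (!verify_switched(pw->pw_uid, pw->pw_gid)) {
        fputs("launch: privileges not fully dropped\n", stderr);
        return 1;
    }

    /* Fresh environment: the program gets the package's own HOME, so its
     * settings live there and the invoker's dotfiles are out of reach. */
    if (clearenv() != 0) return 1;
    setenv("HOME", pw->pw_dir, 1);
    setenv("USER", pw->pw_name, 1);
    setenv("PATH", "/usr/bin:/bin", 1);
    argv[0] = PKG_EXEC;
    execv(PKG_EXEC, argv);
    perror("launch: execv");
    return 127;
}
```

Whatever the real user wants the package to see must be shared explicitly, for instance through a directory that is group-writable by pkg-foo; the same goes for the X authority file if the program needs a display, which is the inconvenience Hu alludes to further down the thread.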

## Roman_Gruber

Are you asking about the group principle in linux?

```
https://wiki.gentoo.org/wiki/Knowledge_Base:Adding_a_user_to_a_group
```

--

I'm still not sure if you ask for an android box or for a gentoo box in the first place.

--

No idea what you are after. When you do not trust your user, just remove the rights. Or use a kiosk distro.

When you want to grant limited rights for certain tasks, then use the group principle, which already works for certain tasks.

The ordinary user usually has no rights. I have to use the superuser a lot to get my things done.

--

----------

## Hu

Android uses a perversion of the standard Unix model to achieve a fairly useful feature; OP wants to have that same feature on desktop Linux.  Each Android app runs as a separate user ID, so apps are incapable of using ptrace on each other, reading each others' settings without the help of a broker (which typically asks the user to confirm the operation), etc.  This is useful if you want to run a program that you do not trust fully.  Under the classic permissions model, a rogue program can delete everything in the user's home directory (whether maliciously or due to sloppy coding).  Under the mobile permission model, the application can wreck its own settings, but not touch settings of unrelated programs.

----------

## Roman_Gruber

Do we not use virtual machines for such untrusted software to shield it?

----------

## Hu

Not everyone has the hardware to run virtual machines well.  In some cases, a virtual machine provides too much isolation, making it inconvenient to use the program.

----------

## Ant P.

Use firejail. It comes with premade sandbox rules for many common desktop apps.

----------

## minkanjin

Seems setuid only elevates privileges. For this to work, it needs to drop them too. So something else it will have to be.

I'll check out firejail

----------

