If I run these as an unprivileged user via xhost, they don’t really work well.
This is not a strong security boundary and in this case is basically doing the opposite of what you want. Giving access to an X session is basically giving the app full access to your user account. As an example they can inject keystrokes to open a terminal and do whatever they want. X also gives every program access to every other program.
Running as a different user will prevent direct access to other resources of your user account which may block some generic malware/spyware that tries to gobble up random files, but keyloggers and screen captures will just work as expected because they use X anyways.
As mentioned in other comments the best solution to this is Wayland. Under Wayland apps don’t have direct access to each other. These apps use “Portals” which are trusted permission prompts. So if you try to share the screen under Wayland you will get a trusted prompt that lists all windows, and if you select one the app only gets access to that one selected window.
Although it is worth noting that most apps running under your user account will have pretty broad access. This can be mitigated by sandboxing tools like Flatpak but many available Flatpaks don’t provide much isolation. Carefully check the permissions if isolation is important to you.
And for the truly paranoid anything running under the same kernel is not strongly isolated. It is likely good enough for these partially trusted apps like Zoom or Teams (they are not likely to actually try to exploit your system, just suck up more data than you would like them to) but not strong enough for running completely untrusted programs that may be malicious. You would at least want a VM boundary (see Qubes OS) or ideally different physical hardware.
Another good option is running these in a browser. Browsers are designed from the ground up to run untrusted software safely. Google Meet works perfectly in the browser and Zoom has all of the core functionality available. (I don’t use MS Teams so can’t vouch for it.) This is my main approach to isolating proprietary software as it is reliable and I also value features such as cross-platform usage. Half of these programs just run Electron anyways so running in my main browser will use less resources and be faster than running 7 different Chromium processes.
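Added example, not part of the comment above: one way to do the Flatpak permission check it recommends, by parsing the keyfile text that `flatpak info --show-permissions <app-id>` prints and flagging grants that undo the isolation (X socket, broad filesystem access, all devices). The sample input is constructed, and the finding wording and the `audit` helper are this example's own.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not from a real app.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-download;home:ro;
"""

# Filesystem grants that expose most of the user's or system's files.
BROAD_FS = {"host", "host-os", "host-etc", "home"}


def _values(parser, key):
    """Split a ';'-separated [Context] value into its non-empty items."""
    raw = parser.get("Context", key, fallback="")
    return [v for v in raw.split(";") if v]


def audit(text):
    """Return findings for permissions that weaken the Flatpak sandbox."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = []
    sockets = _values(parser, "sockets")
    if "x11" in sockets:
        findings.append("sockets=x11: full access to the X session")
    elif "fallback-x11" in sockets:
        findings.append("sockets=fallback-x11: X access when Wayland is absent")
    for grant in _values(parser, "filesystems"):
        path, _, mode = grant.partition(":")  # optional :ro/:rw/:create
        if path in BROAD_FS:
            findings.append(f"filesystems={path}: broad file access ({mode or 'rw'})")
    if "all" in _values(parser, "devices"):
        findings.append("devices=all: every device node, including cameras")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("WARN", line)
```

To check an installed app, pass the captured output of `flatpak info --show-permissions <app-id>` to `audit()` instead of `SAMPLE`.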
So Wayland fixes most of these. Is it possible to run GUI programs as another user just like in X with xhost though? I’m asking not only from a security point, but as a practical one since I need to run the same program under different namespaces/users
I can’t say I have tried. But Wayland uses a socket, so maybe you can set file permissions to let other users access it?
I don’t know what your exact use case is but if you just want programs to have different “profiles” you can probably do something like setting $HOME to point somewhere else or otherwise configure their data directory.
[W]ould anyone have spent this much time and effort writing about how much they hated Unix if they didn’t secretly love it? I’ll leave that to the readers to judge, but in the end, it really doesn’t matter: If this book doesn’t kill Unix, nothing will.
I always have Terminal open in the background. Never know when you might need to enact a dramatic hacker scene. I just can’t believe what they charge for those monitors that project text onto your face.
I find sometimes installing a bunch of different DEs can cause weird cross-issues, so I tend to just make VMs to try out new things. I have a bunch of them on an external drive like little specimen jars lol.
Also as a side note, I keep a VM that’s as close to my current setup as possible, so if I get the urge to try something weird I can do it there first and see if it breaks anything.
Alpine was the most interesting for me. It goes against the tendency of complicating the systems. I have to use Arch because everything can work on that distro.
Something a bit more out-of-the-box: I used to run 64-bit linux on a 2,1 Macbook Pro. Similar specs, including the same RAM ceiling. The isos are a bit out of date, but you can always install one and then upgrade from there. https://mattgadient.com/linux-dvd-images-and-how-to-for-32-bit-efi-macs-late-2006-models/