To improve my system’s security, I’ve configured Steam to run as a different Linux account. This guide is inspired by this thread.
First, we need a new user account to run Steam as. I’ve created the user sandbox with group sandbox.
# useradd sandbox
# passwd sandbox
Changing password for user sandbox.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
# usermod -a -G sandbox juan
Next, I give my user ‘juan’ permission in sudo to run commands as sandbox without a password.
# vi /etc/sudoers.d/sandbox
juan ALL=(sandbox) NOPASSWD: ALL
# chmod 440 /etc/sudoers.d/sandbox
Then, we write a wrapper script to run Steam as our sandbox user.
$ mkdir ~/bin
$ vi ~/bin/steam
#!/bin/bash
xhost SI:localuser:sandbox
sudo -i -u sandbox /usr/bin/steam "$@"
$ chmod +x ~/bin/steam
If you don’t have ~/bin in your PATH, add this to ~/.bash_profile:
PATH="$HOME/bin:$PATH"
export PATH
With this in place, we can already run Steam as sandbox with our wrapper, but a few things are missing, most importantly audio. To fix this, we tell pulseaudio to create a Unix socket, and the sandbox user’s pulseaudio will connect to it as a client.
First, I create a private folder in /run to host the socket.
# vi /etc/tmpfiles.d/pulse-sandbox.conf
d /run/pulse-sandbox 0750 juan sandbox
# systemd-tmpfiles --create
Then, I configure pulseaudio to create the socket at startup:
$ cp /etc/pulse/default.pa /home/juan/.config/pulse/default.pa
$ vi /home/juan/.config/pulse/default.pa
Add this line:
load-module module-native-protocol-unix auth-group=sandbox auth-group-enable=yes socket=/run/pulse-sandbox/pulse-sandbox.socket
In the sandbox user, we need this configuration:
$ vi /home/sandbox/.config/pulse/client.conf
default-server = unix:/run/pulse-sandbox/pulse-sandbox.socket
One more thing to configure is the desktop entry. We are going to override the global desktop file by copying it to our user:
$ cp /usr/share/applications/steam.desktop /home/juan/.local/share/applications/steam.desktop
Then we edit the copy and change every line starting with Exec= so that it calls our wrapper:
Exec=/home/juan/bin/steam %U
Exec=/home/juan/bin/steam steam://store
…and so on.
Lastly, log out and back in so pulseaudio picks up the changes. You should then be able to run Steam as the user sandbox by launching it from the icon on your desktop.
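To confirm the permissions from the steps above are what you expect, here is an audit script (an added example, not part of the original guide). The function names and the optional root-prefix argument are made up for illustration; it assumes GNU stat, a sudoers drop-in owned by root:root, and that sandbox is not a member of juan's group, so it reaches /home/juan through the "other" permission bits.

```shell
#!/bin/bash
# Added example: audit the permissions this guide sets up.

# check_perms PATH MODE OWNER GROUP: succeed only on an exact match.
check_perms() {
    local path="$1" want="$2 $3 $4" got
    got=$(stat -c '%a %U %G' -- "$path" 2>/dev/null) || {
        echo "MISSING $path"; return 1; }
    if [ "$got" = "$want" ]; then
        echo "OK      $path ($got)"
    else
        echo "BAD     $path: have '$got', want '$want'"
        return 1
    fi
}

# no_other_access PATH: succeed only if the "other" digit of the mode is 0,
# i.e. accounts outside the owner and group get no access at all.
no_other_access() {
    local path="$1" mode
    mode=$(stat -c '%a' -- "$path" 2>/dev/null) || {
        echo "MISSING $path"; return 1; }
    case "$mode" in
        *0) echo "OK      $path (mode $mode)" ;;
        *)  echo "BAD     $path: mode $mode grants access to other users"
            return 1 ;;
    esac
}

# audit_sandbox [USER] [SANDBOX_USER] [ROOT_PREFIX]
# ROOT_PREFIX is only for testing against a fake tree; leave it empty normally.
audit_sandbox() {
    local user="${1:-juan}" sbx="${2:-sandbox}" root="${3:-}" rc=0
    # sudoers drop-in: mode 440, as set with chmod in the guide
    check_perms "$root/etc/sudoers.d/$sbx" 440 root root || rc=1
    # socket directory: matches the tmpfiles.d line "0750 juan sandbox"
    check_perms "$root/run/pulse-sandbox" 750 "$user" "$sbx" || rc=1
    # main account's home must not be reachable by the sandbox account
    no_other_access "$root/home/$user" || rc=1
    return "$rc"
}

# Run as root: ./audit.sh audit juan sandbox
if [ "${1:-}" = "audit" ]; then
    audit_sandbox "${2:-juan}" "${3:-sandbox}"
fi
```

A BAD line on /home/juan means Steam, running as sandbox, can still list or read files in the main account's home directory.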
Hope it helps. If someone has any advice to improve this setup, please, tell me.
Cheers!