OS: RPiOS full booting to command line without auto loginn
Aim: a reliable and resonably secure way to run startx /path/to/program at boot as an unprivileged user (i.e. not as root).
Whether from cron, rc.local or systemd trying to run startx /path/to/program as a user other than root always fails with a permission denied error on the tty. I have a few workarounds but none are ideal:
- Run as root and hang the consequences.
- Run as root and have the program drop its privileges. Not possible if you don't have the program source and the necessary knowledge to modify it. Potential complications with thing like ~, $HOME, $PATH, etc
- Autologin to a non-root user's command line then run it from their .bashrc. Obivous problem there is .bashrc runs at every login whether local or remote, GUI or command line. Anyone with physial access running has access to a logged in commandline just by connecting a keyboard. With passwordless sudo in the default OS configuration.
- Autologin to a non-root user's desktop and use autostart. Anyone with physial access running has access to a logged in desktop just by connecting a keyboard. With passwordless sudo in the default OS configuration.
- Install the xserver-xorg-legacy package and configure it so anybody can start the X server. The downside here is that anybody can start the X server on the console as long as it isn't running and they have login credential to the box.
But I'd like to know if there is a more secure and more reliable method.
Before anyone suggests a systemd service wantedby and after graphical.target, that won't help. You'll hit a different set of X security issues and potentially still have a logged in desktop running.