Is it safe to run a GUI program as another user?

I need to run a program (libreoffice) as another user. I noticed that the program started in the background when invoked as kdesudo -u otheruser libreoffice, possibly to avoid social engineering attacks.

(In the text below, "logged-in user" refers to me, not "otheruser".)

  • Is it safe to run an untrusted program in this way?
  • Does it affect the current logged-in user? (file and process access in the context of the logged-in user)

Denial of Service attacks by fork-bombs, using excess CPU, etc. are excluded since those can occur too if I log in directly as otheruser. For clarity, I'm looking for differences between running programs directly when logged in as otheruser and running programs using kdesudo, gksudo and sudo.


Solution 1:

For security purposes, assume that programs that have access to your X display can do whatever they want, including snooping on your clipboard, sending fake keystrokes to another application and other non-niceties. X just wasn't designed with isolation in mind.

For the curious or paranoid, read Secure Linux Desktop and Passive and active attacks via X11. Is Wayland any better? For the extremely paranoid, check out Qubes, which is based on virtualized Linux instances, each running its own X server.

If you're concerned about running untrusted X applications, you must run them on a separate X display, in addition to running them as a different user (or better, in a different (virtual) machine). You can run a separate X server and display it in a nested X window in various ways: through a virtual machine (VirtualBox, VMware, …), with a remote X server such as VNC which you just happen to connect to locally, or with a special-purpose X-in-X program such as Xnest or Xephyr.
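One way to set up the separate display described above, as an added example that is not part of this answer: a POSIX shell script that starts a nested Xephyr display and launches the program as the other user on that display only. It assumes Xephyr and sudo are installed; "otheruser" and "libreoffice" are the placeholders from the question.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Runs an untrusted GUI
# program as another user on a nested X server, so the program never gets a
# connection to the logged-in user's real display.
# Assumptions: Xephyr and sudo are installed; the user and program names are
# whatever the caller passes (the question used "otheruser" and "libreoffice").

# First display number whose X socket and lock file are both absent.
free_display() {
    n=${1:-1}
    while [ -e "/tmp/.X11-unix/X$n" ] || [ -e "/tmp/.X$n-lock" ]; do
        n=$((n + 1))
    done
    printf ':%s\n' "$n"
}

# Start a nested display, run "$@" on it as user "$1", then tear it down.
run_sandboxed() {
    user=$1; shift
    display=$(free_display 10)

    # Xephyr is just one more client of the outer display; clients inside it
    # see only the nested server, not the clipboard, windows or keystrokes of
    # the outer one. With no -auth it accepts any local client, which is fine
    # because nothing trusted is run inside it.
    Xephyr "$display" -screen 1280x800 -title "untrusted: $user" &
    xephyr_pid=$!
    i=0
    while [ ! -e "/tmp/.X11-unix/X${display#:}" ] && [ "$i" -lt 50 ]; do
        sleep 0.1; i=$((i + 1))
    done

    # -H gives the target user its own HOME; DISPLAY is set explicitly to the
    # nested server; XAUTHORITY=/dev/null ensures no cookie for the real
    # display survives sudo's environment handling, so even a deliberate
    # attempt to connect to :0 from inside fails the authorization check.
    sudo -H -u "$user" env DISPLAY="$display" XAUTHORITY=/dev/null "$@"

    kill "$xephyr_pid" 2>/dev/null
}

# Usage: sh sandboxed-gui.sh otheruser libreoffice
if [ "$#" -ge 2 ]; then
    run_sandboxed "$@"
fi
```

The nested window still appears on your screen, but the isolation boundary is the X server itself, not the window manager, so the script does nothing to protect against an application that is merely unpleasant to look at.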

If you're concerned about social engineering attacks, that's a different problem. Social engineering targets the user; the only way to avoid them is to leave the user out.