Kodi Linux permissions, configuration backup and install
#1
Since I have a strange Kodi installation that requires sudo to launch Kodi, I was thinking of backing up the Kodi config and trying to reinstall it under the pi user, if possible. (My pi user is not in sudoers.)

1) Find Kodi config directories: find /home /root -maxdepth 2 -type d -iname ".kodi*" -exec du -h --max-depth=0 {} \;
(I do not know which one is the one I am using... the /usr/bin/kodi has root:root rights)

2) Stop Kodi gracefully or kill all pids belonging to kodi: ps aux|grep kodi;kill -9 pidhere

3) Create backup of each Kodi config directory: ext=2 && for kodidatadir in $(find /home /root -maxdepth 2 -type d -name .kodi);do cp -rpn $kodidatadir $kodidatadir$ext;done

4) remove kodi: sudo apt purge kodi;sudo apt autoremove

5) Assign pi to the sudo group (I have it intentionally disabled), install Kodi under the pi user and then remove pi from sudo: sudo addgroup pi sudo;sudo -u pi sudo apt install kodi -y;sudo delgroup pi sudo;

but it still fails:
Quote:pi@raspberrypi:/home/otheruser $ kodi --standalone
open /dev/fb0: No such file or directory
XDG_RUNTIME_DIR (/run/user/1001) is not owned by us (uid 1000), but by uid 1001! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
XDG_RUNTIME_DIR (/run/user/1001) is not owned by us (uid 1000), but by uid 1001! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
XDG_RUNTIME_DIR (/run/user/1001) is not owned by us (uid 1000), but by uid 1001! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
XDG_RUNTIME_DIR (/run/user/1001) is not owned by us (uid 1000), but by uid 1001! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
Cannot connect to server socket err = No such file or directory
Cannot connect to server request channel
jack server is not running or cannot be started
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
JackShmReadWritePtr::~JackShmReadWritePtr - Init not done for -1, skipping unlock
XDG_RUNTIME_DIR (/run/user/1001) is not owned by us (uid 1000), but by uid 1001! (This could e g happen if you try to connect to a non-root PulseAudio as a root user, over the native protocol. Don't do that.)
Sorry, user pi is not allowed to execute '/home/pi/.kodi/addons/service.tvh.manager/resources/lib/shutdown.sh 0 0' as root on raspberrypi.
^CSegmentation fault
 
I do not want Kodi to have root access to the computer (when running it with sudo, I can browse all files, even under different accounts).
#2
I already explained it to you in the other post: you don't need to run Kodi with sudo, nor is it advisable. It is just that the user which will run Kodi needs to be in the "sudo" group if you launch it through a Desktop Environment. If you launch it through a Virtual Terminal (CTRL+ALT+F2, for example), the user doesn't need to be in the "sudo" group; I already explained why, too.
Note that the user which will run Kodi must be part of other groups, otherwise it might not even start. Check this: https://www.raspberrypi.org/forums/viewt...6&t=251645

PS: You have a custom script that needs root permissions to run, check that also.
#3
@rascas
Thanks for the valuable info.
Quote:It is just that the user which will run Kodi needs to be in the "sudo" group if you launch it through a Desktop Environment.
I am in the default Raspbian 10 desktop environment, but I am launching Kodi remotely via SSH, so here the pi user has to be in sudo (have root privileges) and there is no workaround? As shown above, it fails (in both cases: "pi" not a member of the sudo group and "pi" a member of the sudo group). The first case's command output is above and the next case's output (pi user being part of the sudo group) is below:
Quote:failed to export dumb buffer: Permission denied
Failed to create scanout resource
failed to export dumb buffer: Permission denied
Failed to create scanout resource
terminate called after throwing an instance of 'std::runtime_error'
  what():  eglSwapBuffers failed
Aborted (core dumped)
find: '/home/pi/.dbus': Permission denied
find: '/home/pi/ext/home': Permission denied
Crash report available at /home/pi/kodi_crashlog-20200330_181910.log
[E] Invalid arguments ' '
(Note that I do not want pi to be in sudo, since pi is a "guest" kind of user for me and I want to limit privileges.)

So, in short, my question remains: I do not know how to run Kodi without sudo and without the "pi" user having sudo privileges. I would prefer to keep the ability to use the Raspbian desktop. One can also start Kodi at boot, but I do not want to try it because I do not want a failing boot: sudo nano /etc/xdg/lxsession/LXDE-pi/autostart
add line "@kodi"
reboot
If my priority (I think a very legitimate one) is Kodi launched without sudo (root privilege) and under a user without the sudo group, then what is my option, please?

> user which will run Kodi, must be part of other groups

I verified this and "pi" is part of all the mentioned groups except the tty group: pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

I hope you reply, and thank you for your patience.
#4
If you don't want the user to be part of "sudo" group and have a Desktop Environment running at same time, the only option that comes to my mind is for that user to own the command /usr/bin/chvt (it is owned by root by default). Then remove the "sudo" in the chvt lines in /usr/bin/kodi script. Note that changes to chvt permissions and the "kodi" script will be overwritten when there is an update to the respective packages.
Note also that I never tested this, but it should work.
#5
$ grep sudo /usr/bin/kodi
Quote:    sudo killall fbi >/dev/null 2>&1
    sudo service cec stop >/dev/null 2>&1
  vt=$(sudo /bin/fgconsole)
  sudo /bin/chvt 8
    sudo service cec start >/dev/null 2>&1
  sudo /bin/chvt $vt
$ sudo chown pi:pi /bin/chvt
$ sudo sed -i "s|sudo /bin/chvt|/bin/chvt|g" /usr/bin/kodi
$ sudo sed -i "s|sudo /bin/fgconsole|/bin/fgconsole|g" /usr/bin/kodi
$ kodi --standalone
-> fail (errors shown above)
$ /usr/bin/kodi
-> fail as above
No matter whether "pi" had sudo group membership, it fails with and without sudo group membership.

I am currently running kodi under "su" command "sudo kodi &". It works, but while Kodi is running, the Kodi users are likely able to browse (and maybe exploit?) the whole filesystem.
Quote:If you don't want the user to be part of "sudo" group and have a Desktop Environment running at same time
I think I prefer security, so I would like to disable the Raspbian desktop and run Kodi in such a way that neither it nor the user running it has root privileges. How can I do it, please? Is it the tutorial "[Guide] Kodi on Raspbian Buster", section "AUTO-STARTING KODI AT BOOT:"?
That way it should launch under "pi" without the sudo group?

UPDATE: yes, that worked.
1) Go to rc-gui on the Raspbian desktop or run the "raspi-config" command in the terminal, and choose the option to boot to CLI/console
2) Paste the following into the terminal and hit Enter:
Quote:sudo tee -a /lib/systemd/system/kodi.service <<_EOF_
[Unit]
Description = Kodi Media Center
After = remote-fs.target network-online.target
Wants = network-online.target

[Service]
User = pi
Group = pi
Type = simple
ExecStart = /usr/bin/kodi-standalone
Restart = on-abort
RestartSec = 5

[Install]
WantedBy = multi-user.target
_EOF_
3) sudo systemctl enable kodi.service
4) sudo reboot
#6
(2020-03-30, 19:30)postcd Wrote: I think I prefer security, so I would like to disable the Raspbian desktop and run Kodi in such a way that neither it nor the user running it has root privileges. How can I do it, please? Is it the tutorial "[Guide] Kodi on Raspbian Buster", section "AUTO-STARTING KODI AT BOOT:"?
That way it should launch under "pi" without the sudo group?

If you go with Option 1, yes, you don't need user pi to belong in sudo group.
Reply
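Added example, not part of any post in this thread: a small POSIX shell audit for the three privilege problems the thread runs into, namely Kodi running as root ("sudo kodi &"), the Kodi user sitting in the sudo group, and the `chown pi:pi /bin/chvt` workaround from #5 that leaves a system binary owned by pi. The function names and the `--live` switch are hypothetical, and the `ps` lines in `demo` are constructed; the group list is the one posted in #3.

```shell
#!/bin/sh
# Added example, not from the thread. Each check takes its evidence as
# arguments, so it can be exercised on sample data as well as a live system.

# check_proc_user "<lines of: USER COMMAND>"
check_proc_user() {
    printf '%s\n' "$1" | awk '
        $2 ~ /kodi/ { seen = 1; if ($1 == "root") bad = 1 }
        END {
            if (!seen)    print "INFO: no kodi process"
            else if (bad) print "FAIL: kodi runs as root"
            else          print "OK: kodi runs unprivileged"
        }'
}

# check_sudo_group USER "<space-separated group names>"
check_sudo_group() {
    case " $2 " in
        *" sudo "*) echo "FAIL: $1 is in the sudo group" ;;
        *)          echo "OK: $1 is not in the sudo group" ;;
    esac
}

# check_owner PATH OWNER  (system binaries such as /bin/chvt should stay root-owned)
check_owner() {
    if [ "$2" = root ]; then
        echo "OK: $1 owned by root"
    else
        echo "FAIL: $1 owned by $2, expected root"
    fi
}

# demo: constructed ps lines; group list as posted in #3; chvt owner as left by #5
demo() {
    check_proc_user 'root sudo
root kodi.bin'
    check_sudo_group pi 'pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi'
    check_owner /bin/chvt pi
}

# Live audit (hypothetical usage): sh audit.sh --live [user]
if [ "${1:-}" = "--live" ]; then
    user=${2:-pi}
    check_proc_user "$(ps -eo user=,comm=)"
    check_sudo_group "$user" "$(id -nG "$user")"
    check_owner /bin/chvt "$(stat -c %U /bin/chvt)"
fi
```

After switching to the systemd unit with `User = pi`, all three live checks should report OK once pi is removed from the sudo group and /bin/chvt is returned to root ownership.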
