Title: Creating new users dedicated to processes
Author: Solène
Date: 12 November 2019
Tags: openbsd
Description:
## What this article is about?
For some time I have wanted to share how I manage my personal laptop and systems. I got into the habit of creating a lot of users for just about everything, for security reasons.

Creating a new user is fast: I can connect as this user using doas, or ssh -X if I need an X app, and this prevents some code from stealing data from my main account.

Maybe I went too far this way: I have a dedicated irssi user which is only for running irssi, same with mutt. I also have a user with a stupid name that I can use for testing X apps, and I can wipe the data in its home directory (to try fresh Firefox profiles in case of a ports update, for example).
## How to proceed?

Creating a new user is as easy as these commands (as root):

```sh
# useradd -m newuser
# echo "permit keepenv solene as newuser" >> /etc/doas.conf
```

Then, from my main user, I can do:

```sh
$ doas -u newuser 'mutt'
```

and it will run mutt as this user.

This way, I can easily manage lots of services from packages which don't come with dedicated daemon users.

**For this to be effective, it's important to have a chmod 700 on your main user's home directory, so other users can't browse your files.**
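The three steps above (create the user, add the doas rule, lock down the main home) wrapped into a small script, as an added example that is not part of the original post. It assumes OpenBSD's useradd(8), the doas.conf(5) rule syntax shown above and getent(1); the user names, the `run` argument and the helper names are placeholders chosen for this example. The rule is only appended when it is not already present, so the script can be run again without duplicating lines in /etc/doas.conf, and the home directory check parses `ls -ld` so it does not depend on a particular stat(1) flavour.

```shell
#!/bin/sh
# Added example, not code from the original post: the three steps above
# (useradd, doas rule, chmod 700 on the main home) as idempotent helpers.
# Assumes OpenBSD useradd(8), doas.conf(5) syntax and getent(1); the user
# names and the "run" argument are placeholders chosen for this example.
set -eu

# Build the doas rule used in the post: MAIN may run commands as TARGET,
# keeping its environment (DISPLAY in particular, for X apps).
doas_rule() {
    printf 'permit keepenv %s as %s\n' "$1" "$2"
}

# Append the rule only if that exact line is not already in CONF, so
# running the script twice does not duplicate entries in doas.conf.
add_doas_rule() {
    conf=$1; main=$2; target=$3
    rule=$(doas_rule "$main" "$target")
    if grep -qxF -- "$rule" "$conf" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# Succeed only when DIR is mode 700 (rwx for the owner, nothing for group
# and others), i.e. other local users cannot list or enter it. Parsing
# ls -ld keeps this portable across the stat(1) flavours of OpenBSD and Linux.
home_is_private() {
    perms=$(ls -ld -- "$1" | cut -c2-10)
    [ "$perms" = "rwx------" ]
}

# Whole procedure, to be run as root: create the dedicated user, grant the
# main user doas access to it, and make sure the main home is locked down.
create_dedicated_user() {
    main=$1; target=$2
    useradd -m "$target"
    add_doas_rule /etc/doas.conf "$main" "$target"
    main_home=$(getent passwd "$main" | cut -d: -f6)
    if ! home_is_private "$main_home"; then
        chmod 700 "$main_home"
    fi
    echo "created $target; run programs with: doas -u $target <command>"
}

# Only act when explicitly asked, so sourcing the file for its helpers
# (or running it as an unprivileged user) has no side effects.
if [ "${1:-}" = "run" ]; then
    create_dedicated_user "${2:?main user}" "${3:?new user}"
fi
```

Usage, as root: `sh ./mkuser.sh run solene newuser`. Without the `run` argument the file only defines the helpers, which is handy for checking a home directory with `home_is_private ~solene` before relying on the isolation.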
## Graphical software with dedicated users

It becomes more tricky for graphical software. There are two options there:

- allow another user to use your X session: it will have native performance, but in case of a security issue in the software your whole X session is accessible (recording keys, screenshots, etc.)
- run the software through ssh -X, which restricts the software's X access, but the rendering will be a bit sluggish and not suitable for some uses.

Example of using ssh -X compared to ssh -Y:

```
$ ssh -X foobar@localhost scrot
X Error of failed request:  BadAccess (attempt to access private resource denied)
  Major opcode of failed request:  104 (X_Bell)
  Serial number of failed request:  6
  Current serial number in output stream:  8
$ ssh -Y foobar@localhost scrot
(nothing output but it made a screenshot of the whole X area)
```
## Real world example

On a server I have the following new users running:

- torrents
- idlerpg
- searx
- znc
- minetest
- quake server
- awk cron parsing http

They can have crontabs.

Maybe I use it too much, but it's fine to me.