Title: Creating new users dedicated to processes
Author: Solène
Date: 12 November 2019
Tags: openbsd
Description:
## What this article is about

For some time I have wanted to share how I manage my personal laptop and systems. I got into the habit of creating a lot of users, one for just about everything, for security reasons.

Creating a new user is fast. I can connect as that user using doas, or ssh -X if I need an X application, and this prevents code running as that user from stealing data from my main account.

Maybe I have gone too far this way: I have a dedicated irssi user which only runs irssi, and the same for mutt. I also have a user with a stupid name that I use for testing X applications, and I can wipe the data in its home directory (to try fresh firefox profiles in case of a ports update, for example).
## How to proceed?

Creating a new user is as easy as these commands (as root):

    # useradd -m newuser
    # echo "permit keepenv solene as newuser" >> /etc/doas.conf

Then, from my main user, I can do:

    $ doas -u newuser 'mutt'

and it will run mutt as this user.

This way, I can easily manage lots of services from packages that don't come with dedicated daemon users.

**For this to be effective, it's important to have a chmod 700 on your main user's home directory, so other users can't browse your files.**
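The three steps above (create the user, add the doas rule, lock down the main user's home) collected into reusable shell functions, as an added example that is not part of the original article. It assumes OpenBSD's useradd(8) and doas(1), that homes live under /home, and that `add_process_user` runs as root; the user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the article): helpers for setting up a dedicated
# per-process user as described above. Assumes OpenBSD useradd(8)/doas(1) and
# homes under /home; user names are placeholders.

# Build the doas.conf rule that lets MAIN run commands as NEW.
# keepenv keeps the caller's environment (DISPLAY, TERM, ...), as in the article.
doas_rule() {
    printf 'permit keepenv %s as %s\n' "$1" "$2"
}

# Return 0 if DIR is mode 700 (owner only), 1 otherwise.
# ls(1) is used instead of stat(1) because stat's flags differ between
# OpenBSD (-f) and GNU (-c); the mode string is the same everywhere.
home_is_private() {
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rwx------" ]
}

# Create the dedicated user, register the doas rule once (safe to re-run),
# and make sure the main user's home is not browsable by the new user.
# Must be run as root.
add_process_user() {
    main=$1
    new=$2
    useradd -m "$new"
    rule=$(doas_rule "$main" "$new")
    grep -qxF "$rule" /etc/doas.conf || echo "$rule" >> /etc/doas.conf
    chmod 700 "/home/$main"
    home_is_private "/home/$main" || echo "warning: /home/$main is not 700" >&2
}

# Usage (as root): add_process_user solene newuser
```

The `grep -qxF` guard keeps /etc/doas.conf free of duplicate rules when the function is run again for the same pair, and `home_is_private` is the check to run after any change to the main account's home permissions.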
## Graphical software with dedicated users

It becomes trickier for graphical software. There are two options:

- allow another user to use your X session: it will have native performance, but in case of a security issue in the software your whole X session is accessible (recording keys, screenshots, etc.)
- run the software through ssh -X, which restricts the software's access to X, but the rendering will be a bit sluggish and not suitable for some uses.

Example of using ssh -X compared to ssh -Y:

    $ ssh -X foobar@localhost scrot
    X Error of failed request:  BadAccess (attempt to access private resource denied)
      Major opcode of failed request:  104 (X_Bell)
      Serial number of failed request:  6
      Current serial number in output stream:  8

    $ ssh -Y foobar@localhost scrot
    (nothing output but it made a screenshot of the whole X area)
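The two options above as shell helpers, added here as an example that is not part of the original article. It assumes the dedicated user accepts ssh logins from localhost and that the caller's doas rule uses keepenv (so DISPLAY is passed through); `xhost +SI:localuser:` is one way to grant a local uid access to your X session, which the article leaves unspecified. One caveat the example bakes in: some distributions ship an ssh_config with `ForwardX11Trusted yes`, in which case a plain `ssh -X` behaves like `ssh -Y`; passing `-o ForwardX11Trusted=no` makes the restricted mode explicit instead of relying on the default.

```shell
#!/bin/sh
# Added example (not from the article): run an X program as a dedicated user,
# either with full access to the X session (fast, risky) or through untrusted
# X11 forwarding (restricted, slower). User and program names are placeholders.

# Build the restricted command line. ForwardX11Trusted is forced to "no"
# because some ssh_config defaults set it to "yes", which silently turns
# "ssh -X" into the equivalent of "ssh -Y".
x11_untrusted_cmd() {
    user=$1
    shift
    printf 'ssh -o ForwardX11Trusted=no -X %s@localhost %s\n' "$user" "$*"
}

# Restricted: the program only sees an untrusted display; screenshots or key
# grabbing fail with BadAccess, as in the scrot example above.
run_x11_untrusted() {
    user=$1
    shift
    ssh -o ForwardX11Trusted=no -X "$user@localhost" "$@"
}

# Full access: grant the dedicated user's local uid access to this X session,
# run the program via doas (keepenv passes DISPLAY), then revoke the grant.
# Anything the program does with the X session is possible in this mode.
run_x11_trusted() {
    user=$1
    shift
    xhost "+SI:localuser:$user" >/dev/null
    doas -u "$user" "$@"
    status=$?
    xhost "-SI:localuser:$user" >/dev/null
    return $status
}

# Usage: run_x11_untrusted foobar xterm
#        run_x11_trusted foobar mpv video.mkv
```

`run_x11_trusted` revokes the xhost grant as soon as the program exits, so the window of full session access is limited to the program's lifetime rather than left open for the rest of the session.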
## Real world example

On a server I have the following new users running:

- torrents
- idlerpg
- searx
- znc
- minetest
- quake server
- awk cron parsing http

They can have their own crontabs.

Maybe I use it too much, but it works fine for me.