💾 Archived View for perso.pw › blog › articles › dedicated-users-processes.gmi captured on 2024-02-05 at 10:15:22. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-05-24)
-=-=-=-=-=-=-
For some times I wanted to share how I manage my personal laptop and
systems. I got the habit to create a lot of users for just
everything for security reasons.
Creating a new users is fast, I can connect as this user using doas
or ssh -X if I need a X app and this allows preventing some code to
steal data from my main account.
Maybe I went this way too much, I have a dedicated irssi users which
is only for running irssi, same with mutt. I also have a user with
a stupid name and I can use it for testing X apps and I can wipe
the data in its home directory (to try fresh firefox profiles in
case of ports update for example).
Creating a new user is as easy as this command (as root):
# useradd -m newuser
# echo "permit keepenv solene as newuser" >> /etc/doas.conf
Then, from my main user, I can do:
$ doas -u newuser 'mutt'
and it will run mutt as this user.
This way, I can easily manage lots of services from packages which
don't come with dedicated daemons users.
your main user account, so others users can't browse your files.**
It becomes more tricky for graphical users. There are two options there:
- allow another user to use your X session, it will have native performance but
in case of security issue in the software your whole X session is accessible
(recording keys, screnshots etc...)
- running the software through ssh -X will restricts X access to the software
but the rendering will be a bit sluggish and not suitable for some uses.
Example of using ssh -X compared to ssh -Y:
$ ssh -X foobar@localhost scrot
X Error of failed request: BadAccess (attempt to access private resource denied)
Major opcode of failed request: 104 (X_Bell)
Serial number of failed request: 6
Current serial number in output stream: 8
$ ssh -Y foobar@localhost scrot
(nothing output but it made a screenshot of the whole X area)
On a server I have the following new users running:
- torrents
- idlerpg
- searx
- znc
- minetest
- quake server
- awk cron parsing http
they can have crontabs.
Maybe I use it too much, but it's fine to me.