Creating new users dedicated to processes

• Author: Solène
• Date: 12 November 2019
• Tags: openbsd

NIL## What this article is about ?

For some times I wanted to share how I manage my personal laptop and

systems. I got the habit to create a lot of users for just

everything for security reasons.

Creating a new users is fast, I can connect as this user using doas

or ssh -X if I need a X app and this allows preventing some code to

steal data from my main account.

Maybe I went this way too much, I have a dedicated irssi users which

is only for running irssi, same with mutt. I also have a user with

a stupid name and I can use it for testing X apps and I can wipe

the data in its home directory (to try fresh firefox profiles in

case of ports update for example).

How to proceed?

Creating a new user is as easy as this command (as root):

# useradd -m newuser

# echo "permit keepenv solene as newuser" >> /etc/doas.conf

Then, from my main user, I can do:

$ doas -u newuser 'mutt'

and it will run mutt as this user.

This way, I can easily manage lots of services from packages which

don't come with dedicated daemons users.

• *For this to be effective, it's important to have a chmod 700 on

your main user account, so others users can't browse your files.**

Graphicals software with dedicated users

It becomes more tricky for graphical users. There are two options there:

- allow another user to use your X session, it will have native performance but

in case of security issue in the software your whole X session is accessible

(recording keys, screnshots etc...)

- running the software through ssh -X will restricts X access to the software

but the rendering will be a bit sluggish and not suitable for some uses.

Example of using ssh -X compared to ssh -Y:

$ ssh -X foobar@localhost scrot

X Error of failed request: BadAccess (attempt to access private resource denied)

Major opcode of failed request: 104 (X_Bell)

Serial number of failed request: 6

Current serial number in output stream: 8

$ ssh -Y foobar@localhost scrot

(nothing output but it made a screenshot of the whole X area)

Real world example

On a server I have the following new users running:

- torrents

- idlerpg

- searx

- znc

- minetest

- quake server

- awk cron parsing http

they can have crontabs.

Maybe I use it too much, but it's fine to me.