Title: Creating new users dedicated to processes
       Author: Solène
       Date: 12 November 2019
       Tags: openbsd
       Description: 
       
       ## What is this article about?
       
       For some time I have wanted to share how I manage my personal laptop and
       systems. I got into the habit of creating a lot of users for just
       about everything, for security reasons.
       
       Creating a new user is fast. I can connect as this user using doas
       or ssh -X if I need an X app, and this prevents some code from
       stealing data from my main account.
       
       Maybe I went too far this way: I have a dedicated irssi user which
       is only for running irssi, same with mutt. I also have a user with
       a stupid name that I can use for testing X apps, and I can wipe
       the data in its home directory (to try fresh firefox profiles in
       case of ports update, for example).
       
       
       ## How to proceed?
       
       Creating a new user is as easy as these commands (as root):
       
           # useradd -m newuser
           # echo "permit keepenv solene as newuser" >> /etc/doas.conf
       
       Then, from my main user, I can do:
       
           $ doas -u newuser 'mutt'
       
       and it will run mutt as this user.
       
       This way, I can easily manage lots of services from packages which
       don't come with dedicated daemon users.
       
       **For this to be effective, it's important to have a chmod 700 on
       your main user account's home directory, so other users can't
       browse your files.**
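
A quick audit of the two things this setup depends on, as an added example that is not part of the original article: it lists home directories under a base path that group or other can still access, and the accounts a user may become through explicit `permit ... as` rules in a doas.conf. The function names and the sandbox built in `demo` are constructed for illustration; deny rules and rules without `as` are not evaluated.

```shell
#!/bin/sh
# Added example (not from the article): audit the isolation it relies on.

# home_is_private DIR: succeeds if group and other have no permission bits.
home_is_private() {
    # ls -ld prints e.g. "drwx------"; characters 5-10 are group + other.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# exposed_homes BASE: print each directory directly under BASE that
# accounts other than its owner could list or enter.
exposed_homes() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        d=${d%/}
        home_is_private "$d" || printf '%s\n' "$d"
    done
}

# doas_targets CONF USER: print the accounts USER may become through
# explicit "permit ... USER as TARGET" rules (simplified parsing: deny
# rules and rules without "as" are ignored).
doas_targets() {
    awk -v u="$2" '$1 == "permit" {
        for (i = 3; i < NF; i++)
            if ($i == "as") {
                if ($(i - 1) == u) print $(i + 1)
                break
            }
    }' "$1"
}

# demo: run both checks against a constructed sandbox, not the real system.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/solene" "$t/newuser"
    chmod 700 "$t/newuser"; chmod 755 "$t/solene"   # main home left open
    echo "permit keepenv solene as newuser" > "$t/doas.conf"
    echo "exposed homes:"; exposed_homes "$t"
    echo "solene may become:"; doas_targets "$t/doas.conf" solene
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a real system the same functions can be called as `exposed_homes /home` and `doas_targets /etc/doas.conf solene`.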
       
       
       ## Graphical software with dedicated users
       
       It becomes trickier for graphical software. There are two options
       there:
       
       - allow another user to use your X session: it will have native
         performance, but in case of a security issue in the software your
         whole X session is accessible (recording keys, screenshots, etc.)
       - running the software through ssh -X will restrict X access to the
         software, but the rendering will be a bit sluggish and not suitable
         for some uses.
       
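       Example of using ssh -X compared to ssh -Y (with -Y the forwarding
       is trusted and not subject to the X11 SECURITY extension controls,
       so the remote application gets full access to the display):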
       
           $ ssh -X foobar@localhost scrot
           X Error of failed request:  BadAccess (attempt to access private resource denied)
             Major opcode of failed request:  104 (X_Bell)
             Serial number of failed request:  6
             Current serial number in output stream:  8
       
           $ ssh -Y foobar@localhost scrot
           (no output, but it took a screenshot of the whole X area)
       
       
       ## Real world example
       
       On a server I have the following new users running:
       
       - torrents
       - idlerpg
       - searx
       - znc
       - minetest
       - quake server
       - awk cron parsing http
       
       They can have crontabs.
       
       Maybe I use it too much, but it's fine with me.