Title: Creating new users dedicated to processes
Author: Solène
Date: 12 November 2019
Tags: openbsd
Description:

## What is this article about?

For some time I have wanted to share how I manage my personal laptop and systems. I have got into the habit of creating a lot of users, one for just about everything, for security reasons. Creating a new user is fast, I can connect as that user using doas (or ssh -X if I need an X application), and it prevents code running under one user from stealing data from my main account. Maybe I went too far this way: I have a dedicated irssi user which only runs irssi, and the same for mutt. I also have a user with a stupid name that I use for testing X applications; I can wipe its home directory at any time (to try fresh Firefox profiles after a ports update, for example).

## How to proceed?

Creating a new user is as easy as these two commands (as root):

```
# useradd -m newuser
# echo "permit keepenv solene as newuser" >> /etc/doas.conf
```

Then, from my main user, I can do:

```
$ doas -u newuser mutt
```

and it will run mutt as this user. This way I can easily manage lots of services from packages which don't come with dedicated daemon users.

Note that `keepenv` hands the target user your whole environment (everything except the variables doas resets, such as HOME, USER and PATH). That is what lets DISPLAY reach an X application, but it also means anything sensitive you have exported in your shell is visible to the other user, so leave `keepenv` out of the rule for users that don't need it.

**For this to be effective, it's important to have a chmod 700 on your main user's home directory, so other users can't browse your files.**

## Graphical software with dedicated users

It becomes more tricky for graphical programs. There are two options:

- allow another user to use your X session: it will have native performance, but in case of a security issue in the software your whole X session is accessible (recording keys, screenshots, etc.)
- run the software through ssh -X: untrusted X11 forwarding subjects the client to the X SECURITY extension, which restricts what the program can do on the X server (for instance reading other windows), but rendering will be a bit sluggish and not suitable for some uses.
Example of using ssh -X compared to ssh -Y (trusted forwarding, which is not subject to the SECURITY extension controls):

```
$ ssh -X foobar@localhost scrot
X Error of failed request:  BadAccess (attempt to access private resource denied)
  Major opcode of failed request:  104 (X_Bell)
  Serial number of failed request:  6
  Current serial number in output stream:  8
$ ssh -Y foobar@localhost scrot
```

The second command prints nothing, but it made a screenshot of the whole X area.

One caveat before relying on this: on OpenBSD `ForwardX11Trusted` defaults to `no`, so `-X` really is untrusted, but some other systems ship `ForwardX11Trusted yes` in their `ssh_config`, which makes `-X` behave exactly like `-Y`. Check with `ssh -G foobar@localhost | grep forwardx11trusted` before assuming the sandbox is there.

## Real world example

On a server I have the following new users running:

- torrents
- idlerpg
- searx
- znc
- minetest
- quake server
- awk cron parsing http

They can have crontabs too. Maybe I use it too much, but it's fine to me.
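To tie the whole procedure together, here is an added example script of my own; it is not code from Solène's post. It assumes OpenBSD's user(8), doas(8) and xhost(1), and the function names (`home_of`, `doas_rule`, `ensure_rule`, `mkprocuser`, `run_x_as`) and the `MAIN_USER` default are my own choices. It creates a dedicated user, makes both home directories private, appends the doas rule only once, checks the resulting configuration with `doas -C`, and runs an X program as that user by granting one local uid access with `xhost +si:localuser:` (the fast but exposed option from the section above) and revoking it afterwards.

```shell
#!/bin/sh
# Added example, not from the original post: provision a user dedicated to
# one program, add the doas rule, lock down home directories, and run X
# programs as that user. Assumes OpenBSD user(8), doas(8) and xhost(1);
# the function names and the MAIN_USER default are assumptions.

MAIN_USER="${MAIN_USER:-solene}"          # the interactive account granting access
DOAS_CONF="${DOAS_CONF:-/etc/doas.conf}"

# Home directory of a user, read from /etc/passwd (field 6).
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd
}

# Build the doas.conf line. The post uses "keepenv", which hands the target
# the caller's whole environment (DISPLAY and anything else exported); pass
# an empty second argument for a user that should not see it.
doas_rule() {
    target=$1
    opts=${2-keepenv}
    if [ -n "$opts" ]; then
        printf 'permit %s %s as %s\n' "$opts" "$MAIN_USER" "$target"
    else
        printf 'permit %s as %s\n' "$MAIN_USER" "$target"
    fi
}

# Append a rule only if that exact line is not already present, so running
# the script twice does not duplicate rules.
ensure_rule() {
    rule=$1
    conf=$2
    [ -f "$conf" ] || : > "$conf"
    grep -Fxq -- "$rule" "$conf" && return 0
    printf '%s\n' "$rule" >> "$conf"
}

# Root only: create the user, make both homes private, add and check the rule.
mkprocuser() {
    target=$1
    [ "$(id -u)" -eq 0 ] || { echo "mkprocuser: must run as root" >&2; return 1; }
    id "$target" >/dev/null 2>&1 || useradd -m "$target" || return 1
    # The post's key requirement: nobody else may browse either home.
    chmod 700 "$(home_of "$MAIN_USER")" "$(home_of "$target")"
    ensure_rule "$(doas_rule "$target")" "$DOAS_CONF"
    # doas -C parses the file and prints permit/deny for the given command,
    # so a syntax error shows up here rather than at the next doas call.
    doas -C "$DOAS_CONF" -u "$target" true
}

# Run an X program as TARGET with full access to the local X server (fast,
# but the program can see the whole session). +si:localuser: grants access
# to one local uid instead of everybody, and it is revoked when the program
# exits. Relies on the keepenv rule so DISPLAY reaches the target user.
run_x_as() {
    target=$1; shift
    xhost +si:localuser:"$target" >/dev/null || return 1
    doas -u "$target" "$@"
    rc=$?
    xhost -si:localuser:"$target" >/dev/null
    return $rc
}

# Usage (first line as root, the rest from the main user):
#   mkprocuser mutt        && doas -u mutt mutt
#   mkprocuser browsertest && run_x_as browsertest firefox
```

For the sandboxed alternative, keep using `ssh -X browsertest@localhost firefox` instead of `run_x_as`; the script only automates the trusted path because that is the one with a grant to remember to revoke.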