[talk] Using separate users for different programs

Thomas Levine _ at thomaslevine.com
Thu Feb 22 15:17:00 EST 2018

Not trusting myself to verify the correctness and authenticity of stuff
that I download from the internet, I have been running some programs as
separate users with doas.

For example, I have an "r" user for running R, and I have configured
things so that when I type "R" I execute R as the "r" user rather than
my normal "tlevine" user. This way, I can install lots and lots of
R packages and not worry that one of them might accidentally delete
something important belonging to tlevine. I do the same thing for a Perl
program with lots of dependencies. And of course I do something like
this for web applications, but with Apache. I think this makes sense for
anything complicated or anything that you don't trust.

Are there already tools for creating dedicated users for particular
applications? It is very easy to edit doas.conf and write wrappers,
but I would wrap far more programs this way if it were easy.

I know of many systems that create separate environments in separate
directories, such as Nix and pretty much every package manager specific
to a particular programming language (npm, &c.) but none that make
separate users.

More information about the talk mailing list