[talk] Using separate users for different programs

Okan Demirmen okan at demirmen.com
Fri Feb 23 10:05:11 EST 2018

On Thu, Feb 22, 2018 at 3:17 PM, Thomas Levine <_ at thomaslevine.com> wrote:
> Not trusting myself to verify the correctness and authenticity of stuff
> that I download from the internet, I have been running some programs as
> separate users with doas.
> For example, I have an "r" user for running R, and I have configured
> things so that when I type "R" I execute R as the "r" user rather than
> my normal "tlevine" user. This way, I can install lots and lots of
> R packages and not worry that one of them might accidentally delete
> something important belonging to tlevine. I do the same thing for a Perl
> program with lots of dependencies. And of course I do something like
> this for web applications, but with Apache. I think this makes sense for
> anything complicated or anything that you don't trust.
> Are there already tools for creating dedicated users for particular
> applications? It is very easy to edit doas.conf and write wrappers,
> but I would wrap far more programs this way if it were easy.
> I know of many systems that create separate environments in separate
> directories, such as Nix and pretty much every package manager specific
> to a particular programming language (npm, &c.) but none that make
> separate users.

You're not alone; I used to use systrace until it because unusable
(and now gone). I have a couple of wrappers that just work for me.
Basically for local X apps, import the relevant xauth bits, set
DISPLAY and if needed, access to drm. Other stuff is of course easier
and dependent on what the software needs. I don't know of tools that
do this, because I do thing each app is different.

Yeah, privilege separation is pretty much the well known way to go
now; heck, not only traditional "services/servers", even file(1) is
separated because, well, it acts on dangerous stuff. Similarly,
fetching distfiles in ports uses a separate user, as does building,
packaging, etc, right along with building base src even.

but watch this space....

More information about the talk mailing list