
Creating new users dedicated to processes


Author: Solène

Date: 12 November 2019

Tags: openbsd


## What this article is about?


For some time I have wanted to share how I manage my personal laptop and systems. I got into the habit of creating a lot of users for just about everything, for security reasons.


Creating a new user is fast, I can connect as this user using doas or ssh -X if I need an X app, and this helps prevent some code from stealing data from my main account.


Maybe I went too far this way: I have a dedicated irssi user which only runs irssi, and the same for mutt. I also have a user with a stupid name that I use for testing X apps, and I can wipe the data in its home directory (to try fresh firefox profiles in case of a ports update, for example).


## How to proceed?


Creating a new user is as easy as these two commands (as root):

```
useradd -m newuser
echo "permit keepenv solene as newuser" >> /etc/doas.conf
```


Then, from my main user, I can do:

```
$ doas -u newuser 'mutt'
```

and it will run mutt as this user.


This way, I can easily manage lots of services from packages which don't come with dedicated daemon users.


**For this to be effective, it's important to have a chmod 700 on your main user's home directory, so other users can't browse your files.**
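As an added example (not from the original post), here is a small POSIX sh helper that scripts the steps above so they can be re-run safely: it refuses to grant doas access while the main user's home is still browsable by others, creates the user only if it is missing, and appends the doas rule only if that exact line is not already there. It assumes OpenBSD defaults (useradd -m, /etc/doas.conf, getent(1) in base); the `setup` argument convention and function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helper for the
# "one user per process" setup. Assumes OpenBSD defaults (useradd -m,
# /etc/doas.conf, getent(1)); useradd only runs via setup_process_user.
set -eu

DOAS_CONF="${DOAS_CONF:-/etc/doas.conf}"   # overridable so tests never touch /etc

# The doas rule from the post: MAIN may become APPUSER, keeping its environment.
doas_rule() {
    printf 'permit keepenv %s as %s\n' "$1" "$2"
}

# Append the rule to CONF only if that exact line is absent, so re-running the
# setup never duplicates it. Returns 0 when added, 1 when already present.
add_doas_rule() {
    conf=$1 main=$2 app=$3
    rule=$(doas_rule "$main" "$app")
    if [ -f "$conf" ] && grep -qxF -- "$rule" "$conf"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$conf"
}

# True only when DIR grants nothing to group and others: the chmod 700 the
# post insists on, otherwise the new user can browse MAIN's home.
home_is_private() {
    case $(ls -ld -- "$1" | cut -c1-10) in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Refuse to hand out doas access while MAIN's home is still group/world
# readable, then create APPUSER (if missing) and grant the rule.
setup_process_user() {
    main=$1 app=$2
    main_home=$(getent passwd "$main" | cut -d: -f6)
    if ! home_is_private "$main_home"; then
        echo "refusing: $main_home is browsable by other users; chmod 700 it first" >&2
        return 1
    fi
    id "$app" >/dev/null 2>&1 || useradd -m "$app"
    add_doas_rule "$DOAS_CONF" "$main" "$app" || echo "rule already present" >&2
}

# Usage (as root): sh this_script.sh setup solene mutt
if [ "${1:-}" = "setup" ] && [ $# -eq 3 ]; then
    setup_process_user "$2" "$3"
fi
```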



## Graphical software with dedicated users


It becomes more tricky for graphical software. There are two options there:

- allow another user to use your X session: it will have native performance, but in case of a security issue in the software your whole X session is accessible (recording keys, screenshots, etc.)
- run the software through ssh -X: this restricts X access to the software, but the rendering will be a bit sluggish and not suitable for some uses.


Example of using ssh -X compared to ssh -Y:

```
$ ssh -X foobar@localhost scrot
X Error of failed request: BadAccess (attempt to access private resource denied)
  Major opcode of failed request: 104 (X_Bell)
  Serial number of failed request: 6
  Current serial number in output stream: 8

$ ssh -Y foobar@localhost scrot
(nothing output but it made a screenshot of the whole X area)
```



## Real world example


On a server I have the following new users running:

- torrents
- idlerpg
- searx
- znc
- minetest
- quake server
- awk cron parsing http

Each of them can have its own crontab.


Maybe I use it too much, but it's fine to me.
