Program isolation with doas

Through the doas(1) utility we can easily execute a program as a user solely responsible for running that program. This can help isolate a program from the rest of the system, and reduce the risk to the main account that is using the program.

step 1: add user

The first step is to create a user. We will create a _weechat user that's responsible for running the weechat program:

# Add user
# This command targets FreeBSD
pw useradd \
   -n _weechat \
   -d /home/_weechat \
   -M u=rwx,g=rx,o= \
   -s /sbin/nologin \
   -m \
   -c "Runs the weechat program"

step 2: doas.conf

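The second step is to allow the main account (which we will call main) to execute the weechat program as the _weechat user. This can be done by updating doas.conf(5). In the rule below, nopass skips the password prompt, and the trailing args keyword with nothing after it means weechat must be run without any arguments: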

# Permit the 'main' user to run weechat as '_weechat'
permit nopass main as _weechat cmd /usr/local/bin/weechat args

step 3: launch program

The third and final step is to log in with the main account, and execute weechat as the '_weechat' user:

# Launch weechat as the _weechat user
$ doas -u _weechat /usr/local/bin/weechat
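
The rule in step 2 is tight because it names a target user, an absolute command path and args. As an added example (not part of the original page), the following sh function lists the permit nopass rules in a doas.conf that omit one of those restrictions; the function names, finding labels and sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag loose "permit nopass" rules.
# Reads doas.conf text on stdin and prints "<line>: <findings>" per loose rule.
# Simplification: "#" always starts a comment; quoted strings are not parsed.
audit_doas_nopass() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    NF == 0 || $1 != "permit" { next }      # only permit rules grant access
    {
        nopass = 0; target = ""; cmd = ""; args = 0; inenv = 0
        for (i = 2; i <= NF; i++) {
            if (inenv) { if ($i ~ /[}]/) inenv = 0; continue }  # skip setenv { ... }
            if ($i == "setenv") { inenv = 1; continue }
            if ($i == "nopass")    nopass = 1
            else if ($i == "as")   target = $(++i)
            else if ($i == "cmd")  cmd = $(++i)
            else if ($i == "args") { args = 1; break }
        }
        if (!nopass) next
        f = ""
        if (target == "") f = f ",any-target"       # no "as": any target user, root included
        if (cmd == "")    f = f ",any-command"      # no "cmd": every command allowed
        else {
            if (cmd !~ /^\//) f = f ",relative-cmd" # resolved through a PATH search
            if (!args)        f = f ",any-args"     # no "args": arguments unchecked
        }
        if (f != "") print NR ": " substr(f, 2)
    }'
}

# Constructed sample configuration; line 2 is the rule from step 2.
sample_conf() {
    cat <<'EOF'
# constructed sample doas.conf
permit nopass main as _weechat cmd /usr/local/bin/weechat args
permit nopass main as _weechat cmd /usr/local/bin/weechat
permit nopass main
permit persist :wheel
permit nopass main as _weechat cmd weechat args
EOF
}

sample_conf | audit_doas_nopass
```

On a real system the function can be fed the live file, for example `audit_doas_nopass < /usr/local/etc/doas.conf` on FreeBSD when doas is installed from ports.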