Program isolation with doas
This post presents a few simple steps that can effectively isolate the execution of a program from your "main" user account by using the doas(1) utility and a separate user account.
The doas(1) utility from the OpenBSD project allows one user to execute a command as another user. There are multiple doas(1) ports to choose from on platforms other than OpenBSD.
useradd
The first step is to create a user whose sole responsibility will be the execution of a specific program. For the purposes of this post we will choose the weechat program, and we will create a user with the weechat username:
# FreeBSD: add user
root@localhost# pw useradd \
-n weechat \
-d /home/weechat \
-M 750 \
-s /sbin/nologin \
-m \
-c "Runs the weechat program"
# OpenBSD: add user
root@localhost# useradd \
-d /home/weechat \
-s /sbin/nologin \
-m \
-v \
weechat
root@localhost# chmod 750 /home/weechat
doas.conf
The second step is to permit the main user account to execute the weechat program as the weechat user. This can be done by updating doas.conf(5). On OpenBSD, doas.conf(5) can be found at /etc/doas.conf, and on FreeBSD it can be found at /usr/local/etc/doas.conf:
# Permit the 'main' user to run the 'weechat' program as the 'weechat' user
# Do not require a password (nopass)
# The bare 'args' keyword means weechat must be started without any arguments
permit nopass main as weechat cmd /usr/local/bin/weechat args
doas
The third and final step is to log in with the main user account, and execute weechat as the weechat user via the doas(1) utility:
# Launch weechat as the 'weechat' user
main@localhost$ doas -u weechat /usr/local/bin/weechat
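
The doas.conf rule from the second step is narrow in three ways: "as weechat" fixes the target user, "cmd" with an absolute path fixes the program, and the bare "args" keyword rejects any arguments. The shell function below is an added example, not part of the original post, that flags nopass rules which drop one of those restrictions. The function name audit_doas_conf and the sample rules are constructed for illustration, and it assumes one rule per line:

```shell
#!/bin/sh
# Added example (not from the original post). audit_doas_conf is a
# hypothetical helper name. Assumes one rule per line, no continuations.
audit_doas_conf() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; bad = 1 }
    {
        sub(/#.*/, "")                      # drop comments
        if ($1 != "permit") next            # only permit rules grant access
        nopass = 0; target = ""; cmd = ""; has_args = 0; in_env = 0
        for (i = 2; i <= NF; i++) {
            if (in_env) { if (index($i, "}")) in_env = 0; continue }
            if ($i == "setenv") in_env = 1  # skip the { ... } list
            else if ($i == "nopass") nopass = 1
            else if ($i == "as") target = $(++i)
            else if ($i == "cmd") cmd = $(++i)
            else if ($i == "args") { has_args = 1; break }
        }
        if (!nopass) next                   # password-protected rules pass
        if (target == "") report("no as target: may run as any user")
        if (cmd == "") report("no cmd: any command is allowed")
        else {
            if (cmd !~ /^\//) report("cmd " cmd " is not an absolute path")
            if (!has_args) report("cmd " cmd " has no args: any arguments accepted")
        }
    }
    END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample: line 1 is the rule from this post, lines 2-4 weaken it.
audit_doas_conf <<'EOF' || echo "findings listed above"
permit nopass main as weechat cmd /usr/local/bin/weechat args
permit nopass main as weechat cmd /usr/local/bin/weechat
permit nopass main cmd weechat args
permit nopass main as weechat
EOF
```

Pass a path such as /etc/doas.conf or /usr/local/etc/doas.conf as the first argument to check a real file; the exit status is non-zero when any rule is flagged.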