Program isolation with doas
This post presents a few simple steps that can effectively isolate the execution of a program from your "main" user account by using the doas(1) utility and a separate user account.
The doas(1) utility from the OpenBSD project allows one user to execute a command as another user. There are multiple doas(1) ports to choose from on platforms other than OpenBSD.
useradd
The first step is to create a user whose sole responsibility will be the execution of a specific program. For the purposes of this post we will choose the weechat program, and we will create a user with the weechat username:
##
# FreeBSD: add user
root@localhost# pw useradd \
-n weechat \
-d /home/weechat \
-M u=rwx,g=rx,o= \
-s /sbin/nologin \
-m \
-c "Runs the weechat program"
##
# OpenBSD: add user
root@localhost# useradd \
-d /home/weechat \
-s /sbin/nologin \
-m \
-v \
weechat
root@localhost# chmod u=rwx,g=rx,o= /home/weechat
doas.conf
The second step is to permit the main user account to execute the weechat program as the weechat user. This can be done by updating doas.conf(5). On OpenBSD, doas.conf(5) can be found at /etc/doas.conf, and on FreeBSD it can be found at /usr/local/etc/doas.conf:
##
# Permit the 'main' user to run the 'weechat' program as
# the 'weechat' user
permit nopass main as weechat cmd /usr/local/bin/weechat args
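The rule above is narrow because it names a target user with "as", gives "cmd" as an absolute path, and ends with a bare "args", which per doas.conf(5) means the command must be run without any arguments. The following shell function is an added example, not part of the original post or of doas itself; lint_doas_rule is a hypothetical name, and it flags rules that drop any of those three properties:

```shell
#!/bin/sh
# Added example, not from the original post: lint one doas.conf(5) rule of the
# form  permit|deny [options] identity [as target] [cmd command [args ...]].
# Prints one finding per line, or "ok". "setenv { ... }" options are not parsed.
lint_doas_rule() {
    set -f; set -- $1; set +f               # split into words without globbing
    action=${1:-}; target="any user"; cmd=; args=unset; findings=
    if [ $# -gt 0 ]; then shift; fi
    while [ $# -gt 0 ]; do                  # skip options before the identity
        case $1 in nopass|nolog|persist|keepenv) shift ;; *) break ;; esac
    done
    if [ $# -gt 0 ]; then shift; fi         # drop the identity (user or :group)
    if [ $# -ge 2 ] && [ "$1" = as ];  then target=$2; shift 2; fi
    if [ $# -ge 2 ] && [ "$1" = cmd ]; then cmd=$2;    shift 2; fi
    if [ $# -ge 1 ] && [ "$1" = args ]; then args=set; fi
    if [ "$action" != permit ]; then echo "ok"; return 0; fi
    nl='
'
    case $target in                         # no "as" means every target user
        "any user"|root) findings="target is $target, not a dedicated account$nl" ;;
    esac
    case $cmd in
        "") findings="${findings}no cmd: any command may be run as the target$nl" ;;
        /*) if [ "$args" = unset ]; then
                findings="${findings}no args: the caller chooses the arguments$nl"
            fi ;;
        *)  findings="${findings}cmd is not an absolute path$nl" ;;
    esac
    if [ -z "$findings" ]; then echo "ok"; else printf '%s' "$findings"; fi
    return 0
}

# Constructed sample rules; the first one is the rule from this post.
lint_doas_rule "permit nopass main as weechat cmd /usr/local/bin/weechat args"
lint_doas_rule "permit nopass main as weechat cmd /usr/local/bin/weechat"
lint_doas_rule "permit nopass main as weechat"
lint_doas_rule "permit main cmd weechat args"
```
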
doas
The third and final step is to log in with the main user account and execute weechat as the weechat user via doas(1). At this point we could repeat these steps for a different program, maybe Firefox?
##
# Launch weechat as the 'weechat' user
main@localhost$ doas -u weechat /usr/local/bin/weechat