Trusted Users
Tip
An unprivileged user can now run appjail without running appjail-user, and this is the recommended way. Much of the following explanation still applies.
When you share a server with co-workers or when you are the only person using a laptop, it is probably worth using AppJail without accessing the root account. AppJail has a simple but useful wrapper for such users named appjail-user.
appjail-user uses RUNAS to execute AppJail commands as root. You can set it in the AppJail configuration file to whatever you prefer, such as sudo or doas. Of course, you need to install one of them first. I recommend using security/doas because it is simple and secure.
The only rule required in your doas.conf(5) file is:
permit nopass :appjail as root cmd appjail
# If you plan to use x11 applications, it is probably necessary to pass `keepenv`:
#permit nopass keepenv :appjail as root cmd appjail
If you want, you can remove nopass to require a password. This rule also assumes that you have a group named appjail. If you don't, create it:
pw groupadd -n appjail
To add your user to the appjail group, simply run the following:
pw groupmod -n appjail -m "$USER"
where $USER is your user. If you are adding yourself, you must log out and back in for the change to take effect.
Now, any user that is in that group can run appjail-user as the administrator runs appjail:
$ appjail-user jail list
Similarly, there is a variant for appjail-config named appjail-config-user. The instructions for using it are similar to the above:
permit nopass :appjail as root cmd appjail-config
Now, any user that is in that group can run appjail-config-user as the administrator runs appjail-config:
$ appjail-config-user set -j myjail devfs_ruleset=15
Of course, unlike appjail, appjail-config does not require privileges for simple tasks like reading templates, but it does require privileges for writing them.
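
Because the rules above let every member of the appjail group run appjail and appjail-config as root, it is worth reviewing what a doas.conf actually grants to that group. The following is an added example, not part of AppJail or its documentation: it lists each permit rule for the group with its command and the nopass/keepenv options, and marks rules that have no cmd restriction. The function names and the sample configuration are constructed for illustration, and the parser assumes one rule per line.

```sh
#!/bin/sh
# Added example: list what doas.conf grants to one group (default: appjail).
# Output per matching permit rule: "<line> <cmd> <options>"
#   cmd "*"  = rule has no cmd restriction (flagged as anycmd)
#   options  = nopass / keepenv / anycmd, or "-" when none apply
# Assumption: one rule per line, as in the rules shown on this page.

audit_appjail_rules() {
    awk -v grp=":${1:-appjail}" '
    {
        sub(/#.*/, "")                      # drop comments, incl. disabled rules
        if ($1 != "permit") next            # only permit rules grant access
        ident = ""; cmd = "*"; opts = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "setenv") {           # skip the setenv { ... } block
                while (i < NF && $i !~ /[}]$/) i++
                continue
            }
            if ($i == "nopass" || $i == "keepenv") {
                opts = opts (opts == "" ? "" : ",") $i
                continue
            }
            if ($i == "persist" || $i == "nolog") continue
            if ($i == "as") { i++; continue }   # skip the target user
            if ($i == "cmd") { cmd = $(i + 1); break }
            if (ident == "") ident = $i         # first remaining word: identity
        }
        if (ident != grp) next
        if (cmd == "*") opts = opts (opts == "" ? "" : ",") "anycmd"
        print NR, cmd, (opts == "" ? "-" : opts)
    }'
}

# Constructed sample configuration (not taken from a real system).
sample_doas_conf() {
    cat <<'EOF'
# constructed sample
permit nopass :appjail as root cmd appjail
#permit nopass keepenv :appjail as root cmd appjail
permit :appjail as root cmd appjail-config
permit nopass keepenv :appjail as root
permit persist :wheel
EOF
}

sample_doas_conf | audit_appjail_rules appjail
```

To check a real system, feed the function your own doas.conf on standard input instead of the sample.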