I’m just using my server for myself. I have a few apps installed. Should I create one user for each app in order to protect myself if one of the apps gets compromised? Is someone else with some measure of security concern doing this?
My worry is that if for example the mobile client of my feed reader stores my password in an unsafe way, it can be obtained and the intruder can log into my Nextcloud account. Is this a reasonable worry? I’m figuring that it’s a low-cost thing to do to create a few users. But I might be wrong. Would I have trouble with file permissions? I’m not sure if Yunohost users in the SSO is different from ordinary Linux system users.
Yes, you are right: your account security in this case (an app storing your account password in cleartext) is bound to your smartphone (app) security.
If you think it could be a problem for you, you can create several YunoHost users. YunoHost users are stored in LDAP, and they are considered as Unix users thanks to the nslcd service.
Another way: some apps (like Nextcloud) support creating additional users outside the LDAP database. And in the case of Nextcloud you can configure a password per client app.
Note: if you are concerned about targeted attacks, YunoHost's security could be insufficient.
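The reply above says that LDAP-backed YunoHost users are seen as ordinary Unix users through nslcd. The shell snippet below is an added example for checking that on a box, not something from this thread or from the YunoHost project: it parses an nsswitch.conf-style file (a constructed sample is embedded so it runs offline) to confirm the `passwd` database consults `ldap`, and then reports which of a list of usernames fail to resolve through `getent`. Before trusting per-user file permissions to isolate apps, a self-hoster would want both checks to pass on the real `/etc/nsswitch.conf`.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Assumes a glibc system with
# awk and getent available (true on a Debian-based YunoHost install).

# nss_has_ldap FILE DATABASE
# Exit 0 if the given NSS database line (e.g. "passwd:") lists "ldap"
# among its sources, 1 otherwise.
nss_has_ldap() {
    awk -v db="$2" '
        $1 == db ":" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit !found }
    ' "$1"
}

# list_unresolved USER...
# Print every username that the system's name service (files, LDAP via
# nslcd, ...) cannot resolve. A per-app user that shows up here would not
# own files or run services as a Unix identity.
list_unresolved() {
    for u in "$@"; do
        getent passwd "$u" >/dev/null 2>&1 || printf '%s\n' "$u"
    done
}

# Constructed sample nsswitch.conf, used only so this runs without touching
# the real /etc/nsswitch.conf. Replace SAMPLE_NSS with /etc/nsswitch.conf
# to audit a live host.
SAMPLE_NSS="$(mktemp)"
cat > "$SAMPLE_NSS" <<'EOF'
passwd:         files systemd ldap
group:          files systemd ldap
shadow:         files ldap
hosts:          files dns
EOF

if nss_has_ldap "$SAMPLE_NSS" passwd; then
    echo "passwd lookups include ldap: LDAP users will appear as Unix users"
else
    echo "passwd lookups do NOT include ldap: LDAP users are invisible to the OS"
fi

# Hypothetical per-app usernames; on a real host list the ones you created.
for missing in $(list_unresolved alice-feeds alice-cloud); do
    echo "not resolvable on this host: $missing"
done

rm -f "$SAMPLE_NSS"
```

Run it as-is to see the logic on the sample file, then point `SAMPLE_NSS` at `/etc/nsswitch.conf` and the user list at your real per-app accounts; `ls -ld /home/*` afterwards shows whether each account's files are actually owned by that account rather than shared.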
Thank you for the reply. Regarding that last note: isn't YunoHost safer than trying to self-host with general-purpose Linux distros? I mean, it comes with a lot of the security stuff preconfigured, like fail2ban. Are there any aspects where it's less safe than other distros? I can imagine that the yunohost-api is, but I have disabled it as recommended in the security recommendations.