by anttiok 3915 days ago
(author. thanks for the kind words).

I think desktop-style devices are going more in the direction of being personal. And where they aren't, probably in the majority of cases you don't want the OS to mediate access poorly. I'm not saying that there aren't any counterexamples, though.

What you say about running processes "on behalf of you" is really quite interesting. There is no reason you should trust the application programmer to get it right, yet that's what the OS currently gives -- you can run your db as user "db" and httpd as user "httpd", but it doesn't do much good in terms of the actual user. So, some radical thinking is required. The editor of ;login: actually tried to point me in the direction you mention when we were working on the article, but I couldn't formulate clear enough thoughts on the subject to include in the article. Maybe someone else here has already thought about it and can put it into writing?


> I think desktop-style devices are going more in the direction of being personal.

For many people you're probably right. I do think that there's tremendous value in segmenting out one's various personæ. There's no particularly good reason why I should give a binary game blob access to the same user data that contains my financial data, passwords &c.

A finer-grained system would be nice, no doubt, but OS users are pretty time-tested.

> Maybe someone else here has already thought about it and can put it into writing?

Well, in principle capabilities systems can do a lot of this already. As myself, I can give a capability to a server, and it can use that capability to execute work on my behalf; once I've received the result, I can (presumably) revoke that capability. Capabilities can even be used to implement filesystems: my process might have a filesystem root capability, which permits it to see a single directory, which is itself a list of capabilities to directories and files, &c. Pretty neat stuff.

There's been some interesting work with capabilities done in EROS, its successor Coyotos & Tahoe-LAFS.

I skimmed your thesis—really interesting work!
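The delegation-and-revocation scheme described in this comment (a directory that is itself a list of capabilities, a server doing work on the user's behalf, the capability revoked afterwards), as an added Python example that is not part of the thread; the class and function names are constructed for illustration, and the revocable forwarder is the classic "caretaker" pattern from the capability literature:

```python
# Added example (not from the thread): a toy object-capability filesystem where a
# directory is a map of names to capabilities, and delegation goes through a
# revocable forwarder ("caretaker") that the grantor can cancel once the work is done.
class RevokedError(PermissionError): pass

class FileCap:                        # capability to one file's contents
    def __init__(self, contents): self._contents = contents
    def read(self): return self._contents

class DirCap:                         # capability to a directory: name -> cap
    def __init__(self, entries): self._entries = dict(entries)   # no parent link
    def names(self): return sorted(self._entries)
    def lookup(self, name): return self._entries[name]

class Caretaker:                      # forwarder; all copies share one flag
    def __init__(self, target, flag):
        self._target, self._flag = target, flag
    def __getattr__(self, attr):
        if self._flag["revoked"]:
            raise RevokedError("capability revoked")
        value = getattr(self._target, attr)
        if attr == "lookup":          # membrane: caps reached through the forwarder
            return lambda name: Caretaker(value(name), self._flag)
        return value                  # are forwarded too, so they die with it

def delegate(cap):                    # -> (cap to hand out, revoke() kept by grantor)
    flag = {"revoked": False}
    def revoke(): flag["revoked"] = True
    return Caretaker(cap, flag), revoke

def total_bytes(root):                # a "server" working with only what it holds
    total = 0
    for name in root.names():
        entry = root.lookup(name)
        total += len(entry.read()) if hasattr(entry, "read") else total_bytes(entry)
    return total

def is_revoked(use):
    try:
        use(); return False
    except RevokedError:
        return True

def demo():                           # constructed sample tree, nothing on disk
    home = DirCap({"notes.txt": FileCap("hello"),
                   "work": DirCap({"plan.md": FileCap("abcdef")})})
    grant, revoke = delegate(home)    # server gets 'home' and nothing above it
    before = total_bytes(grant)       # 5 + 6 = 11
    stashed = grant.lookup("work")    # server keeps a sub-capability around
    revoke()
    return before, is_revoked(lambda: total_bytes(grant)), is_revoked(lambda: stashed.names())
```

Because sub-capabilities obtained through the forwarder are themselves forwarded, revoking the root also kills anything the server stashed; without that membrane the stashed `work` capability would survive revocation.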

> A finer-grained system would be nice, no doubt, but OS users are pretty time-tested.

Mmmhmm. From what I understand, Android runs each Android application on the system as its own user and handles application permissions by making each permission its own group. Linux's user isolation is pretty good.

Other than lack of manpower and lack of interest, there's no reason why a Linux distro couldn't put in the medium-to-large amount of work it would take to make wrappers to do similar things for their most popular Linux applications. :)

Anyone who's ever nervously handed their kid their phone so the kid could play Angry Birds for a bit can tell you why Android's method of handling users isn't perfect.

That's why it's great that Android supports multiple users on a phone. Setting up a guest user is easy, and setting up a dedicated user is only slightly less so.

I'm not sure what software level protections can stop your phone from being dropped down the stairs.

Fair enough, but I was more referring to "changing my wallpaper and rearranging my widgets" kind of stuff.

You misunderstand. Android users are different from Linux users. :)

Android runs Android applications each as a different Linux user.

The folks at genode.org are also relying on capabilities for the system. Maybe they have some ideas on how to relate it to application/service programming, and more importantly, how to get from current reality to "good enough"?

I think the last two paragraphs of "Conclusions" are the most interesting part of the thesis.

I think the confusing thing is that in a typical unix system we have the same separation for users of processes and users of the physical device. In the physical world, maybe the user abstraction should be something physical? Maybe the OS should not handle physical users, but instead every physical user brings their own storage area protected by symmetric encryption (either in the form of a USB/memory stick or a separate partition on a hard drive)? That would be a concept that would more closely resemble how we think of personal belongings in the real world. Just like I can share an electric toothbrush but I bring my own brush head.