by ccouzens 1315 days ago
Sudo feels like a broken concept to me because it's there to protect the machine and other users.

But these days many computers are only used by one user.

Everything I care about on my computer is readable by my user and a program running as my user could put fake binaries in my path.

This is why the concept of "granular permissions" is so important on modern PCs, and I personally think Linux is severely lacking in this regard.

Flatpak et al. have improved this situation somewhat, but come with their own drawbacks. Linux needs a central application-level permission system like Android, where I can grant/revoke e.g. internet access to applications. Frankly, I should never have to use sudo to install anything in my daily life; that is unfortunately not the case with the common Ubuntu install, and will probably stay this way for a long time.

Yeah, for the most part today any user who is logged in is somebody I trust with the machine. What needs to be restricted is what _applications_ can do.

My browser shouldn’t ever be allowed to write to /etc/shadow regardless of whether it’s running as root or not. AppArmor gets us part of the way there, but the UI to make everything play nice is too difficult.

Android’s security model makes a lot of sense to me, and from what I understand it’s all based on top of normal UNIX user/group privileges, just with per-app users/groups. I’d like to see more desktop distros experiment with it.

Could you have a system where each capability has its own group, and each executable has capabilities represented by their group memberships? Then it would be easy to build a UI on top of those groups to manage fine-grained permissions.

For desktop use, sudo lets you elevate your permissions as necessary (polkit kinda replaces some sudo stuff, but similar concept). The reason you want this is that when you run anything, it will _by default_ run as your unprivileged user, not root. That is a huge security benefit and pretty standard across desktop OSes these days.

Now on a server, sudo for a single user probably doesn't make sense, just use root and keep it simple.

> That is a huge security benefit and pretty standard across desktop OS these days.

But is it really though? That's what the parent was alluding to.

I have the same feelings - all my important data are readable/writeable as my user. If I somehow manage to run a malicious program as my normal user, it's game over as far as I'm concerned; having root would cause no extra damage.

Root access can be more insidious, like adding a crypto miner in the background or some other kind of virus masquerading as a system process. Your data would still be there, just silently being exfiltrated, along with your keystrokes/passwords.

Are you suggesting running everything as root?

As in when you set up a new VM or whatnot, that you shouldn't create a user account to run things as?

Does this include things like nginx not dropping privileges to run as a user?

With just one user managing the server, for sysadmin tasks like SSH, use root, especially if you're going to sudo everything you do anyways. For services, they should still run as unprivileged users.

A - I have access to quite a few *nix servers, where multiple login users and/or services with distinct UIDs are a thing.

B - Not sure how practical most of this is yet, but there's cool stuff around isolating individual programs even on single-user machines.

C - My desktop has a couple things that listen on the network, and it's nice that they only have access to specific things.

Well, kinda. For user, sure, but we could definitely get some security from having more granular permission for apps that the user runs (without going into extremes like Qubes OS).

For example, a sound daemon like pulseaudio runs as your user (...for some reason, fucking Lennart) but it really should not have write access to anything aside from its own config, and for 99,99% of users also should not have access to read anything your user owns aside from its own config.

Even browsers should probably be limited, or the user should at least get a prompt; there is little reason to allow the browser to dig around your system willy-nilly, let alone in locations like ~/.ssh.

To be fair, it's the permission model that hasn't kept up with use cases. On a multiuser system sudo makes a lot of sense.
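An added example, not from the thread, of what the application-level restriction discussed in the AppArmor comment above and in this post looks like in practice: an AppArmor profile under which a browser cannot read ~/.ssh or touch /etc/shadow whichever user it runs as, because AppArmor decides on the confined program, not the uid. The binary path /usr/lib/firefox/firefox and the allowed directories are assumptions, and a real browser profile needs further allow rules (display, audio, GPU) that are left out here.

```apparmor
# Added example profile (not part of the original discussion).
# Assumed binary path: /usr/lib/firefox/firefox.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>

  # Networking is the browser's job, so it is granted explicitly.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Program and shared data: read (and mmap-execute) only, never write.
  /usr/lib/firefox/firefox ix,
  /usr/lib/firefox/** mr,
  /usr/share/** r,

  # Per-user state it legitimately needs (assumed directories).
  # "owner" restricts the rule to files owned by the process's uid.
  owner @{HOME}/.mozilla/** rwk,
  owner @{HOME}/Downloads/** rw,

  # Deny rules win over allow rules and "audit" logs every hit, so a
  # browser that starts poking at key material shows up in the audit log.
  audit deny @{HOME}/.ssh/** rwklm,
  audit deny @{HOME}/.gnupg/** rwklm,
  audit deny /etc/shadow rwklm,

  # Everything else under @{HOME} is readable by the uid, but nothing here
  # grants it, so AppArmor denies it by default (whitelist semantics).
}
```

Load it with `apparmor_parser -r` on the profile file, or put it in complain mode with `aa-complain` first and read the denials out of the audit log before enforcing.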

I feel that most computers may be used by 1 user but belong to someone else with their own requirements as to what is permissible. Company laptops seem to be more common than personal machines. Most will just have iPads and phones for personal use.