[nine_k]

It shows how old is that, and how things changed.

Back in the day, it was about multiple OS users on one big machine, maintained by a university or a corporation.

Now I'm the only human user of my several machines. I have more than one interactive user account on some of them. I put these accounts to the wheel group, to avoid ever using a root password. (Void Linux has it pre-configured in /etc/sudoers.)

[jml7c5]

Yes, Unix was designed to protect users from each other but the modern need is to protect applications/invocations from each other. It is unfortunate that Unix wasn't really designed for the modern use case.

Basically https://xkcd.com/1200/

[cookiengineer]

The irony behind it is that one could argue that we are using UNIX wrong, because technically each program should run as its own user with its own groups. Which is what apparmor and firejail/sandboxes kind of want to embrace but in practice people just care too less.

[ilyt]

Only sounds like "irony" if you don't understand problem.

The problem is not isolation or lack of it. The problem is that app require complex set of permissions for both users files and other apps.

App might want to send notification to notification daemon. But app should not be able to pretend to be another app, whether by name or icon. And good luck trying to stop malicious app from just making same/similar enough icon and spelling Firefox with some fancy UTF characters to go around it.

And that's pretty simple case! And already very hard on kernel/OS level to solve. Now look at files.

You might want to allow graphical editor to open any graphical file, regardless of location.

You might want to allow that same editor to only edit some of them.

But for browser, you might want to allow saving new files, but not editing/rewriting existing ones, because it is not an editor, and should have no business editing the files.

Or, allow browser tab browsing certain URL (say, web image editor) to modify the files, but not the image sharing webpage that only needs to read the file.

Now we not only have insanely granular permissions per app, the different actions from "app" (web browser is basically container for multiple applications at that point) also need different permissions.

It has nothing to do with "unix bad", or "unix wrong", to actually separate the applications without hardships on the user (like fucking with permissions every time one app needs to touch files of another app) is just very very hard

[Someone]

> You might want to allow graphical editor to open any graphical file, regardless of location.

More likely, you want to temporarily give them permission to specific files you indicate. A graphical editor doesn’t have reason to read any file that the user didn’t explicitly picked for editing/viewing.

That’s how Mac OS works nowadays (possibly except for the ‘temporarily’; I don’t know the details): applications can only open files that the user selected in the system file open dialog. That runs in a separate process and opens up an app’s sandbox to allow access to the file the user selected.

[thayne]

That limits your application though. It means you have to use the system file picker. For many apps that might be fine. But it means you can't have something like vim or emacs where you open files with a command. Or have an option that does something like open a sibling .h file when you are editing a .c file. Or search up the directory to find the applicable .editorconfig file.

[flangola7]

So why does it work for Mac, Android, and iOS?

[fiddlerwoaroof]

You can do this on basically any modern unix by passing file descriptors over a unix socket: the “graphical editor” server would launch as a user that can’t access anything except a socket and then users would open files by pushing an open fd to the editor over its socket.

[gorgoiler]

This sounds interesting but I don’t understand what the underlying mechanism is. For me, a file descriptor is just an int corresponding to something I can read from and write to and a socket just carries bytes. I don’t understand how an FD can be sent over a socket or, if it can, how that’s anything more than just sending an int?

[rcxdude]

You can express most of this using the existing capabilities in linux, the issue is that the interfaces you use to do stuff need to change in order to actually make it usable (as opposed to just instantly disabled as soon as it becomes a problem, like apparmor).

[labster]

While true and actually pretty cool, a comment like this is a pretty good explanation of why we haven’t had widespread adoption of Linux on the desktop. I can imagine the users’ eyes glazing over.

[ciupicri]

Flatpak [1] offers something similar on Linux:

> The FileChooser portal allows sandboxed applications to ask the user for access to files outside the sandbox. The portal backend will present the user with a file chooser dialog.

> The selected files will be made accessible to the application via the document portal, and the returned URI will point into the document portal fuse filesystem in /run/user/$UID/doc/.

[1]: https://docs.flatpak.org/en/latest/portal-api-reference.html...

[josefx]

> Which is what apparmor and firejail/sandboxes kind of want to embrace but in practice people just care too less.

In practice I don't have the time to debug every shitty little app armor integration for weeks. I lost days to libvirt-manager because its app armor support was enforced and not even half assed. Some configuration paths would automatically get whitelisted in its auto generated app armor profiles, others would just get you a file not found until you whitelisted them manually. The process responsible for generating these profiles would also silently kill itself if it encountered a path that was on its internal ban list, have fun debugging that when you do things like using an alternative bios rom, which by default are all stored in a blocked path.

Apparmor feels like security through obscurity, unless you already know that you are dealing with app armor fuckery there is no chance in hell that you will be able to run your application and not being able to run anything is the holy grail of security.

[tryauuum]

Regarding the last paragraph... Apparmor writes pretty verbose messages visible in journalctl (and in dmesg I think), so it's not really an obscurity

I used libvirt with apparmor and was pretty satisfied with it

[dathinab]

the problem is "just that" is not good enough

because programs often to need to have part of the capabilities of the user which started them, just a very well controlled subset of them, something which the UNIX model can't properly represent (through you can hack it on-top of it)

There is also the problem of having by default "owner-user owner-group other" as permission sets for files and executable. This works if others is "other humans" (assuming it does work, security issues on shared systems based on that where not uncommon). But this works much less if you want to protect users from rogue programs because then "other" tends to be far to permissive.

[derefr]

Process owned by human-user fork(2)s and then exec(2)s suid program owned by program-user; program owned by program-user then does most of the work; but calls back over a domain socket to program owned by human-user to get it to do things on the program-user’s behalf.

Picture: local DB client, remote DB server. Server can stream a file to the client for the client to write to disk. “On the same machine, as a different user” is just the trivial case of “over the network.”

[jcrawfordor]

This doesn't actually provide the benefit of application isolation though; if the software is malicious or vulnerable the as-user component could be as well. Remember that the biggest use case for application isolation is untrusted applications. Essentially any setuid-based approach to isolation requires a trusted developer using very good practices to remain secure, and that's why it's faded away.

[derefr]

What's insecure about setuid if the setuid user isn't a privileged user? For example, a setuid-nobody program, shouldn't be any more insecure than a systemd service spawned as User=nobody, no?

(Also, implied is that any untrusted logic lives in the spawned program, while the "client" program is simple and auditable. As I said: like a database client vs a database server. Or how about: like a client that wants to print something, vs. a print server embedding untrusted printer drivers!)

[dathinab]

like I sayed: hacks

[atahanacar]

If everything is a file, and files can have permissions, then you can simply allow the "program user" access to those files using groups.

[jcrawfordor]

The group model is far too inflexible to make this realistic... A file can only have one group, and people use more than one application. ACLs are available on Linux (although seldom used) and help to address this problem, but the ergonomics are very poor. Since ACLs don't address the issue of syscalls, IPC other than file based, etc., It hasn't really made sense to make them the focus or application isolation efforts. The kernel namespacing and capabilities features are a lot more attractive for this use and are more similar to the historic approach of chroot... But the tools still aren't great.

[atahanacar]

>A file can only have one group, and people use more than one application

But users can be in multiple groups. You can have files with groups like "graphics, audio" etc. and give access to the application users by adding that user to the relevant groups.

>IPC other than file based

This isn't UNIX model though, is it?

Though I agree with you. Given the current state of programs, file permissions aren't enough for isolation.

[not2b]

That's what Android does: each app runs as a different user.

[rollcat]

The issue with implementing that on traditional UNIX systems is that only root can impersonate another user. (Mechanisms such as su/sudo are achieving their goal through a setuid bit, and implement a policy using executable code in user space, which historically hasn't been without its own share of bugs.)

Next problem will be sharing data between programs that legitimately need to do so; if I had an _emacs user that owned my source code, how do I make it non-painful for the _gcc user to read the source and write the resulting executables (which would end up in a directory owned by _emacs)? What about git, various preprocessors/generators, formatters, linters?

You'd have to step out of the traditional UNIX authn/authz model to effectively implement that. It's what various security-focussed OS's have been doing for a while anyway; e.g. OpenBSD implements unveil, which "hides" entire branches of the VFS tree. For example, if git has no business reading or writing files outside of the currently operated on repository, it can restrict itself very early in the process life - before proceeding to perform any of the "tricky" operations that are the common sources of security bugs.

[skissane]

> The irony behind it is that one could argue that we are using UNIX wrong, because technically each program should run as its own user with its own groups.

I think one problem with the UNIX design is that UIDs/GIDs are a flat namespace, and commonly only 32-bits in size (even on 64-bit systems), when what is really needed to meet contemporary requirements is a hierarchy, either with an unlimited number of levels, or at least generous limits. Allow a user to create sub-uids (such as one per an application) and even sub-sub-uids (a web browser might create a sub-sub-uid for each website the user visits).

I think the Windows design of variable-length SIDs is in principle superior to the POSIX approach.

(Although, not necessarily in practice - it isn’t uncommon for Windows to make design decisions which in theory are superior to those of UNIX, but the practical implementation of them is full of warts, backward compatibility hacks, arbitrary limitations, and undocumented black boxes, which end up canceling out a lot of the theoretical advantage.)

[aragilar]

Have you heard of user namespaces? They would match all your requirements it seems.

[skissane]

I have but I don’t agree that they do.

From what I understand, Linux user namespaces require you to reserve a UID range for each namespace to be mapped to its parent. Since you only have 32-bits to play with, you are forced to map multiple UIDs in the child namespace to the same UID in the parent, while many security decisions are based on the root user namespace UID only. So this is actually a lot more limiting and inflexible than Windows-style variable length UIDs would be.

[ElectricalUnion]

> you are forced to map multiple UIDs in the child namespace to the same UID in the parent

Is that really a limit or just a thing for convenience?

I don't think besides 0 in namespace being the actual user in the actual system as a good convenience, that there is any "need" for pids per root-pid, and even if that happened it would save "root-pids".

And I find it unlikely as of now that a system would reach the 16-bit limits of running more that 65000 applications on a single system without hitting some other limit like /proc/sys/kernel/pid_max or /proc/sys/fs/file-max first.

[seanw444]

It seems like the obvious solution. Users are protected from one another in Unix, applications need to be protected from each other, therefore applications must be users.

[doctor_eval]

I ran a SaaS for a long time before containerisation, and we would create a new Unix uid for each customer, and run the application instance exclusively under that uid. Coupled with a postgres database instance and properly isolated postgres roles, it felt like a reasonable way to isolate customers from each other.

The problem with this approach is that, of course, it really doesn’t scale easily. Eventually you need multi tenant, and eventually we ended just pushing everything into the database, using row level security and tenant IDs. It worked great but felt more fragile (eg, you can disable RLS)

I’m not an OS expert by any means, but I think ultimately the problem is that we’re using one operating system model for two orthogonal use cases.

I feel like need a well-defined client model - “one user with multiple apps” and a well-defined server model - “one app with multiple users”. But it’s not clear to me how the OS can help with the latter, since it’s going to be domain specific. Maybe Postgres’ model is the right answer after all.

[jandrese]

Unix doesn't make it easy for an unprivileged user to switch to a different user account for just one app though. Plus it gets more complicated when your application wants to save something to the disk so it can be accessed by a different application.

[regularfry]

"More complicated" but not by much. That's where groups come in.

[HKH2]

> in practice people just care too less.

I tried to use Apparmor and SELinux, but how policies work is beyond me. Snap's sandboxing seems to be the closest thing to user-friendly sandboxing, but it's still not that user-friendly.

[colonwqbang]

Maybe on the server/desktop side of things. In embedded Linux the "user per app" scheme is very useful and is embraced.

[cookiengineer]

The issue I have with it is that a lot of living off the land techniques are caused by this false sense of how UNIX user and group management is supposed to work.

I mean, the correct approach would be to have groups even for specific network protocols because capabilities are not enough to sandbox a binary correctly, and the network group is pretty much pointless.

And then there's icmp, which brings us to the ping binary which on lazy distributions still has an SUID flag set, as well as glibc which still allows LD_PRELOAD by default because it is intended functionality from the perspective of its developers.

Most of these privilege escalation exploits can be mitigated, if users and groups and capabilities are managed correctly.

In practice I probably would recommend to use the systemd seccomp sandboxes because most of these quirks have been abstracted away there and are configurable in the service files - like file/folder access, user/group randomization, chrooting, capabilities etc.

[Lindby]

That is what Android does. Each application (by default) gets its own user id.

[ElectricalUnion]

Isn't this what Android does? Every app has it's own user and group and you only get to manipulate "kinda-global-state" thru platform APIs.

[TillE]

This is why I'm still hopeful that capability-based microkernels are the future. They simply fit modern security needs far better than hacky sandbox solutions on top of the same old operating systems with coarse permissions.

[1letterunixname]

The use-case is concerned with is multi-user, most likely remote login, sometimes desktop login. He whines about everyone not having root and breaking the box. Too bad. If you don't like the isolation and privilege separation a system provides, use virtualization, containers, run your own, or change the OS to allow your specialness that doesn't affect other users.

It's not wheel's fault, and so substituting root group for wheel was nothing more than a special snowflake move by someone who thought the sysadmins were holding back and the "enemy".

[fsflover]

The solution is to use https://qubes-os.org. My daily driver, can't recommend it enough.

[bee_rider]

Qubes is one of those things that, I think, everyone knows is better but it seems just far enough away to not want to change.

How big of a change is it? If you are, say, a Linux terminal native can you just pick up and run?

[invalidator]

Mostly yes. Your applications run in a standard Linux environment and if you pop up a terminal, hey, it's your favorite distro and it works.

There's some learning curve for features which exist for valid reasons, especially around communicating between domains. For instance, copy-and-paste between qubes requires extra steps. Plugging in a USB keyboard or mouse doesn't just work - you have to authorize it first (just click the OK button using a PS/2 mouse, or laptop's touchpad). You have to learn how to move files between qubes. USB drives, cameras, and microphones aren't globally available to all applications - you have to attach them to a qube first. You can install software using apt-get inside a qube, but it won't persist across reboots - you have to update the OS template.

I want those extra steps and complications - they are features, not a bugs! The first few days you'll be looking things up in the FAQ. After that it's pretty easy.

There are a few sore points that don't go away. You don't get GPU acceleration in your web browser, so rendering is slower. Gaming is not an option. Your application qubes live behind a firewall qube, so things that require network broadcast like Chromecast won't work. Those are fine for me but not for everyone.

[Dylan16807]

Please tell me the USB devices that were there at install time get authorized.

> You can install software using apt-get inside a qube, but it won't persist across reboots - you have to update the OS template.

> I want those extra steps and complications

Is it wrong of me to say that enabling persistence, with snapshots, on a qube should be a single toggle?

[fsflover]

> Please tell me the USB devices that were there at install time get authorized.

Yes, if you only have a USB keyboard, it will work. Manual creation of a USB VM then is recommended for security: https://www.qubes-os.org/doc/usb-qubes/

> Is it wrong of me to say that enabling persistence, with snapshots, on a qube should be a single toggle?

Of course you are right. TemplateVMs provide /root partition to AppVMs and software should be installed normally to the former. At every AppVM reboot, their /root is reset to the one from TemplateVM. Ordinary, persistent VMs are also possible. Details: https://www.qubes-os.org/doc/getting-started/

[markstos]

Qubes is enough of a pain to use that another OS project started to try to take the concept and make it more usable:

https://spectrum-os.org/

Doing so has proved hard and slow so far, and Spectrum hasn't had a usable release for the masses yet.

[dooglius]

> Initial versions of Spectrum will have the user be responsible for writing Nix code for each application and resource, and the combinations they make between them.

As a qubes user, I think this is interesting but it definitely does not sound more usable.

[nine_k]

You would feel at home more as a cloud native, because everything runs in its own VM, spun up and down on demand.

[fsflover]

All software runs in Linux VMs, so it is practically the same as running several Linux operating systems with a nice UI.

[_lvbh]

I tried it for a week. Feels like overkill so I instead went for Fedora Silverblue & have everything in isolated podman containers.

Of course, I’m not being targeted by the state so my threat model is much lower.

[throwthat1]

Everyone is somewhat targeted by the state already... Just not at a pin point level yet.

[effie]

If you're targeted by state, Qubes on a PC isn't secure enough. It sits at a weird place, where it is stronger than your regular Linux, and showcases interesting ideas, but is quite restrictive in what you can do and doesn't provide any real security guarrantees. It's an open-source small shop project. Xen bugs and kernel bugs are too frequent, big boys know them/buy them/make them/exploit them, surely silently for years.

The idea your data on a PC connected to Internet can be really secured from the most powerful actors is very naive.

[fsflover]

Snowden is using and recommending Qubes [0]. Only 25% of Xen bugs on average affect Qubes [1] and never lead to escapes. What is restrictive about Qubes? I do everything I need on it.

[0] https://twitter.com/Snowden/status/781493632293605376

[1] https://www.qubes-os.org/security/xsa/

[effie]

Don't do things just because twitter persona says so. Is there an independent security audit of Qubes that checks its factual capabilities in security?

> Never lead to escapes

Escape is the highest form of security failure. I'm talking about data access and exfiltration.

Do you store all your important data on a VM with no internet access? Even Qubes users don't, it's hard to work with. Then it's Firefox/ kernel bug away from being accessed remotely.

XSAs are publicly known vulnerabilities discovered by someone who wanted to make it public and later were published by the Xen developers. There very probably are publicly unknown vulnerabilities, both in HW and Xen, discovered/created by people who want to profit from exploiting them. There are whole teams focused on this kind of work, payed by states and criminal-enablers like NSO.

> What is restrictive about Qubes?

No GPU acceleration for video in a VM, legacy OS on dom0. Xen development in support of modern CPUs has fallen behind, didn't even boot on modern Zen X570 platform last time I tried, dysfunctional nested virtualization, using KVM from Linux does not work, can't run Android Studio with phone emulator.

[fsflover]

It might be an overkill if you need too big efforts to switch. I did not feel that way. The independent VMs for different workflows even helped to organize my work.

[jzb]

It's one of those things I keep thinking I'd like to try but actually implementing it seems like it'd be a huge pain in the posterior at first.

Am I wrong about that?

[nine_k]

It's mostly a huge pain in the GPU, unless you only need the basics.

[fsflover]

Probably depends on the hardware. See this: https://forum.qubes-os.org/t/community-recommended-computers....

Upd: yes, also there is no GPU acceleration in the VMs.

[effie]

> I have more than one interactive user account on some of them. I put these accounts to the wheel group, to avoid ever using a root password.

Why have multiple different unix users if all have the same power of the root user? They aren't isolated from each other, they aren't less powerful than root. So why not just use the already existing single root account?

[paulddraper]

First, some software literally refuses to run as uid 0.

Second, it can still be useful for bookkeeping.

[geoelectric]

Seems like it’d actually decrease security as now there are several different “root” logins that could be compromised.

Though I suppose, with further thought, it’s not significantly worse than having them in sudoers, in that particular respect.

[effie]

That's why the same question really applies to standard but insane practice of using sudo to get root. There is no security difference between root and lowuser that can sudo into root.

Sudoing into root from lowuser account is in some scenarios potentially more dangerous than just using both accounts separately, as the user who uses root regularly/very often gets accustomed to the fact his commands are powerful and can screw his system, so mistakes almost never happen. While sudoing all the time creates a false sense of security and the user is more likely to run harmful command with sudo.

[zeroimpl]

Yeah I don’t really understand why when I ssh into a VM in the cloud I have to first connect as a static dummy username like ec2-user then sudo to root.

[effie]

Yeah. From http://ec2-downloads.s3.amazonaws.com/AmazonLinuxAMIUserGuid... :

> To prevent remote root exploits, the Amazon Linux AMI does not allow remote root login via SSH[...] By default, the only account that can log in remotely via SSH is ec2-user. The ec2-user has sudo privileges.

Can someone please explain how this makes any sense for better security. It seems to be just a security theater.

[1letterunixname]

I remember having BootCommander on a test box containing Windows 95 (and a bunch of other crap) to boot to up to 16 OSes.

Back in the day, university campus networks popularized a "cluster" approach of logging in to specific machines whereby hosts followed the pattern: $(uname)[0-9]{2}. You would soon setup authorized_keys and a script that would check the load of all machines by iterating ssh. The same home directory would be shared to all machines, regardless of OS, so portability of shells scripts and POSIX/C code was necessary.

[m463]

corp users still share some machines.

actually if you think about it, lots of machines you OWN nowadays don't give you root access.

For example you can't get access at the actual filesystem on your iphone without a jailbreak.