by saulpw 674 days ago
I've been wondering about this for a while. Do we really need multiple users for desktop unix? I get that you want some division between system and user, to protect the user against themselves. And read-only files are similarly useful, if only because some devices are read-only. But do we really need user/group/other permissions for desktop unix? And all the complexity of groups, and euid, etc.?

Edit: not sure why I'm getting downvoted. Is it that offensive to question orthodoxy?

14 comments

User is useful for isolation, not just between system and user, but also between different bits of the system. This is more useful on a server running multiple different services, but desktop software often has multiple services as well (although I can’t think of an example right now).

Groups are a bit more niche IMO, but without groups there is no real other way to express the constraint of thing X uses file A,B, thing Y uses file B,C - how can they share the data without making things globally accessible or duplicating it. That’s probably a less frequent occurrence, but does come up (but again more on servers than desktop).
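A minimal model of the owner/group/other check for the "thing X uses A,B; thing Y uses B,C" case above, as an added example that is not from the thread: a shared group gives both services access to file B without making it world-accessible or duplicating it. All uid/gid values, file names and modes are constructed for illustration.

```python
import stat

# Constructed scenario: two services (X, Y) and three files (A, B, C).
# File B is owned by a shared group (gid 2000) that both services belong to.
FILES = {
    "A": {"uid": 1001, "gid": 1001, "mode": 0o640},  # private to X
    "B": {"uid": 1001, "gid": 2000, "mode": 0o660},  # shared via group 2000
    "C": {"uid": 1002, "gid": 1002, "mode": 0o640},  # private to Y
}
PROCS = {
    "X": {"uid": 1001, "gids": {1001, 2000}},
    "Y": {"uid": 1002, "gids": {1002, 2000}},
}

def unix_access(mode, f_uid, f_gid, p_uid, p_gids, want):
    """Classic DAC check: exactly ONE class (owner, group or other) is selected,
    so an owner whose owner-bits deny does not fall through to the group bits.
    want is "r", "w" or "x". Root bypass is simplified (ignores capabilities
    and the at-least-one-x-bit rule for execute)."""
    if p_uid == 0:
        return True
    if p_uid == f_uid:
        bits = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    elif f_gid in p_gids:
        bits = (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    else:
        bits = (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    return bool(mode & bits["rwx".index(want)])

def can(proc, fname, want):
    """Does service `proc` get `want` access to file `fname` under the scenario?"""
    f, p = FILES[fname], PROCS[proc]
    return unix_access(f["mode"], f["uid"], f["gid"], p["uid"], p["gids"], want)

def access_matrix(want="r"):
    """Full (service, file) -> allowed table; useful to eyeball the isolation."""
    return {(p, f): can(p, f, want) for p in PROCS for f in FILES}
```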

Except they all already use the insanity that is SELinux because they found users and groups too limiting for their "guaranteed to break production at runtime" security scheme. People suggesting we need user accounts for isolation are a generation behind the engineers tasked with papering over security issues.
SELinux is definitely over-engineered, but it’s not for the same problem as file permissions. File permissions are purely for files, whereas increasingly Linux does not nicely follow the philosophy of everything being a file. Once you have non-file resources and capabilities, it is very tempting to attempt to generalise permissions beyond them and if you attempt to bolt it on, you’ll get something like SELinux.

I wouldn’t say file permissions are necessarily outdated. You can get pretty far using something like systemd capabilities, which are much more supplementary to the existing Unix file permission model.

The very best approach to this IMO is OpenBSD pledge and unveil. Managing the permissions as part of the binary itself is much less fragile, although it doesn’t have exactly the same threat model. It also has the added benefit of temporal safety, which I’m not sure you can do with SELinux.

AppArmor tends to break less because it doesn't revolve around esoteric file metadata for labeling, IME. Keep the policy definitions separate.
Who is “they?” SELinux is not universal.
Those multiple users could be used to implement sandboxing.

And of course if one has a family then one might want accounts for Mom, Dad, Alice and Bob.

Yea, I'd like to see a system where each application runs as its own user, especially third party applications not vetted by the OS vendor, the package manager and so on. Maybe this already exists--I think it would be a good step forward for security and privacy.

You can no longer trust 3rd party applications to stay in their lanes. Running an application with full access to everything that I as a user have access to seems insane in 2024. Ideally, I don't want a third party application to read or write anything outside of its "home directory" without my explicitly giving it permission. That includes files on my filesystem, network shares, hardware devices, everything.

You would either need to statically include everything in the binaries all the time, causing huge files everywhere, or use something like BSD jails. Both are doable. Then it is still possible to access the kernel though, so it's highly impractical. As the other guy pointed out, Android somewhat works like that, but lots of malicious programs also exist for that..
> Maybe this already exists

That's how Android works.

In the early days, nowadays not only does it still do that, it also has SELinux and seccomp enabled, and Linux drivers are seen as legacy; modern drivers run out of process as well, on their own accounts, talking via Android IPC with the kernel.
Stop running 3rd party proprietary crap. Problem solved. Better: separate your work, gaming/leisure and 'sensitive' (banking) files with 3 different users.
Depressingly, I think sharing computers, at least in the western world, has become a thing of the past. At the very least, sharing your main form of computing.
?? Not all households have money to buy a PC for everyone. For phones maybe (also less common outside of rich countries), but definitely not true for the PC platform, for most of the world actually.. There are a lot of PCs for the family still.
In poorer countries, the phone/tablet is the only "PC" they have, and I guess that was the point being made.
Using computers in general outside of work is quickly becoming a thing of the past too.
We're sharing a computer as we speak.
Right, in the sense of "the network is the computer".

Tangent: one of the most talented engineers I ever met gave an amazing (though sadly company-private, unrecorded) talk about how the OS was his IDE. Kind of analogous... anyway, I like this type of re-framing or meta-level-shifting.

He must be getting a bit twitchy lately then.
The days of multiple family members using the same computer are long gone. Do you ever log into anyone else's desktop/laptop, or does anyone else ever log into yours? That's what I'm getting at.
Yes, actually. My wife occasionally logs into my desktop and vice versa. But I take your point - it's far less common than it used to be, even if it does still happen.
Yes, my children log into their own accounts to play games and/or do homework on the desktop computer with large monitors and good GPU.
My children all share an unprivileged account on our family desktop computer to play video games, etc.

In addition to this, my wife has an account on the computer which is separate from mine.

I have to clean my grandma's tablet every time my nieces come and screw it up by installing games, moving icons around and setting who knows what.
Right, but you're not logging in to a separate account for that.
A separate account for kids would make this cleanup unnecessary. They don’t want to screw it up for her, they just do what they think will help with their activities.
> I get that you want some division between system and user

Which, as others have pointed out, means various system services running as other users (since you don't want them running as your user, and you also don't want them running as root). On most desktop unix machines that only one person uses, that's the main use case for multiple users (and for multiple groups since groups are used to manage access to various functions like printing, usb sticks, cd-roms, etc.).

Users are still useful for isolation, many daemons on your system are likely running with different UIDs (or could be configured to do so) to increase isolation between them and the rest of the system.

Groups are a bit less useful (IMO), but still good for handing out access to things like device files. If a daemon should have permissions to XYZ /dev file then you add them to the group associated with it.

You want every app of yours to be a different "user" so they can't access each other's data without arbitration. The term "user" is an unfortunate Unix inheritance. There's no reason that a single human (as he might on Unixes like Android or iOS) shouldn't have a hundred Unix "user" IDs at his disposal, one for each app.
It's a '70s permission system designed for '70s-style computer usage, i.e. one computer shared by many people, with a relatively high level of trust among all the users.
It seems to me that stuff like iwd, ntpd, udevd, bluetoothd, dhcpcd, etc. etc. each running as a different user is pretty desirable. Every system works like this, including Windows.

The most obvious reason for this is so that a security problem in one of these daemons won't be able to read your Firefox cookies, install a rootkit, and stuff like that.

It took me a shockingly long amount of time before I realized it was silly to have a username on my machines. I am the only person using this, why am I typing unnecessary cruft? Username switched to “a”, which ends up saving space in my home path and terminals.
It took me a shockingly long amount of time before I realized it was silly to have a username on my machines. I am the only person using this, why am I typing unnecessary cruft? Username switched to “root” on all my machines and I remove the username from PS1. /root is shorter than /home/a (:
That requires faith in software not making hard coded assumptions about filesystem structure. Something which I am not prepared to do. How much software still cannot respect XDG?
Not a problem in practice. I've seen a lot of systems having user homes in places other than /home for various (usually historical) reasons. Never broke anything afaik.
It probably is fine. Still makes my spider sense tingle about some unforeseen failure that will crop up one day.
I've seen scripts with hardcoded "/home/$username" so your worries aren't entirely unfounded.

It's understandable too, because Linux doesn't provide a nice way to retrieve that information. You'll have to parse /etc/passwd (which might not contain all users) or hope that whatever language you're using supports path extrapolations so that you can do realpath(~username) or call a third party tool that does, like a shell.
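The lookup the comment above says Linux lacks a nice way to do, as an added example that is not from the thread: resolving a user's home through the account database instead of assuming "/home/$username". It uses Python's Unix-only pwd module, which goes through NSS (so it also finds accounts that are not in /etc/passwd), and the tilde expansion os.path.expanduser provides; "root" is used only because it exists on every Unix system.

```python
import os
import pwd

def hardcoded_home(username):
    """The fragile guess seen in scripts: assumes every home lives under /home."""
    return f"/home/{username}"

def resolve_home(username):
    """Ask the account database (via NSS, not just /etc/passwd) for the home
    directory. Returns None for an unknown account rather than inventing a path."""
    try:
        return pwd.getpwnam(username).pw_dir
    except KeyError:
        return None

def home_via_tilde(username):
    """Same lookup through shell-style ~username expansion. expanduser returns
    the string unchanged when the user is unknown, so map that case to None."""
    expanded = os.path.expanduser(f"~{username}")
    return None if expanded.startswith("~") else expanded

def guess_is_wrong(username):
    """True when the hardcoded /home guess disagrees with the real home
    (e.g. root's home is /root on Linux and /var/root on macOS)."""
    real = resolve_home(username)
    return real is not None and real != hardcoded_home(username)
```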

    ln -s /root /home/root
Just change your home directory to /me. Who cares about /home?

As for permissions: on a single human machine, sudo is useful principally to introduce friction to random install scripts doing random things to my system. In day to day use, there's no reason for me to input my password just to install some Firefox snap or something.

Once I had this thought and renamed the root user to my own name. Hilarity ensued.
lightdm brings up my username automatically, ~ is home. Are you saving much? That said, unix originals used three char usernames.
Login from a terminal requires exact username, so I am saving literal seconds per day. <a> <enter> just rolls off the keyboard.
Of course, nowadays even more so, unless users want to expose $HOME to the world.
I feel like macOS had the right idea for desktop security, with a per-binary permissions model when it comes to accessing sensitive areas in $HOME.

I know this can be done in Linux using Flatpaks, snaps, and the like, but I would really appreciate it if sandboxing could be done at a more fine-grained level, without coupling sandboxing and distribution.

That's what SELinux is for. However, you might have to write your own policies; the usual ones that most distributions ship are tailored to the server use case. Android also uses SELinux for that kind of access restriction, but works somewhat differently from "normal" desktop Linux.
> Do we really need multiple users for desktop unix?

I do, and not just for system services as mentioned by others.

I have separate user accounts for general desktop use, gaming, software builds, software testing, and a variety of containers.

Isolation is useful.

Yes, we really need users for desktops on all operating systems. Fundamentally limiting a computer to a single user is immeasurably idiotic and I wonder how one comes to that question even.

Somehow it slipped in for phones and that’s a big part of why they suck. E.g. you can’t have work, life, private/second life and tmp/trash accounts on your phone and have to either carry multiple devices or mix lives together.

You can though! Stock Android supports multiple users. Just enable it in settings
> Do we really need multiple users for desktop unix?

I find them valuable. For example, I have a workstation that is used for different projects with different clients, as well as administrative work for my own business. I want 100% separation between assets related to those different contexts.

It’s bad enough that we have package managers allowing package installation scripts to run arbitrary code, or software wanting you to install via:

    curl https://example.com/imnotmalwareipromise.sh | sh
I’ve seen people seriously make the argument that if your entire system gets nuked by malware through these installation methods then this is entirely your fault. That’s obviously an absurd victim-blaming stance, but the fact is that the risk still exists with modern software development systems.

At least if I have separate users for each client or each major project then the worst that is going to be compromised by a vulnerability introduced during the work for that client or project is that same work.

It’s not just about security though. It’s also about convenience and manageability. Those different clients and projects frequently require the use of specific security credentials and configurations, often for remote services that other clients/projects also use. In a perfect world, I’d like all of the software I use to be XDG-friendly, and I’d like each client/project to have its own home directory with its own independent XDG-style directories underneath, so each user has the configurations and credentials required for its own work and has no knowledge of or access to those of any other user. Finished a project? Archive/nuke that entire user and home directory as appropriate, and nothing is left lying around to break anything or leak anywhere later.

I’m currently playing with NixOS, which means I can also have a limited set of system-wide software installed and have specific additional packages installed per-user or even activated on demand when I change into a specific directory. Again, this means my system has only the software I actually need available at any given time, at the exact version I need for that specific work, and if something is no longer needed by anything I’m doing then it will automatically get cleaned up next time I do an update/rebuild.

None of this really works without the concept of separate users running different software in their own isolated little worlds, possibly concurrently on the same workstation and even sharing the same input/output devices (in a safe way where again they can’t unreasonably interfere with each other – something else that is not 100% there yet, but certainly a lot better than on de facto single-human-user operating systems). The only real alternative is to spin up something like a different virtual machine for each client/project where everything from the OS down is isolated, but I don’t really gain anything by doing that and it’s potentially more work to set up and more difficult to share input/output devices.

No, a group called "wheel", "dialout" and users "irc games uucp list gnats mail news" are essential to the Linux desktop. The only cruft facing the Linux desktop today is the unification of bin and sbin.