by ratorx 675 days ago
Users are useful for isolation, not just between system and user, but also between different bits of the system. This is more useful on a server running multiple different services, but desktop software often has multiple services as well (although I can’t think of an example right now).

Groups are a bit more niche IMO, but without groups there is no real other way to express the constraint "thing X uses files A and B, thing Y uses files B and C": how can they share the data without making things globally accessible or duplicating it? That’s probably a less frequent occurrence, but it does come up (but again more on servers than desktop).

1 comments
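The sharing constraint from the comment above, worked through as an added example (not code from the thread): a small model of the POSIX discretionary-access check (owner/group/other bits, exactly one class consulted, root bypassing read/write checks). The services, uids, gids and file names are constructed for illustration. Service X runs with primary group `gx` plus supplementary group `shared`, service Y with `gy` plus `shared`; file A is group `gx`, B is group `shared`, C is group `gy`, and every file has its "other" bits cleared. X then reaches A and B only, Y reaches B and C only, B exists once, and nobody else reads anything.

```python
"""Model of the POSIX discretionary-access (DAC) check, used to show how
supplementary groups express "X uses A,B; Y uses B,C" without world access
or duplicated files.  Added example with constructed uids/gids/files."""
from dataclasses import dataclass

# access() style request bits
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Cred:
    """Process credentials: effective uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

    def in_group(self, gid: int) -> bool:
        return gid == self.gid or gid in self.groups


@dataclass(frozen=True)
class Inode:
    owner: int
    group: int
    mode: int  # permission bits only, e.g. 0o640


def allowed(cred: Cred, ino: Inode, want: int) -> bool:
    """Return True if `cred` may perform `want` on `ino`.

    Rules mirrored from the kernel's generic DAC check:
      * uid 0 (CAP_DAC_OVERRIDE) bypasses read/write checks, but may only
        execute a file that has at least one execute bit set;
      * otherwise exactly one permission class applies: owner if the uid
        matches, else group if any of the caller's gids match, else other.
        A more permissive group class does NOT rescue a restrictive owner
        class, which is a classic surprise when the owner itself is denied.
    """
    if cred.uid == 0:
        return not (want & X and not ino.mode & 0o111)
    if cred.uid == ino.owner:
        bits = (ino.mode >> 6) & 7
    elif cred.in_group(ino.group):
        bits = (ino.mode >> 3) & 7
    else:
        bits = ino.mode & 7
    return bits & want == want


# --- constructed scenario (hypothetical ids and names) ----------------------
UID_X, UID_Y = 1001, 1002
G_X, G_Y, G_SHARED = 2001, 2002, 2003

CRED_X = Cred(uid=UID_X, gid=G_X, groups=frozenset({G_SHARED}))
CRED_Y = Cred(uid=UID_Y, gid=G_Y, groups=frozenset({G_SHARED}))
CRED_OTHER = Cred(uid=3000, gid=3000)          # unrelated service
CRED_ROOT = Cred(uid=0, gid=0)

# Files owned by root; access is granted purely through group membership,
# and the "other" class is 0 everywhere so nothing is globally readable.
FILES = {
    "A": Inode(owner=0, group=G_X, mode=0o640),       # X only
    "B": Inode(owner=0, group=G_SHARED, mode=0o660),  # X and Y, one copy
    "C": Inode(owner=0, group=G_Y, mode=0o640),       # Y only
}


def readable_by(cred: Cred) -> set:
    """Names of the files in FILES that `cred` can read."""
    return {name for name, ino in FILES.items() if allowed(cred, ino, R)}


def writable_by(cred: Cred) -> set:
    return {name for name, ino in FILES.items() if allowed(cred, ino, W)}


if __name__ == "__main__":
    for label, cred in (("X", CRED_X), ("Y", CRED_Y), ("other", CRED_OTHER)):
        print(f"{label:5} reads {sorted(readable_by(cred))} "
              f"writes {sorted(writable_by(cred))}")
```

The model also captures the limit that the rest of the thread circles around: `allowed(CRED_ROOT, FILES["A"], R)` is true regardless of the mode, so a service that must run as root gets no isolation from file permissions at all, which is where capability bounding and MAC systems come in.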

Except they all already use the insanity that is SELinux because they found users and groups too limiting for their "guaranteed to break production at runtime" security scheme. People suggesting we need user accounts for isolation are a generation behind the engineers tasked with papering over security issues.
SELinux is definitely over-engineered, but it’s not for the same problem as file permissions. File permissions are purely for files, whereas increasingly Linux does not nicely follow the philosophy of everything being a file. Once you have non-file resources and capabilities, it is very tempting to attempt to generalise permissions beyond them and if you attempt to bolt it on, you’ll get something like SELinux.

I wouldn’t say file permissions are necessarily outdated. You can get pretty far using something like systemd capabilities, which are much more supplementary to the existing Unix file permission model.

The very best approach to this IMO is OpenBSD pledge and unveil. Managing the permissions as part of the binary itself is much less fragile, although it doesn’t have exactly the same threat model. It also has the added benefit of temporal safety, which I’m not sure you can do with SELinux.

AppArmor tends to break less because it doesn't revolve around esoteric file metadata for labeling, IME. Keep the policy definitions separate.
Who is “they?” SELinux is not universal.