[panki27]

I had the "joy" of watching some guys from Perforce setup a new p4 instance.

They confed /etc/sudoers so that the perforce user can run everything as root without providing a password. I told them that this is really a bad idea, and they pulled up one of their setup guides with "enhanced security hardening".

It ended up with ~35 specific entries for binaries in sudoers, one of them being /usr/sbin/setcap - which allows you to give e.g. the Python interpreter CAP_SETUID, making a privilege escalation to root trivial again.

[dehrmann]

We love to praise Unix, but it wasn't built for modern multi-user use. FUSE was an after-thought. So were package managers, and they got added, but they require root. Users aren't sandboxed, so they can see what others are doing. These were just off the top of my head.

[Vogtinator]

For multiple users on the same server it was IMO well designed. Everyone had their ~ and could place whatever libraries/binaries/etc. in there and do whatever they wanted.

Package managers are way more modern than that and their design does by itself not require root (see pip). You can in fact run most package managers without root, you just won't be able to modify system files. You can use them to install a chroot as regular user, e.g. `zypper --installroot ~/tw install bash`.

FUSE doesn't really relate to single vs. multi-user AFAICT.

Users are perfectly sandboxed if you configure the system that way. Depending on the distribution that's even the default.

[IshKebab]

Oh yeah? How can I install Clang using Apt without root?

[s1gsegv]

This is largely a package manager problem. There is a way to run Homebrew (the package manager widely used on macOS) on Linux in a rootless mode, and it will install packages into your home directory no problem.

It’s a good trick to have in your back pocket if you’re given an unprivileged user on a compute node and want to make use of modern tools.

[ErikBjare]

You don't need to install it with apt

[IshKebab]

Indeed but the claim was:

> You can in fact run most package managers without root

It is very clear from the context that dehrmann was talking about Linux distro package managers (Apt, Yum, Dnf, Apk, etc.) and as far as I know they all require root, or at least I have never once seen someone use them without root.

[ErikBjare]

I figured most package managers (brew, pip, nix, npm, etc.) are not actually one of the few Linux distro package managers. You listed them almost exhaustively after all (excepting pacman).

[jeroenhd]

Unix was very much made for multi user environments. The problem with staying compatible with Unix today is that back when Unix came to be, everyone on the system was more or less trusted. The biggest security concern was making sure that everyone who was logged in was billed correctly.

On succifiently offline systems, you can still run software like that. It's quite freeing to have a server with 777 on your home directory when the biggest problem it'll cause is someone pranking you by altering your terminal color scheme to something hideous.

[noinsight]

> Unix was very much made for multi user environments. ... The biggest security concern was making sure that everyone who was logged in was billed correctly.

I don't know about that... It doesn't even support multiple administrators. And you can't even distinguish between actions performed by the system itself and the administrative user.

Yes I know about sudo.

What do you need to do and what do the (even audit) logs say about who performed an activity whenever administrative activity happens?

[timewizard]

> It doesn't even support multiple administrators.

You can easily create multiple accounts that have the uid 0. Groups are a fundamental part of discretionary access system and several administrative groups exist by default. Your modern desktop oriented distribution may not take advantage of these facts.

> logs say about who performed an activity whenever administrative activity happens?

Simply enable process accounting and setup a program to capture that information. The early BSD distributions had this and had many command line tools to query the information it stored.

[randomname93857]

>> What do you need to do and what do the (even audit) logs say about who performed an activity whenever administrative activity happens? By activity you mean who run some process? doesn't enabling audit on all execve, execveat and looking at AUID besides EUID and UID fields tell you that? Or am I missing something? you may want to configure ENHANCED format in auditd for convenience.

[noinsight]

No, you are right. On Linux you can look at AUID. To be fair, I have no idea about others than Linux.

[adrian_b]

Multics had much more complex security, with access-control lists.

The authors of Unix have taken most of the concepts of an hierarchical file system from Multics, the main exception being the security features, which have been replaced with the simpler owner-group-all permission bits, together with features like setuid/setgid, which may be OK for simple use cases but which is inadequate for a system with many users, where not all of them can be trusted.

[fph]

Is multi-user use "modern"? Back in the days everyone shared the same mainframe, now I'd say most computer systems have a single user.

[adrian_b]

While most computers are personal computers, which have a single real human user, you still have to run a lot of untrusted programs, like the Internet browsers or whatever programs you might download from dubious sources.

While perhaps the term "user" is no longer the best, there is a need even more than before to run programs with limited rights, corresponding to the rights of some pseudo-users, which should not be able to access or modify anything belonging to the real human user, unless a special permission is granted.

[Too]

Android works like this. It's linux based and runs every app as its own user. On top of that it adds SELinux and many other isolation strategies.

https://source.android.com/docs/security/app-sandbox

[calvinmorrison]

So, basically all my sandbox concerns go away if I run as root and every browser runs as its own user

[Dwedit]

Shared Web Hosting still uses multiple users.

[anthk]

Unix 2.0 (plan9/9front) has namespaces.