users, "private" groups, and The Unix Way (was, Re: Is it me or is it sudo?)

Joel Rees joel.rees at gmail.com
Mon Apr 2 23:51:27 UTC 2012


On Sat, Mar 31, 2012 at 7:04 PM, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Fri, 2012-03-30 at 20:39 +0100, James Wilkinson wrote:
>> From there, it follows that the easiest way to do this is to make 002
>> the default umask, which means that all new files and directories
>> created by normal users have these permissions. That means that if you
>> want files that only their owner can write to, you need a per-user
>> group.
>
> It always struck me that personal files ought to have no group or world
> permissions set by default.  If you wanted your files to have those
> extra permissions set, then it ought to be done as a deliberate choice.

Maybe "user-id" is mis-named. There are sure a lot of people who tend
to see "user-id" and expect the one-to-one correspondence. I know the
conflation caused me some frustration back in college, and I'm not
sure I got it properly worked out until I put together a few OpenBSD
systems.

Anyway, it should be clear that a system administrator should not be
logged in as a system administrator when he or she is just writing an
e-mail scheduling meetings or something. But even ordinary (human)
users should not be surfing the web as the user they logged in as, and
I'm not talking about keeping my boss from checking my cache for
visits to slashdot or whatever.

As the system administrator for my home box, I want to be able to log
in as a normal user that is not tainted by the web sites I visited
last time I logged in. That means I have a separate administrator
user.

I want one user-id/group-id pair for each bank I have to visit, so
that, even if we can't get the banks to use special-purpose browsers
for the money transactions, I can protect the bank data from the guys
that want to mine my data for their gain, including the other banks.
(Special purpose browsers are preferred, of course.)

And when I need to go surfing through blogs for news, I don't want to
do that with the user I logged in as. Even if/when we can get rid of
the sloppy programming practices Microsoft and their ilk promote, we
can't be sure we have every hole plugged, so it's just going to be
safer to do that as a user that isn't allowed to log in. That means
that, even though I log out of my "worker" user and log back in as my
"play" user, I still want to spawn a nologin user from there to surf.

(This is not pure paranoia. I checked out a company for a job and
discovered that Google had flagged their site as containing malware,
and the guy who ran the company did not have the financial means or
motivation to hire someone to clean the server up. Scared of having to
move off the vulnerable tools he was using, trying to meet a market
window that was fast disappearing, all the excuses.)

Incidentally, I'm doing this much now, using xhost local and sudo. (If
you're curious,

http://reiisi.blogspot.jp/2011/08/simple-sandbox-for-firefox.html

is my blog from when I first got it running. I need to re-write that
explanation, which is part of the reason I'm writing this long-winded
post now. But I still have issues with the input method that I need to
solve. And I need to write some scripts so I don't have to do all the
tweaks by hand every time.)

And I glue it together with per-user groups. Without per-user groups,
I would have to go through serious admin-level contortions to grab a
download. Does that make sense?

--
Joel Rees
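The "surf as a user that isn't allowed to log in" setup the post sketches (a nologin account with its own per-user group, xhost plus sudo to hand it the display and the browser, and group membership so the login user can collect downloads) as one script. This is an added example, not Joel's own script and not the one from his blog post. The account names `worker` and `browse`, the paths `/usr/bin/firefox`, `/usr/sbin/nologin` and `/srv/downloads`, and the `/etc/sudoers.d` drop-in are assumptions; the script also uses the narrower `xhost +SI:localuser:NAME` form rather than the bare `xhost local` the post mentions, because `local:` admits every local account, not just the browsing one. The root-only steps run only with `--apply`; the helper functions can be sourced and inspected anywhere.

```shell
#!/bin/sh
# Hypothetical sandbox-user setup (added example; names and paths are assumptions).
set -eu

WORKER="${WORKER:-worker}"                  # the user you actually log in as
BROWSE="${BROWSE:-browse}"                  # the nologin user the browser runs as
BROWSER_BIN="${BROWSER_BIN:-/usr/bin/firefox}"
NOLOGIN="${NOLOGIN:-/usr/sbin/nologin}"
SHARED="${SHARED:-/srv/downloads/$BROWSE}"  # outside BROWSE's 0700 home, so WORKER can reach it

# Octal mode a new regular file gets under a umask: 666 with the masked bits cleared.
# With a per-user (single-member) group, 002 grants nothing beyond what 022 does.
mode_for_umask() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Sudoers entry: WORKER may run only the browser, only as BROWSE, without a password.
sudoers_rule() {
    printf '%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# xhost entry admitting exactly one local account to the X server.
xhost_entry() {
    printf 'SI:localuser:%s\n' "$1"
}

# True when a shared directory is setgid and group-writable, so anything BROWSE
# saves there keeps the group that WORKER has been added to.
shared_dir_ok() {
    [ -d "$1" ] && [ -g "$1" ] && [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
    # -U: per-user group; nologin shell: reachable via sudo, never via login.
    useradd -U -m -s "$NOLOGIN" "$BROWSE"
    usermod -aG "$BROWSE" "$WORKER"         # WORKER may read what BROWSE downloaded
    mkdir -p "$SHARED"
    chown "$BROWSE:$BROWSE" "$SHARED"
    chmod 2770 "$SHARED"                    # setgid: new files inherit group BROWSE
    sudoers_rule "$WORKER" "$BROWSE" "$BROWSER_BIN" > "/etc/sudoers.d/$BROWSE"
    chmod 0440 "/etc/sudoers.d/$BROWSE"
    echo "point the browser's download folder at $SHARED, then as $WORKER:"
    echo "  xhost +$(xhost_entry "$BROWSE")   # once per X session"
    echo "  sudo -u $BROWSE -H $BROWSER_BIN"
}

if [ "${1:-}" = "--apply" ]; then
    apply
fi
```

Run it as root with `--apply` once; afterwards the two echoed commands are the whole per-session ritual. Because the sudoers rule names a single binary and a single target user, compromising the browser yields a shell as `browse` at worst, an account with no password, no login shell and write access only to its own home and the shared download directory.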
