users, "private" groups, and The Unix Way (was, Re: Is it me or is it sudo?)

Joel Rees joel.rees at gmail.com
Tue Apr 3 15:02:54 UTC 2012


On Tue, Apr 3, 2012 at 9:31 PM, Tim <ignored_mailbox at yahoo.com.au> wrote:
> On Tue, 2012-04-03 at 16:10 +0900, Joel Rees wrote:
>> Well, there is a reason some people don't want universal ID, for example.
>> It's a lot broader topic than you may want to believe. It's similar to the
>> reason your httpd and ftpd (ntpd, nfs daemon, database daemons, etc.)
>> are operating as separate users, and are run by yet another daemon
>> operating as yet another user.
>
> But those /are/ separate users, to apply the user analogy to machines
> rather than people.

On my personal machines, they are me, doing separate tasks.

If I insist on looking at everything I do on the computer as me.

Of course, I suppose you could say that the httpd is the author of the
daemon doing stuff on your computer that you asked him to, in which
case, the httpd is clearly not the user-id he would log in to on your
machine if he had some reason to do so.

There are different ways of looking at things, and, yes, I'm
advocating a point of view you aren't used to or don't like or
something.

> On the other hand, when I'm browsing, typing, reading, mailing,
> downloading, whatever, I am just one person.

Maybe, maybe not. But did I say I would use a different user-id for
each application? If so, I misspoke. (I don't think I said that,
however.)

I know that when I go to Amazon, for instance, I usually do not want
them to know who I am. Thus, when I'm browsing Amazon's web pages, I
probably will use a different subuser than when I am writing e-mail on
the list here (using Google Mail's web interface).

> You seem to be advocating
> changing user logons from what they are, to something else.  Muddying
> things up with application sandboxing.

I'm advocating returning them back to what they were in early Unix,
IDs under which to run a set of related tasks.

Sometimes those related tasks happened to have an approximate
one-to-one correspondence to physical humans. Definitely not always,
except on systems that had BOFH admins. (Those admins were seriously
lacking in understanding of the systems they were supposed to be
administrating, thus the tendency to refer to them as BOsFH.)

But the term "user-id" came, not from the human user, but from a bit
of jargon in which user tasks were anything not system, and, in Unix,
the concept was that the system was another user task, thus the root
user.

> Tim:
>>> Sure, there's /some/ added security in separated accounts for different
>>> activities, and some added privacy
>
>> s/some/a lot of/
>>
>> if you set it up right.
>
> Until you have to do something that crosses over from one to the other
> (such as an email that requires website confirmation), and at that point
> all your quarantining gets instantly negated, past and present.

I've done exactly that, numerous times. I prefer the reply method over
the web browser URL method, but when the former is not offered, I just
copy the URL into the clipboard and paste it into the browser running
as a subuser.

Yeah, I am aware that the fact of the shared paste buffer is evidence
that the wall is porous. But if a web site downloads something into
the subuser's browser, it goes into the subuser's download folder or
cookies or whatever.

Oh, I forget, flash is a pig. Doesn't run in the subuser. So I don't
go to sites that require flash in my work user. Yeah, when I shift to
that mode, I log out of the work user and log in to my play user. That
is no fun, because I can't listen to Heart or APP on youtube while I'm
logged in as my work user. But, really, if I want to listen to music
while I work, I don't have to be listening off of youtube. There are
other ways.

>>> (just recently it's become even more
>>> annoying how if you've logged into one service, you suddenly find that
>>> other things you're looking at have you "logged in as a user" rather
>>> than an anonymous browser).
>
>> Not a particularly recent phenomenon.
>
> I know it's not a new thing, but *recently* it seemed to have become
> worse.  In the past, there was the outcry against Microsoft's Passport,
> as the universal logon, and one login to the system, of which people
> will probably remain logged into during their entire session,
> fingerprints everything that they do.  Between then and now, it seemed
> that most major online services were quite independent from each other
> (e.g. what you did on eBay wasn't reflected on Amazon, etc.).
>
> More recently, the same sort of thing (as Passport) happened again with
> Google, YouTube, Yahoo, and probably some others becoming joined in one
> way or another, behind the scenes, as they've bought into each other.
> You log into one, e.g. so you can leave a comment on something in
> YouTube, and suddenly you notice that you're logged into Google,
> databasing every thing you do from then on, personally.

Well, Blogspot and youtube are Google, so it's not unreasonable for
those logins to be shared. You can turn the sharing off, IIRC. Between
Google and Yahoo, you have to tell both that you want to share logins.
At least, that's the way it was last time I looked.

Cookies, well, yeah, Google's most recent privacy policy kind of
bites. That's another reason I like to separate the users I work
under. I'm logged in now, of course, but I can use google with my
surfing subuser, and Google doesn't see it's me.

>>> But there's a lot of mess in when you need
>>> to be able to bridge between those different accounts (read and write to
>>> the files you saved in the other account).
>
>> Unless you have per-user groups and set the permissions right,
>> in which case it becomes a small, non-repetitive matter of navigation.
>
> Which a lot of people are probably not going to get right (no surprise
> there, because you have to understand it, how to implement it, and how
> not to negate your efforts).  And having commonly accessible data
> through a particular user group may well be a hole in that security
> model.

And that is one of the reasons I'm wasting time trying to tell other
people how to do this, here, on this list.

When I get some time, I need to make some scripts to set the subusers
up, and share the scripts.

> And we're rapidly getting into tinfoil hat territory.

A certain amount of paranoia is healthy.

--
Joel Rees
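Joel mentions per-user groups "with the permissions set right" and scripts to set subusers up. The following is an added example, not Joel's scripts nor anything posted on the list, sketching one way to lay that out on a Linux box: a group named after the subuser, the everyday account added to it, a setgid handoff directory so files either side drops there carry the shared group, and a launcher that runs a program as the subuser on the current display. The account names work and surf, the /home/work/handoff path and the firefox command are placeholders.

```shell
#!/bin/sh
# Added example: one layout for a browsing "subuser" with a per-user group.
# Assumptions (not from the list post): Linux with shadow-utils
# (groupadd/useradd/usermod), sudo and an X server; the account names
# "work" and "surf", the handoff path and "firefox" are placeholders.
set -eu

# Print the root-only steps instead of running them, so they can be
# reviewed first: a group named after the subuser, the subuser with that
# group as primary, and the everyday account added as a supplementary member.
subuser_plan() {
    main=$1   # everyday login, e.g. work
    sub=$2    # subuser for browsing, e.g. surf
    cat <<EOF
groupadd $sub
useradd -m -g $sub -s /bin/sh $sub
usermod -aG $sub $main
EOF
}

# Create a handoff directory both accounts can use: group-owned by the
# subuser's group, setgid so new files inherit that group, nothing for
# "other". Runs unprivileged once the caller belongs to that group.
make_shared_dir() {
    dir=$1
    grp=$2
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 2770 "$dir"
}

# Report the group a fresh file in the directory receives; the setgid bit
# is what makes it the directory's group rather than the creator's primary.
probe_inherited_group() {
    f=$1/.probe.$$
    : > "$f"
    grp=$(ls -ld "$f" | awk '{print $4}')
    rm -f "$f"
    printf '%s\n' "$grp"
}

# Launch a program as the subuser on the current X display. The display
# (and with it the paste buffer) stays shared, which is the porous part of
# the wall; the files the program writes land in the subuser's home.
run_as_subuser() {
    sub=$1; shift
    xhost +SI:localuser:"$sub" >/dev/null
    sudo -u "$sub" -H env DISPLAY="${DISPLAY:-:0}" "$@"
}

# Usage (first line prints commands for root; the rest run as "work"
# after logging back in so the new group membership is picked up):
#   subuser_plan work surf
#   make_shared_dir /home/work/handoff surf
#   run_as_subuser surf firefox
```

The subuser also needs execute permission on the parent directories of the handoff path (a 750 home directory will block it), and files the subuser writes there are readable by the work account through the group but only writable if the subuser's umask allows group write.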

