Hello, today I want to rant about the Linux permission system and how totally broken it is.
Summary of the system: in the Linux permission system each running program (process) gets one User-ID and a set of Group-IDs. Objects in the file system belong to some user, and may also be accessible to some group. Processes with the same User-ID can control each other (stop, look inside etc.). Also any process with User-ID 0 (root) can do whatever it wants to the system, including changing its own User-ID/Group-IDs. Some executable files on the system may have the SETUID/SETGID flag set, which means that when they're run they get an extra User-ID/Group-ID.
This is pretty much the same system Unix had 20 years ago. I think we should drop it completely and get one that actually works.
Here's a short list of things that are wrong with the system:
- Group-IDs are per-process, not per-user. So if user fred is added to group audio so that he can play music on the computer, the programs he is already running still aren't in group audio! He has to log out and log in again before the change takes effect. Reboot after every change? Is this Windows 95 or what?
- Of course the permission system isn't even supposed to work like that. The only user who can control audio should be the one currently logged in at the physical console; one logged in remotely should not have any access to the audio system. This is pretty much unimplementable with the current permission scheme.
- There are no sandboxes, in particular there are no sandboxes for normal users. So it's impossible to run untrusted programs without risk.
- There is no real nouser/nogroup. Each program in nouser/nogroup can mess with other programs in nouser/nogroup.
- There are no per-process root sandboxes either. So one cannot start a foobard server in a way that, even if the server is compromised, it has access to nothing outside. If the server runs as the foo User-ID it can mess with other servers running under the same User-ID. Even if there's no other program with that User-ID now, it can still create a SETUID binary and control servers running with the same User-ID in the future.
- Normal users cannot install programs using standard interfaces. They should be able to install whatever they want for themselves (even if system-wide installations still require administrator permissions).
- For single-user systems, having to remember both a user and an administrator password is silly. Well, Ubuntu is a bit better here, using sudo instead of a root account.
- Users cannot make just one subdirectory of their home directory public without granting some access to their whole home directory. One might want a public ~/public_html/ and everything else private. It can't be done (unless public_html is outside the normal directory hierarchy).
- There are no guest accounts, which would be created just for one session without being able to affect other guests.
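The first point above, that group membership is copied into a process at login, cuts both ways: a group you were just added to is not effective yet, and a group you were just removed from is still held by every process started before the removal. The following shell script is an added example (not part of the original post) that compares what a session actually holds with what the group file currently grants; the `/etc/group` content and the user names in it are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Supplementary groups are copied
# into a process's credentials at login, so this compares what a session
# actually holds with what /etc/group currently grants. Both directions
# matter: a newly granted group is not effective until re-login, and a
# revoked group is still held by every process started before the revocation.

# Constructed /etc/group content used as sample input.
SAMPLE_GROUP_DB='audio:x:29:alice,fred
wheel:x:10:alice
docker:x:999:fred
video:x:44:'

# Print the groups user $1 is a member of according to the /etc/group text $2.
granted_groups() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '{
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] == u) print $1
  }'
}

# Arguments: user, supplementary groups the session holds (space separated),
# /etc/group text. Prints groups granted in the file but not yet held.
pending_groups() {
  held=" $2 "
  for g in $(granted_groups "$1" "$3"); do
    case "$held" in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
  done
}

# Same arguments. Prints groups the session holds although the file no
# longer grants them: access that survives until every such process exits.
stale_groups() {
  granted=" $(granted_groups "$1" "$3" | tr '\n' ' ') "
  for g in $2; do
    case "$granted" in *" $g "*) ;; *) printf '%s\n' "$g" ;; esac
  done
}

# Live usage on a Linux box. The primary group is dropped from `id -Gn`
# because it comes from /etc/passwd, not from the member list:
#   pending_groups "$(id -un)" "$(id -Gn | cut -s -d' ' -f2-)" "$(getent group)"
#   stale_groups   "$(id -un)" "$(id -Gn | cut -s -d' ' -f2-)" "$(getent group)"
```

With the sample data, fred's session holding only `audio` has `docker` pending, and a session still holding `wheel` after fred was dropped from it is reported as stale; the stale case is the one worth alerting on, since revoking a group in the file does nothing to processes that already hold it.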
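The point about a compromised service leaving a SETUID binary behind to regain the same User-ID later is something an administrator can at least watch for. The script below is an added example, not part of the original post: it inventories set-id files under a service's tree and diffs that inventory against a saved baseline. The `foobard` directory layout it builds is a constructed fixture.

```shell
#!/bin/sh
# Added example, not from the original post. A compromised service that can
# write into a directory it owns may leave a SETUID/SETGID file behind to
# regain the same uid later. This inventories such files under a tree and
# diffs the inventory against a saved baseline so that a new one stands out.

# Print setuid or setgid regular files under $1, sorted, one per line.
find_setid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Print set-id files present now under $1 that are absent from the
# baseline file $2 (one sorted path per line).
new_setid_files() {
  find_setid_files "$1" | comm -13 "$2" -
}

# Build a constructed service tree: a normal binary, a planted hidden setuid
# helper and a setgid tool. Prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  mkdir "$d/bin"
  : > "$d/bin/foobard"; chmod 755  "$d/bin/foobard"
  : > "$d/bin/.helper"; chmod 4755 "$d/bin/.helper"   # setuid: the persistence artefact
  : > "$d/bin/tool";    chmod 2755 "$d/bin/tool"      # setgid: known and baselined
  printf '%s\n' "$d"
}

# Run the audit against the fixture with a baseline that only knew the
# setgid tool, and print how many set-id files are new.
demo_new_count() {
  d=$(make_fixture)
  base=$(mktemp)
  printf '%s\n' "$d/bin/tool" > "$base"
  new_setid_files "$d" "$base" | awk 'END { print NR }'
  rm -rf "$d" "$base"
}
```

Run `find_setid_files /srv/foobard | sort > baseline.txt` once after deployment and `new_setid_files /srv/foobard baseline.txt` from a cron job; any output is a file that was not there when the service was installed. Mounting the directories a service can write to with the `nosuid` option makes the kernel ignore the set-id bits on exec there, which removes the persistence path rather than just detecting it.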
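On the public_html point, the "some access to the whole directory" that the author mentions is search permission (o+x) on the home directory: with it, other users cannot list the home, but they can reach any file whose name they can guess and whose own mode allows reading. The script below is an added example, not part of the original post; it walks the permission bits the way the kernel does and lists everything in a constructed 711 home that others could read.

```shell
#!/bin/sh
# Added example, not from the original post. Reaching a file needs search
# permission (x) for "other" on every directory along the path plus read
# permission (r) on the file itself; listing the directory is never
# required. That is why a 711 home still exposes anything with a guessable
# name and a permissive mode, even though nobody else can see what is in it.

# Character $2 (1-based) of the ls -l permission string for $1:
# column 8 is "other read", column 10 is "other execute/search".
perm_char() {
  ls -ld "$1" | cut -c"$2"
}

# Return 0 if "other" can read the file $2 (relative path) under directory
# $1, assuming it can already reach the parent of $1.
other_can_read() {
  root=$1; rel=$2; cur=$root
  case "$(perm_char "$cur" 10)" in x|t) ;; *) return 1 ;; esac
  dir=$(dirname "$rel")
  if [ "$dir" != . ]; then
    old_ifs=$IFS; IFS=/
    for comp in $dir; do
      cur=$cur/$comp
      case "$(perm_char "$cur" 10)" in x|t) ;; *) IFS=$old_ifs; return 1 ;; esac
    done
    IFS=$old_ifs
  fi
  case "$(perm_char "$root/$rel" 8)" in r) return 0 ;; *) return 1 ;; esac
}

# Constructed home layout: 711 home, a public web directory, a private
# directory, and a forgotten world-readable draft at the top level.
# Prints the path of the created home.
make_home() {
  h=$(mktemp -d)
  mkdir "$h/public_html" "$h/private"
  printf 'hello\n'  > "$h/public_html/index.html"
  printf 'secret\n' > "$h/private/notes.txt"
  printf 'draft\n'  > "$h/draft.txt"
  chmod 711 "$h"; chmod 755 "$h/public_html"; chmod 700 "$h/private"
  chmod 644 "$h/public_html/index.html" "$h/draft.txt"
  chmod 600 "$h/private/notes.txt"
  printf '%s\n' "$h"
}

# Audit helper: list every regular file under $1 that "other" can read,
# as paths relative to $1.
other_readable_files() {
  root=$1
  find "$root" -type f | while read -r f; do
    rel=${f#"$root"/}
    other_can_read "$root" "$rel" && printf '%s\n' "$rel"
  done | sort
}
```

For the constructed home, `other_readable_files` reports `public_html/index.html`, which was intended, and `draft.txt`, which was not: the file's own 644 mode and the traversable home are enough, with no listing involved. Running `other_readable_files "$HOME"` is a quick way to see what a 711 home actually exposes before relying on it.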