From: Igor Mozolevsky
Date: Mon, 17 Feb 2020 13:21:22 +0000
Subject: Re: is there a future for user accounting (getpw* replacement)
To: Anthony Pankov
Cc: FreeBSD Hackers

On Mon, 17 Feb 2020 at 12:56, Anthony Pankov wrote:

> > I think it's dangerous to conflate *application* users with *system*
> > users, why would you want to do that in the first place?
>
> That is the question!
>
> First of all, I think there was no technical opportunity to conflate
> applications and system users at least because uid_t is 65535 max and
> lack of custom user properties.
>
> I can note some Cons for splitting *application* and *system* users:
>
> - users of one application are not users of another application by
> design. Applications are hard to integrate (yes, there is ldap but...);

... and SASL, and PAM (if you really have to)... and Federation (if
you really-really have to)... Why should the OS be "Application
Aware"?

> - each application has its own accounting implementation, which enlarges
> the attack surface. Furthermore, application developers do not really want
> to implement any user accounting parts because it is far away from
> application functioning. As a result it is usually implemented
> "somehow".

You speak of enlarging the attack surface, but that attack surface is
limited to the single application (or a badly designed collaboration
of several)! You do realise that if one were to have a universal
"user" awareness, then one compromised account exposes the whole
system?! The problem you describe seems to be the "lazy app
developers" who can't be bothered to do things properly and want to
palm off what is essentially the application logic down to the layer
below.

> - application users are out of system control. There are system
> users, application users, and daemons. It seems there is no
> chance to do the thing really right in terms of access control
> of the entire system (OS + applications).

If the application users are out of the system control, then application
users cannot interfere with the system, and that sounds like a very
sound design! ;-)

Best,
--
Igor M.