ioctl() is awful, everyone agrees. It's not virtualizable, it's not 32/64
compatible, it's not typesafe (as you said), it's thoroughly opaque...

The way to structure this is to put your controls in a directory, or a set
of directories, one file per control, rather than using ioctl() on a
single file with different requests. The way you solve the 'remove this
user' is to create these directories on the fly, and zap their contents
when the user logs out: even if the user retains a handle to the
directory, it's empty now so they can do nothing with it. (You might need
a simple non-device revoke() to do this properly, such that all I/O to an
ex-session fd returns -EIO, but this has already been written: it just
hasn't been applied because it's difficult to make it work with things
like PTYs. For this application, we don't care about that at all.) Plan 9
did all this two *decades* ago and got it right: why can't Linux do it?

It's not even hard to make a system that works like this in userspace,
thanks to FUSE.
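
The session-directory scheme described above, as an added example that is not part of the original comment: a userspace model on an ordinary filesystem (not FUSE or kernel code) showing that after logout a retained directory handle resolves nothing, while a retained fd to a control file still accepts writes, which is the gap the revoke() mentioned above would close. The control names and the /tmp path are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical control names: one file per control, not one ioctl request each. */
static const char *CONTROLS[] = { "volume", "mute", NULL };

/* Login: create the session's control directory; returns a directory fd or -1. */
int session_create(char *tmpl) {
    int dfd = mkdtemp(tmpl) ? open(tmpl, O_RDONLY | O_DIRECTORY) : -1;
    for (int i = 0; dfd >= 0 && CONTROLS[i]; i++) {
        int fd = openat(dfd, CONTROLS[i], O_CREAT | O_EXCL | O_WRONLY, 0600);
        if (fd < 0) { close(dfd); return -1; }
        close(fd);
    }
    return dfd;
}

int session_zap(int dfd, const char *path) {  /* logout: zap contents, then dir */
    for (int i = 0; CONTROLS[i]; i++)
        if (unlinkat(dfd, CONTROLS[i], 0) < 0) return -1;
    return rmdir(path);
}

int control_open_errno(int dfd, const char *name) {  /* 0 if it opens, else errno */
    int fd = openat(dfd, name, O_WRONLY);
    return fd < 0 ? errno : (close(fd), 0);
}

int demo(int *before, int *after, int *stale_write_ok) {  /* 0 on success */
    char path[] = "/tmp/session-XXXXXX";           /* constructed sample path */
    int dfd = session_create(path);
    if (dfd < 0) return -1;
    int held = openat(dfd, "volume", O_WRONLY);    /* file fd the user keeps */
    *before = control_open_errno(dfd, "volume");
    if (session_zap(dfd, path) < 0) return -1;
    *after = control_open_errno(dfd, "volume");    /* retained directory fd */
    *stale_write_ok = write(held, "11\n", 3) == 3; /* retained file fd */
    close(held); close(dfd);
    return 0;
}

int main(void) {
    int b = 0, a = 0, w = 0, rc = demo(&b, &a, &w);
    printf("rc=%d before=%d after=%d stale_write_ok=%d\n", rc, b, a, w);
    return rc != 0;
}
```

On a plain filesystem the write through the held file fd lands in an orphaned inode and is harmless; on a real control filesystem that same fd would still reach the driver unless I/O on it is made to fail.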