A different kind of bad week [LWN.net]

A different kind of bad week

Posted Sep 26, 2003 12:51 UTC (Fri) by Wout (subscriber, #8750)
In reply to: A different kind of bad week by cross
Parent article: A different kind of bad week

>> On a desktop system, there is usually one user.
>
>Depends. Many households have one PC which is used by more than one user.
> It's sensible for each of them to have their own accounts, settings, preferences etc.

Yes, but my point is that user files are the most important thing on a desktop system. Yet important as they are, they are also the most vulnerable to viruses and such.

>> What we need is some kind of seperation between user programs that
>> receive untrusted (possibly malicious) input (eg. mail clients) and the
>> user's files. I don't know how that could be implemented without
>> annoying users though.
>
>It's fairly simple. Create a new account solely for the email program. Put yourself and that account in the same
>group (creating it for the purpose). For the sake of argument, "mymail". Make sure that the "mymail" account
>is group readable and writeable, make sure that your account isn't. Now even a malicious executable that your
>email client actually executed wouldn't be able to cause any damage under your home directory let alone
>systemwide. It does mean that if you want to send a document or other attachment you first need to copy it to
>the mymail's home directory. But that's why we made it group writeable.

This is the kind of solution that techies can use, but that are impractical for most other people because they don't understand file ownership, accounts and groups. What you need is protection that is invisible until the user requires it, which is exactly what a snapshot based system can provide. It even provides protection against the quite common case of people accidentily deleting or overwriting their files.

(Log in to post comments)

A different kind of bad week

Posted Sep 26, 2003 14:46 UTC (Fri) by cross (subscriber, #13601) [Link]

> Yes, but my point is that user files are the most important thing on a
> desktop system. Yet important as they are, they are also the most
> vulnerable to viruses and such.

We agree completely on this point.

> This is the kind of solution that techies can use, but that are
> impractical for most other people because they don't understand
> file ownership, accounts and groups.

If you can't explain it simply, you don't understand it well enough (Albert Einstein). The analogy I use is rooms in a house. Even very young kids understand "this is Jamie's room, you don't go in there unless he says it's OK". It's trivial then to grasp "this is Jamie's directory, you can't go in there".

> What you need is protection that is invisible until the user requires it

Which basically means that the installer should take care of it. When you choose "create new user" in your GUI tool and check the "setup mail" box it should create the "jamie" account, the "jamiemail" account and the "jamiemail" group, make a link in Jamie's home directory to "/home/jamiemail" so that Jamie can see it and knows that's where he puts things he wants to email to someone else, or save things some else sent him. You do need to explain that he doesn't leave things there if he wants to be sure they'll still be there tomorrow, but using the previous analogy, that's the difference between putting things away in his room and leaving them out in the back garden. Chances are nobody will come into the garden that night and take them, but they might. It's a concept easily grasped.

Is this non-obvious? Do you think it's non-obvious enough that I could get a patent on it? ;-)

> which is exactly what a snapshot based system can provide. It even
> provides protection against the quite common case of people accidentily
> deleting or overwriting their files.

It's a very good idea, and something that should also be done. But it's a solution to a different problem.