Remix.run Logo
progval 6 hours ago

Most programmers and power users install large dependency trees with npm/pip/bundler/... on the same user account as their main browser on a regular basis. Even on Linux where it's easy to create new user accounts. This isn't much different.

chrisandchris 2 hours ago | parent | next [-]

Two bads doesn't give you one good.

brookst an hour ago | parent | next [-]

No, but when you’re arguing that common practices followed by pretty much everyone is “bad”, it’s hard to muster much urgency.

Yeah, we should do this differently. We should probably also eat healthier and get to the gym more.

reactordev 2 hours ago | parent | prev [-]

no, but it does give one multiple vectors for exfiltration of your data which is a good thing for the scammers of the internet. A bad thing if you naively designed your package management system. Sadly, it's only going to get worse.

XorNot 5 hours ago | parent | prev | next [-]

It has never been easy to create separate users on Linux, certainly not for tasks where you need to switch between contexts.

Docker was amongst the biggest steps forward on this in a long time.

seanhunter 4 minutes ago | parent | next [-]

It has always been very easy to create separate users on Linux and certainly for tasks where you need to switch between contexts.

Linux is a unix, so has always been multi-user and sharing any data between processes is facilitated in all manner of ways. So context could be shared over files or unix-domain sockets or shared memory or tcp or udp sockets or via message passing or … a bunch of other ways. That has been the case since 1996 or so when I started using it certainly.

progval 4 hours ago | parent | prev | next [-]

I meant for CLI tasks. Just "adduser" and "sudo -u <user> bash".

brookst an hour ago | parent [-]

And when you want to share some but not all files with that one user but not other users you created for similar purposes?

And when you want the outputs of that user back to your main user?

And when you want that user to access some shared credentials for external services, but not all?

It’s not the account setup that’s hard, it’s the workflow of spreading a single real-world across multiple accounts.

seanhunter 3 minutes ago | parent | next [-]

All of those use cases are very easy to facilitate using filesystem permissions and groups.

gumby 30 minutes ago | parent | prev [-]

That’s what user groups are for.

liveoneggs 41 minutes ago | parent | prev | next [-]

unix (and linux) has always been multi user. It is as easy as it gets for multi-user workflows in every context. It was, literally, built for it.

You can run each of your virtual desktops as their own user. You can run individual apps on the same desktop as different user accounts. Hundreds of separate users can login to the same computer. My own computer, right now, has 40 different user accounts running stuff in the background.

I can't even think of a scenario where using separate users is difficult.

KronisLV 31 minutes ago | parent [-]

> You can run each of your virtual desktops as their own user. You can run individual apps on the same desktop as different user accounts.

Literally never have I ever seen any of the desktop environments integrate this conveniently, albeit CLIs are better in that regard. "You can" isn't the same as "it's the idiomatic approach to doing X". Same with installing packages in a per-user way, so a bad package can't harm anything outside of its sandbox (which in practice you achieve with containers, but those can be inconvenient to work with and you'd probably want VMs for more security anyways). You can have many users, sure, but all it takes is one bad system-wide package, one bad script executed as root (e.g. install scripts, compromised packages) or even not being careful enough with file permissions and things go wrong.

Contrast that to Qubes: https://doc.qubes-os.org/en/latest/introduction/intro.html#q...

Now that was literally built for such a use case (it's based on isolated VMs and works well with Linux distros inside those, really cool project).

vladms 4 hours ago | parent | prev | next [-]

I do not know since when (I am using it for couple of years), but in Arch, it is very simple to have two X sessions (by using "log out" > "switch user") for two different accounts, so switching it's just a Control-Alt-F7 away.

Additionally, one can make the main user part of the group of the development user, so that you can read/write easy in the development user account and it is even easier to share stuff.

eru 3 hours ago | parent | next [-]

It doesn't really matter which distribution you use, you can use approximately all the software with any distribution.

They mostly differ a bit in how they are configured and what package manager they use and how they roll out updates. (And in what's installed by default.)

graemep 3 hours ago | parent | prev [-]

Multiple X sessions has been possible for decades. I think its possible with Wayland too.

You can also start applications as another user so you do not even need multiple sessions.

There are quite a lot of privilege escalation attacks so I am not sure this is sufficiently solid.

wafflemaker an hour ago | parent | next [-]

It's off topic, and it was also possible for decades, but:

you can connect two sets of mouse, keyboard and monitor to one PC and have two people using it, each running their own X session. The true multi boxing!

vladms 3 hours ago | parent | prev [-]

Possible and available without any specific configuration on my side (except creating the user) are different things. I know I managed it many years ago with some effort, but nowadays it was just available.

You are correct that it should not be seen as a perfect protection, but considering the effort to set it up I see it as worth it. By seeing in this thread how many people do not use anything similar (ex: containers, separate users, etc), I hope attackers will just be lazy and target those people first, why bother with a local privilege escalation when interesting data is just in the same account?

4 hours ago | parent | prev | next [-]
[deleted]
consp 4 hours ago | parent | prev | next [-]

sudo useradd -m [username] ?

su [username] ?

Or am I understanding your idea about switching context wrong?

indigo945 3 hours ago | parent [-]

This doesn't really when the CLI tool needs to access any data in your /home. There isn't a straightforward way using standard POSIX tools to share a directory with another user. (Of course it's possible, but it's not easy.)

WhyNotHugo 25 minutes ago | parent | next [-]

> There isn't a straightforward way using standard POSIX tools to share a directory with another user.

* chmod lets you share with everyone

* addgroup and chown let you share with a specific group of users.

grosswait 2 hours ago | parent | prev | next [-]

Then you set up a shared directory with common group permissions

tempfile 3 hours ago | parent | prev [-]

If the CLI tool needs to access arbitrary data from your home directory, then it is you. There is no security boundary between you and another user with full access to everything you own.

If you want to share specific directories, you can just put the shared directory in a common location, set it to be owned by some group, and make both users a member of that group. I don't see anything not-straightforward in there?

delamon 2 hours ago | parent [-]

Or even use acl(5), which is simplier than making arbitrary groups.

j-bos 3 hours ago | parent | prev | next [-]

While I agree, containerization is awesome, on linux, you can just create a devUser and `sudo devUser theThing`

reactordev 2 hours ago | parent [-]

not the same thing. Containerization prevents devUser from accessing your machine root with its root. By containerizing, if devUser tries to sudo or su and gets a root, it will only be their root and not your root. Read up on cgroups.

progval 2 hours ago | parent | next [-]

Successful sudo from a cgroup still makes you root on the machine. What you want for this is user namespaces, not (just) cgroups.

reactordev an hour ago | parent [-]

yes, you would setup namespace and unshare it once mounted to isolate the sandbox so root only sees the sandbox / and not your /

grosswait 2 hours ago | parent | prev [-]

Why would you allow devUser sudo?

reactordev an hour ago | parent [-]

normally you wouldn't but there are some instances where a script or something requires sudo in which case you would need to namespace the cgroup and do a little more work to prevent escaping the sandbox. I can think of a few cases where sudo is required for cgroups/containers from the sandbox side so it can install services and things but ideally you would isolate everything to the devUser UID or GID.

hansmayer 2 hours ago | parent | prev [-]

[dead]

shaky-carrousel 5 hours ago | parent | prev [-]

Most programmers use docker or don't install extensions unapproved by their company.

_joel 4 hours ago | parent | next [-]

That's patently not true, source, me, a DevOps manager who has had to roll out proper docker and security policy for devs for the past 10 years :)

kelnos 35 minutes ago | parent [-]

Your anecdote does not make GP's comment "patently untrue". It's just a counter-example, and we don't know how prevalent your scenario is compared to GP's.

(And I agree with the GP. I'm fairly cynical about most developers' security stance and threat model. Source: my own usage patterns.)

iamflimflam1 5 hours ago | parent | prev | next [-]

I think you should clarify that with “most programmers I work with”.

shuwix 4 hours ago | parent [-]

He should clarify that "most" can be easily replaced by "all" as it was determined by statistical pool of whopping 1 person - himself.

And also clarify that it's all lie. He just want to tell the anonymous crowd "look, I'm better than you".

shaky-carrousel 3 hours ago | parent [-]

You should also clarify that you pulled your statements out of your butt to look edgy. Everyone in every team I worked for the last ten years use docker. Docker is old tech. If you and your cavemen devs ignore what it is, that's your problem.

shuwix 2 hours ago | parent | next [-]

I hit the nail hard considering you went ballistic.

Keep making up stories how you use best practices only and do everything by the book.

I bet my testicles that in similar fashion, you are lecturing others on IAM while you store credentials in notepad and swnd it via mail. And lectures about backup, RTO, RPO, while you don't have any systematic backup and never heard about use of geographicaly isolated backup, or WORM.

kelnos 33 minutes ago | parent [-]

I don't think the GP said anything about their own practices, just their impression of the majority of devs.

Maybe turn down the temperature on your vitriol a bit?

_joel 3 hours ago | parent | prev [-]

Docker is old tech, yes, doesn't mean every dev in the world uses it. They don't. Jails/zones are even older (hell a chroot). Did developers all use those before due to them being 'old tech'. No.

Izmaki 5 hours ago | parent | prev [-]

In my experience more than 9/10 programmers I've worked with have never used Docker before and of those who have, the majority have never used Docker for anything personal.

If I hand them an image for a Dev Container, sure, they might use it, but it becomes "a thing we need to do, to compile our code in our IDE" not a tool they would use for isolation*.

*) OP seemed to imply that containerization would be nice for safety and security compared to bare metal, but containers were never built for isolation in the first place, mind you. They are namespaces and chicken-coop-like-jails at best.