l4-hurd

From: Marcus Brinkmann
Subject: Re: Supporting POSIX *users* (was: Re: Does supporting POSIX applications require ACLs?)
Date: Wed, 26 Oct 2005 09:35:38 +0200
User-agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (Sanjō) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)

At Tue, 25 Oct 2005 19:17:24 +0200,
<address@hidden> wrote:
> > I'm not convinced that we have to support ACLs.  I think the question
> > needs to be asked: how many applications rely on ACLs?  Many
> > applications just open files and read and write some bytes.  For these
> > applications, the fact that access is granted based on an ACL, a
> > capability or something else is immaterial: if open succeeds and
> > returns a file descriptor to the named file then all is well.
> 
> The most important piece is missing in your picture: The user.
> 
> When RMS decided to go for a UNIX-like system, although he considered it
> inferior, he didn't do so because of existing POSIX applications. (In
> fact, at that time practically no free POSIX applications existed.) He
> did so because of the users who were *familiar* with UNIX, so they could
> easily switch.

If you make the same argument today, you will end up with a graphical
desktop system.  Users today don't know Unix, they know MS Windows.
That's a matter of fact.

The Unix user ID concepts and file system access bits cause
_considerable_ confusion among new users.  This is independent of
their intelligence, commitment, or motivation.  I have seen this
confusion, and it is justified ("execute" allows me to enter a
directory???)

I think you have a much better chance starting with a completely
private desktop (that's a concept people are familiar with), and then
have something like an "exchange box" for capabilities where users can
say: Ok, this file here, I want to give access to it to some user foo.
Or: I want to share this folder here over the network.

These are concepts that human beings can easily relate to.  rwx on
files and directories, plus setuid and setgid bits, and all the
associated pitfalls and race conditions, that's something you need a
grey beard and a hat for ;)
 
> There is no point in building one more completely different system that
> happens to allow running POSIX applications. Shapiro is already working
> on such systems, and probably others. Why would we want to compete with
> those?

I don't understand this argument.  There are plenty of perfectly
traditional systems that implement POSIX.  What's the point of writing
another one and competing with systems like GNU/Linux, BSD, Solaris,
MacOS X, even MS Windows (slowly emerging :)?

Note that the idea is not to compete with EROS, or Plan 9, or similar
systems, but to learn from them.

> What we want is a system that, at least at the surface, *feels* like a
> UNIX system. Of course, as users and hackers become more proficient with
> the Hurd, they will use the advanced non-POSIX features more and more;
> but all this is additional bonus, *not* a thing the users should be
> confronted with against their will.
> 
> The GNU system was to improve on UNIX in non-intrusive ways, and so is
> its kernel, the Hurd.

I don't see a way to start with POSIX and then improve it from there.
POSIX has inherent insecurities built in.  There are not many, but
they are rather critical, and starting with POSIX and then going from
there doesn't seem to be a good option.  Once a system is insecure it
is very difficult to secure it after the fact.  Just look at the
enormous problems all those projects have trying to secure Linux.

If you have some ideas about this, let us know!

Thanks,
Marcus
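The two Unix rules Marcus points to as confusing (the x bit on a directory grants traversal rather than reading, and only one of the owner/group/other classes is ever consulted) are easy to state but easy to get wrong. The following model of the POSIX discretionary access check is an added illustration, not code from this thread or from the Hurd; the tree of inodes, the uids/gids and the mode bits are constructed for the example, and `access()` and `resolve()` are names chosen here rather than any kernel's API.

```python
"""Toy model of the POSIX mode-bit access check (constructed example).

It demonstrates the pitfalls discussed in the thread:
  * a directory is entered with its X (search) bit, listed with R;
    a world-readable file under a 0o700 directory is unreachable;
  * exactly one permission class is used: the owner of a 0o060 file
    gets nothing even though its group has rw.
Root's override (CAP_DAC_OVERRIDE on Linux) is deliberately not modelled.
"""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits within one 3-bit class


@dataclass
class Inode:
    owner: int
    group: int
    mode: int                      # nine permission bits, e.g. 0o750
    is_dir: bool = False
    children: dict = field(default_factory=dict)


@dataclass
class Process:
    euid: int
    egid: int
    groups: frozenset = frozenset()  # supplementary groups


def class_bits(inode: Inode, p: Process) -> int:
    """Select the single class POSIX consults: owner, else group, else other."""
    if p.euid == inode.owner:
        return (inode.mode >> 6) & 7
    if p.egid == inode.group or inode.group in p.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def permitted(inode: Inode, p: Process, want: int) -> bool:
    return class_bits(inode, p) & want == want


def resolve(root: Inode, path: str, p: Process) -> Inode:
    """Walk the path; every directory on the way needs X (search), not R."""
    node = root
    for name in [c for c in path.split("/") if c]:
        if not node.is_dir:
            raise NotADirectoryError(name)
        if not permitted(node, p, X):
            raise PermissionError(f"search denied before {name!r}")
        if name not in node.children:
            raise FileNotFoundError(name)
        node = node.children[name]
    return node


def access(root: Inode, path: str, p: Process, want: int) -> str:
    """Return 'ok', or a short reason why the operation is refused."""
    try:
        node = resolve(root, path, p)
    except (PermissionError, FileNotFoundError, NotADirectoryError) as e:
        return f"{type(e).__name__}: {e}"
    return "ok" if permitted(node, p, want) else "EACCES on final component"


def build_sample() -> Inode:
    """Constructed tree (uids/gids/modes are made up for the example):
    /home/alice        0o711 alice  -> others may traverse, not list
    /home/alice/notes  0o644 alice
    /private           0o700 alice
    /private/pub.txt   0o644 alice  -> readable bits, but unreachable
    /shared            0o755 root:staff(100)
    /shared/report     0o060 bob:staff -> owner class (bob) gets nothing
    """
    notes = Inode(owner=1000, group=1000, mode=0o644)
    alice_home = Inode(1000, 1000, 0o711, True, {"notes": notes})
    home = Inode(0, 0, 0o755, True, {"alice": alice_home})
    pub = Inode(1000, 1000, 0o644)
    private = Inode(1000, 1000, 0o700, True, {"pub.txt": pub})
    report = Inode(owner=1001, group=100, mode=0o060)
    shared = Inode(0, 100, 0o755, True, {"report": report})
    return Inode(0, 0, 0o755, True,
                 {"home": home, "private": private, "shared": shared})


if __name__ == "__main__":
    root = build_sample()
    bob = Process(euid=1001, egid=100)
    for path, want in [("/home/alice/notes", R), ("/home/alice", R),
                       ("/private/pub.txt", R), ("/shared/report", R)]:
        print(f"bob {path:22} -> {access(root, path, bob, want)}")
```

Running the script as written prints bob's four attempts: he reads alice's notes by name while being unable to list her directory, cannot reach a world-readable file behind a 0o700 directory, and is refused on a file he owns because the owner class has no bits. This is the kind of result the thread argues ordinary users should never have to reason about.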
