Dunno, I'm putting this out there in case anyone has done more thinking on it than I have.
Basically all depends on what tradeoffs you want to make!
@jbauer Even working out how to stop programs from trashing a user's home directory is an interesting puzzle in permissions.
Clearly the user should be able to make a program save there, but a program shouldn't be able to do it on its own, so the program "saving" and the user pointing at the location to save actually have to be on different security layers (in some vague way).
@jbauer here’s the wikipedia page to get you started
@jbauer it’s like instead of having a heirarchy of power, every element of the system is able to individually give or refuse consent, or delegate that ability out.
@jbauer consent can be any user action that gives a clear intent for one element of a system to have access to another. e.g. selecting text and hitting “copy” implies some access to the clipboard, for that one action. a little pop up that asks a yes or no question should be an absolute last resort.
@zens @jbauer It's a bit long, but this article, to me, absolutely nails the explanation of ocaps: http://habitatchronicles.com/2017/05/what-are-capabilities/
If you are interested in capability-based things, there's a crowd of us scattered around the fediverse. :D
@jbauer totally read this as "user is being a tool" and started snickering
I think to make any progress on this we'll have to just stop *thinking* about user accounts. User accounts are for separate humans; abusing them to separate applications is a hack.
I feel like computers - at least client-side ones - are largely single-user these days. I wonder if there's still any point to multi-user support. Abolishing it and giving the user full root, and using hypervised VMs or containers or something for interhuman separation if you need it, seems worth thinking about.
You want a capability system or something resembling one, but I have absolutely no idea how to make capability systems ergonomic. UAC tried and it was bad. Phone app permissions tried in a different way and it was less bad but still bad, and it's getting worse as unrelated permissions get merged together as a hack over side channel attacks.
@jbauer To do better, you need to actually *define* a security model, and that's nearly impossible because literally all the concepts involved here are vague and fuzzy. Like, what are you even giving permissions *to*?
It's not just users, that's the existing Unix model (without apparmor/selinux/etc.) and it has the thing where everything run as a user has the full rights of that user.
It's not processes either. This would be near-optimal in terms of control, but that was UAC and nobody liked UAC.
(edit: no, it's also not near-optimal, I forgot web browsers were a thing)
An application is a single binary, except when it's multiple binaries calling each other, and obviously `cat passwords.txt` run as a subprocess by a human-controlled shell should have different permissions than `cat passwords.txt` run as a subprocess by Totally Legitimate Free Game 2022.
And if you get fancier than that ("what if the entire OS was smalltalk objects with individual capability sets"), you're making users think about implementation details instead of using the computer, and blah.
Burn it all down, start over and just don't invent malware this time.
@emily @jbauer I think the answer is going to be some abstraction layers we don't know how to describe yet, built up from small objects with fine-grained capability sets. I don't see how anything less flexible can express all the variations on what humans want, but indeed, bothering humans about implementation details and making them build mental models of security technology is not going to get good results for the defenders.
Revel in the marvels of the universe. We are a collective of forward-thinking individuals who strive to better ourselves and our surroundings through constant creation. We express ourselves through music, art, games, and writing. We also put great value in play. A warm welcome to any like-minded people who feel these ideals resonate with them.