is there a future for user accounting (getpw* replacement)
Anthony Pankov
ap00 at mail.ru
Mon Feb 17 12:56:57 UTC 2020
Hello, Igor.
You wrote on 17 February 2020, 15:01:14:
> On Mon, 17 Feb 2020 at 11:15, Anthony Pankov via freebsd-hackers
> <freebsd-hackers at freebsd.org> wrote:
>>
>> Greetings,
>>
>> I'm wondering has anybody any thoughts about user accounting
>> provided at the system level?
>>
>> It seems that getpw* doesn't suit the needs of application services.
>> All applications have some external/internal mechanism for storing and
>> retrieving user properties (settings, roles etc). Furthermore they
>> implement their own security policy based on this mechanism.
>>
>> Mostly it is done via LDAP connection or internal store (as for database).
>>
>> It seems that all application developers would be happier if the OS
>> had a few functions to do things such as:
>> - list users of some type;
>> - get user properties specific to application;
>> - get user roles specific to application
>> -?
>>
>> Does anybody have thoughts about what the OS must provide to keep
>> application consistency and make developers happier?
> I think it's dangerous to conflate *application* users with *system*
> users, why would you want to do that in the first place?
That is the question!
First of all, I think there was no technical opportunity to conflate
application and system users, at least because uid_t is 65535 max and
there is a lack of custom user properties.
I can note some cons of splitting *application* and *system* users:
- users of one application are not users of another application by
design. Applications are hard to integrate (yes, there is LDAP but...);
- each application has its own accounting implementation, which enlarges
the attack surface. Furthermore, application developers do not really want
to implement any user accounting parts because it is far away from
application functioning. As a result it is usually implemented
"somehow";
- application users are out of system control. There are system
users, application users, and daemons. It seems there is no
chance to do the thing really right in terms of access control
of the entire system (OS + applications);
- etc.
--
Best regards,
Anthony mailto:ap00 at mail.ru