On Wed, Feb 21, 2024 at 01:22:55AM +0000, Matthew Wilcox wrote: > On Tue, Feb 20, 2024 at 07:25:58PM -0500, Kent Overstreet wrote: > > But there's real advantages to getting rid of the string <-> integer > > identifier mapping and plumbing strings all the way through: > > > > - creating a new sub-user can be done with nothing more than the new > > username version of setuid(); IOW, we can start a new named subuser > > for e.g. firefox without mucking with _any_ system state or tables > > > > - sharing filesystems between machines is always a pita because > > usernames might be the same but uids never are - let's kill that off, > > please > > I feel like we need a bit of a survey of filesystems to see what is > already supported and what are desirable properties. Block filesystems > are one thing, but network filesystems have been dealing with crap like > this for decades. I don't have a good handle on who supports what at > this point. I'm not sure it's critical. 9p supports it already. The big one is NFS, but if this takes off getting it into the next version of NFS or as an extension is going to be the easy part. The critical part is going to be coming up with the new syscall interface, and figuring out the compatibility shims so that the minimum amount of userspace has to be modified to take advantage of it, and figuring out what the compatibility code so that non username aware code does something sensible. But with filesystem support, so that we're persisting usernames and those are the source of truth and old style UIDs are just ephermeral, that part looks tractable. I'm glad the container people are looking at this are already, and I hope they're up for something even more ambitious :) I'd love to kill off the problems with integer identifiers once and for all. One of my professors way way back, who was a big influence on me, made the point that the purpose of the operating system is to virtualize the hardware, so that every program can pretend it has the whole machine to itself. Hence things like virtual memory, and filesystems that let you recursively divide your storage. But that job isn't complete until the operating system lets you recursively subdivide every resource it provides, physical or virtual: hence containers and namespaces. Hence - 64 bit identifiers aren't enough, if we're going to solve this once and for all it's got to be a variable length path. > As far as usernames being the same ... well, maybe. I've been willy, > mrw103, wilma (twice!), mawilc01 and probably a bunch of others I don't > remember. I don't think we'll ever get away from having a mapping > between different naming authorities. *nod* There will still be situations where remapping is needed, but name <-> name mapping is way easier for users to deal with than integer <-> integer. Also - I'd like to get some security model people involved with this, if anyone knows the right people to loop in. That's the part that's the most interesting to me (and what motivated me to post this the other day was Al bitching about apparmor on IRC). I think, in hindsight, that we grew a lot of this strange security model stuff that doesn't at all fit with the Unix security model for the simple reason that creating new permissions domains is just not something you do on an as needed basis, as a normal user. The next natural thing to do with permissions is to extend the permissions model with rwx bits for - parent of current user - subusers of current user ...and probably various acl variants of these. There's some interesting territory to be explored there for sure.
