The future of EasyOS: each app running as its own user

Post by BarryK »

At least, will do this for apps that access the Internet.

The upcoming EasyOS 3.0 will have new infrastructure for this, see blog post:

https://bkhome.org/news/202109/infrastr ... -user.html

And today I added Chromium:

https://bkhome.org/news/202109/chromium ... os-30.html

User 'spot' will be deprecated!

Post by BarryK »

Yay, have got SeaMonkey running as user 'seamonkey' and group 'seamonkey' in a container.

Containers run as "crippled root", so had to jump through some hoops to get it to work. When chrooted into the container, many operations, such as 'chown', will not work. However, those operations can be performed just before the chroot. This can be automated.

Post by helloworld »

The idea of "This is how Android works, each app runs as a separate user" is pretty good, but an easy-to-use permission manager needs to be released in the meantime.

I saw that example of SeaMonkey; here is part of its reference:
"The main thing that the script does is create a special script for running SM, /usr/bin/seamonkey (and the original is renamed to seamonkey.bin). Here is the script:"
It will change the SM bin name as it says, but a problem will occur if I update SeaMonkey, because the new SM package will replace the /usr/bin/seamonkey script with its own bin file named seamonkey.
And here is another problem: not all apps will put files in the /usr/bin folder; they may just put files in /opt or other folders.

Post by BarryK »

Yes, if /usr/bin/seamonkey gets replaced by upgrading to a later seamonkey, then it will just run as root.

However, seamonkey is in the easy.sfs, and it will be updated by the next release of EasyOS. Users will not update it themselves.

Ditto for Chromium and Chrome, I will provide these as SFSs. When there is a new one, it will be a matter of replacing SFSs. That won't break anything.

I was thinking of creating a "get-chromium" GUI app, that downloads the latest Chromium and converts it to an SFS, then replaces any pre-existing Chromium SFS. Pretty easy for me to do this, it just needs time.

Note: Puppy Linux also has the capability to run any app as user 'spot', and it does the same thing: replaces the executable, such as /usr/bin/seamonkey, with a script. So same problem if upgrading.
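
The upgrade failure discussed in the two posts above (a package overwrites the /usr/bin/seamonkey wrapper, so the app goes back to running as root) can be detected by inspecting the launcher. This is an added example, not code from the thread or from EasyOS; it assumes the wrapper is a `#!` script that calls the renamed `<name>.bin`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether a launcher is still the per-user wrapper.
# Assumptions: the wrapper is a text script starting with "#!" that invokes
# the renamed original by its "<name>.bin" file name.

# Print "missing", "elf", "script" or "other" for a file.
file_kind() {
    [ -f "$1" ] || { echo missing; return; }
    # First four bytes as hex; the ELF magic is 7f 45 4c 46, "#!" is 23 21.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# Print the state of a launcher such as /usr/bin/seamonkey:
#   wrapped       wrapper script present and calling <name>.bin
#   overwritten   <name>.bin exists but the launcher no longer calls it
#                 (the signature left by a package upgrade)
#   unwrapped     launcher present, never wrapped
#   not-installed launcher absent
wrapper_state() {
    launcher=$1
    name=$(basename "$launcher")
    kind=$(file_kind "$launcher")
    if [ "$kind" = missing ]; then
        echo not-installed
    elif [ "$kind" = script ] && [ -f "$launcher.bin" ] \
         && grep -qF -- "$name.bin" "$launcher"; then
        echo wrapped
    elif [ -f "$launcher.bin" ]; then
        echo overwritten
    else
        echo unwrapped
    fi
}

# Usage: wrapper_state /usr/bin/seamonkey
```

Running this after every package install or SFS swap flags a launcher that has reverted before the app is next started.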

Post by BarryK »

In the first post in this thread, I introduced a new top-level folder /clients

This has now been dispensed with, and users are in /home, like any normal Linux distribution.

The rationale is here:

https://bkhome.org/news/202109/sfsget-i ... dered.html

Post by helloworld »

Well, since each app is running as its own user/client, why not add a firewall config option to the permission manager to block/allow some apps' network connections? Iptables can block a user from connecting to the Internet, so if you run an app as this user/client, the app will be blocked from connecting to the Internet. Like this, Linux can have an app-based firewall like Windows.
