The future of EasyOS: each app running as its own user
Posted: Wed Sep 15, 2021 1:41 pm
by BarryK
At least, will do this for apps that access the Internet.
The upcoming EasyOS 3.0 will have new infrastructure for this, see blog post:
https://bkhome.org/news/202109/infrastr ... -user.html
And today I added Chromium:
https://bkhome.org/news/202109/chromium ... os-30.html
User 'spot' will be deprecated!
Re: The future of EasyOS: each app running as its own user
Posted: Thu Sep 16, 2021 2:46 am
by BarryK
Yay, have got SeaMonkey running as user 'seamonkey' and group 'seamonkey' in a container.
Containers run as "crippled root", so had to jump through some hoops to get it to work. When chrooted into the container, many operations, such as 'chown', will not work. However, those operations can be performed just before the chroot. This can be automated.
Re: The future of EasyOS: each app running as its own user
Posted: Sun Sep 19, 2021 1:13 pm
by helloworld
The idea of "This is how Android works, each app runs as a separate user" is pretty good, but an easy-to-use permission manager needs to be released in the meantime.
I saw that example of seamonkey, here is part of its reference:
"The main thing that the script does is create a special script for running SM, /usr/bin/seamonkey (and the original is renamed to seamonkey.bin). Here is the script:
",
it will change the SM bin name as it says, but a problem will occur if I update seamonkey, because the new SM package will replace the /usr/bin/seamonkey script with its own bin-file named seamonkey.
And here is another problem: not all apps will put files in the /usr/bin folder, they may just put files in /opt or other folders.
Re: The future of EasyOS: each app running as its own user
Posted: Sun Sep 19, 2021 3:22 pm
by BarryK
Yes, if /usr/bin/seamonkey gets replaced by upgrading to a later seamonkey, then it will just run as root.
However, seamonkey is in the easy.sfs, and it will be updated by the next release of EasyOS. Users will not update it themselves.
Ditto for Chromium and Chrome, I will provide these as SFSs. When there is a new one, it will be a matter of replacing SFSs. That won't break anything.
I was thinking of creating a "get-chromium" GUI app, that downloads the latest Chromium and converts it to an SFS, then replaces any pre-existing Chromium SFS. Pretty easy for me to do this, it just needs time.
Note: Puppy Linux has capability also, to run any app as user 'spot', and it does the same thing, replace the executable, such as /usr/bin/seamonkey, with a script. So same problem if upgrade.
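Added example, not part of the thread and not EasyOS or Puppy code: a check for the upgrade problem discussed above, where a package replaces the wrapper script with its own binary and the app stops running as its own user. It assumes only what the thread states (the wrapper is a script and the original was renamed to `<launcher>.bin`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a per-user wrapper that an upgrade has overwritten.
# Assumption: the wrapper is a '#!' script and the real program was renamed
# to <launcher>.bin, as described for /usr/bin/seamonkey in this thread.

# Print the launcher's kind: "script", "elf", "missing" or "other".
launcher_kind() {
    [ -f "$1" ] || { echo missing; return; }
    # First four bytes as hex: 7f454c46 is the ELF magic, 2321 is '#!'.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;
        2321*)    echo script ;;
        *)        echo other ;;
    esac
}

# Return 0 if the wrapper is still in place, 1 (with a message) otherwise.
check_wrapper() {
    launcher=$1
    kind=$(launcher_kind "$launcher")
    case "$kind" in
        script)
            if [ -f "$launcher.bin" ]; then
                echo "OK: $launcher is a wrapper script"
                return 0
            fi
            echo "WARN: $launcher is a script but $launcher.bin is missing"
            return 1 ;;
        elf)
            echo "ALERT: $launcher is an ELF binary; the wrapper was replaced"
            return 1 ;;
        *)
            echo "WARN: $launcher is $kind"
            return 1 ;;
    esac
}

# Check every launcher given on the command line, e.g. /usr/bin/seamonkey.
for l in "$@"; do check_wrapper "$l" || true; done
```

Run it after installing or upgrading a package, passing each wrapped launcher path as an argument.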
Re: The future of EasyOS: each app running as its own user
Posted: Sun Sep 19, 2021 3:24 pm
by BarryK
In the first post in this thread, I introduced a new top-level folder /clients
This has now been dispensed with, and users are in /home, like any normal Linux distribution.
The rationale is here:
https://bkhome.org/news/202109/sfsget-i ... dered.html
Re: The future of EasyOS: each app running as its own user
Posted: Mon Sep 20, 2021 8:58 am
by helloworld
Well, since it is each app running as its own user/client, why not add a firewall config option to the permission manager to block/allow some apps' network connections? Iptables can block a user from connecting to the internet, so if you run an app as this user/client, the app will be blocked from connecting to the internet. Like this, Linux can have a firewall based on apps like Windows.