Security model on Haiku

Hi. I’m not very familiar with Haiku internals and what security measures are implemented in the recent beta, but I think it should have some protection from software running on it. Multi-user or not.

My idea is that it shouldn’t even have such a thing as a root user with full permissions. It should have an admin account like Windows, which still isn’t fully privileged. Software running on it would have to comply with a user-defined policy (or presets, in most cases). If a program tries to access some resources it shouldn’t have or write files where it shouldn’t, the kernel would check the policy and perform one of the actions set by the user:

  • Ask the user for permission (like UAC)
  • Log the request
  • Deny it
  • Allow it without any further action (like it’s now)

Some of the requests that would require it are:

  • accessing keyboard input and screen content outside of owned windows
  • installing new programs, kernel add-ons, certificates
  • using camera/mic
  • editing config of other programs and system files
  • reading/writing directories that are protected by user (for instance, GPG)
  • injecting libraries into other processes, reading their memory

Probably there are more situations, but they’re the most basic ones.

I know that many Haiku users would be against it, because it would get in their way sometimes and be an annoyance. That’s why there should also be an “Allow all” preset. Probably it should even be opt-in rather than opt-out.

I don’t know if it would break the POSIX implementation or would be difficult to implement, but it’s just a proposal. What other security measures are planned for the future?

Security aside, I do not think that there should be anything an admin can’t do. Almost nothing is worse than the pre-installed Windows apps in a hidden, inaccessible folder that I can’t get rid of in Windows 10/11. Needing administrator verification, or a warning about messing with system files, is OK. But I should be able to mess with them if I choose.

1 Like

That’s why there should be a policy and Yes/No prompts. You could just disable this feature, change the level to a less aggressive one, allow some cases or whitelist programs.

Just click on the Security Settings icon and switch the preset. The menu could also do other stuff in the future.

Hi there,

UAC
was/is/will be ever
THE WORST Windows-type implementation of features developed by another OS that work well there - BUT DO NOT work well on Windows, which just annoys/blocks instead of preventing anyone from unexpected results in a well designed way or adding higher privilege when needed. It’s obvious to anyone who knows how miserable the NT ‘win’ technology is if you are not at admin level on your own PC. I reiterate it - as it is important: on your own PC, aka Personal Computer.
That was one of my first acts, to disable it after Win7 was installed for me or for my family.

So no thank you – UAC-like stuff is never needed on Haiku.
Please wait patiently till multiuser is developed on a POSIX base - that has much room for improvement.
Until then please stay on Linux, BSD, etc. … anything else that has such solutions.
There are many who patiently await wider multiuser support too - even application developers here.

We do what we can do - as users :slight_smile: daily runners like me … or casual ones who are poking from time to time at newer and newer betas / nightlies.
Once the development team gets a security oriented developer I’m sure this fraction will also be improved by a quantum leap - just as it was during beta3 and now beta4 as well.
If you had searched the forum better for this topic, then you could have read a ton of what has been written about how multiuser support can be expected in the near future.
For the core team - understandably - it is more important to maintain and improve the general reliability of Haiku and native services … as many as they are, and they have limited time as well, as they do it in their free time that they could otherwise spend on family and other relaxing activities rather than development.
In contrast, 2021 and 2022 were full of new feature developments that enabled more network related improvements (WiFi enhancement, browsers and services availability within browsers and besides), and application/services ports which were originally written for other systems.
Basic reliability improvements (memory management, several cache usages of FSs / apps / layers, lock management in kernel and userland, filesystem support, Haiku install, EFI and better support of new architectures’ alternative HW elements) are also required, as meanwhile RISC-V and ARM support have come much closer to an installable Haiku image. As those architectures are not so PCI-centered, they require a re-design of the approach to driver management / development refactoring, besides the existing difference that some drivers are written in the old way and some of them in the new layout. Those should be merged, while the new design is less complicated, to make it easier to write / implement new drivers as the logic adapts to several CPU architectures (mainboards) that are far from each other even in the case of supportable firmwares (BIOS, EFI, open firmwares, in some cases additional OS loaders).
If you have some acquaintances with C++ programming skills and POSIX security related expertise – patches would be welcomed.
There is room for improvement on the basic level too. :wink:

I don’t have a lot of thoughts as my personal experience in no way lends itself to expertise. However I feel user access controls could be handy if you either don’t trust yourself or software you are installing not to compromise yourself. I feel if there is this measure maybe it is as simple as a safety switch that you could even have as a widget or deskbar icon.

For me, I would never use the feature. My computers are pretty purpose specific and I don’t have any other users. As well, they are not always on. My Haiku machine is not ‘always on’ and with as fast as it boots, it doesn’t need to be (for me anyways).

This is a good feature to contemplate as it opens up a bigger door to the anticipated uses of Haiku. For me personally I don’t see Haiku as a server-esque multi-user environment. It’s one of the things that really turns me off about using my Linux Mint computer as my daily driver.

In later versions of Windows the concept that there was a layer I couldn’t see, control or override infuriated me. I understand this constraint as I type on my corporate-issued laptop while at work, but at home, the fact I wasn’t able to really tear into the system and make a customization always sat heavy with me.

Do we anticipate Haiku ever being used in an environment where things are locked down? If so let’s please not do it by default and make it a very clear and very easily toggled option. Haiku has such a friendliness about itself right now and has the capacity to turn a user into a power user in ways Windows won’t allow and Linux may scare away.

Again, all my own opinion :slight_smile:
-VR

Look!

“Security and BeOS: The Media OS
A State of the Art Security Report on the Pre-Release of
The BeOS Networking Environment (BONE)”

https://www.giac.org/paper/gsec/175/security-beos-media-os/100651

1 Like

It’s not to disallow user customization or breaking everything. It’s to prevent malicious code from doing any damage, unless the user wants it.

It’s obvious that WebPositive shouldn’t edit system files or see what the user does outside the browser. But Tracker should at most warn or do nothing even when the user is breaking the system.

That’s why packages should come with policies that would be visible in HaikuDepot. The camera app should be able to use the cam/mic without any prompt, but internet access could require a permission from the user. If something isn’t written, it’s using the default permissions set by the user, which can allow everything or nothing at all.

Scripts can also be malicious or run from other programs in order to bypass the protection. In that case, there should be a one-time sudo-like command that gives permissions to the shell until execution ends or it executes unsudo. If it’s the user executing commands in the terminal (and not npm doing that), then it should bypass it.

Security managers would be able to install policies and bypass them. Examples of such managers are the package manager and the security settings.

This way it’s hundreds of times more convenient and secure than both the Windows and Linux security models. You only get yourself and your utilities modifying the OS and don’t get prompted at every move. Privacy is also protected by it.

One other thing that could be done with it is VPN and proxy. Packages like Tor would have an “unrestricted internet access” privilege and everything else would have it restricted to a SOCKS proxy if the user wants it. IP leaks are prevented this way. VPN kill-switches would also not break themselves like they sometimes do.

2 Likes
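The policy mechanism sketched in the opening post and refined in the reply above (user presets, per-package declared policies visible in HaikuDepot, user overrides and whitelists, the four actions ask/log/deny/allow, and the one-time sudo-like grant for a terminal session) as a runnable model. This is an added example for this thread, not code from Haiku or from any poster; the resource class names, the preset names, the `PolicyEngine` class and the sample packages are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Action(Enum):
    """The four responses the proposal lets the user choose per request."""
    ALLOW = "allow"  # proceed with no further action (today's behaviour)
    LOG = "log"      # proceed, but record the request for later review
    ASK = "ask"      # prompt the user (UAC-style yes/no)
    DENY = "deny"    # refuse the request


# Hypothetical preset names; the thread itself only names "Allow all".
PRESETS: Dict[str, Action] = {
    "allow_all": Action.ALLOW,
    "log_only": Action.LOG,
    "ask": Action.ASK,
    "deny_all": Action.DENY,
}

# Resource classes from the proposal's list (names are assumptions).
RESOURCES = (
    "input_capture",   # keyboard input / screen content outside owned windows
    "install",         # programs, kernel add-ons, certificates
    "camera_mic",
    "foreign_config",  # config of other programs and system files
    "protected_dir",   # user-protected directories such as the GPG home
    "process_inject",  # library injection / reading other processes' memory
    "network",         # unrestricted network vs. forced SOCKS proxy
)


@dataclass
class PackagePolicy:
    """Policy a package would declare in its manifest (shown in HaikuDepot)."""
    name: str
    declared: Dict[str, Action]


@dataclass
class UserPolicy:
    """What the user configures in Security Settings."""
    preset: str = "ask"
    overrides: Dict[Tuple[str, str], Action] = field(default_factory=dict)
    whitelist: Set[str] = field(default_factory=set)


class PolicyEngine:
    """Stand-in for the kernel-side check described in the thread."""

    def __init__(self, user: UserPolicy, packages: Dict[str, PackagePolicy]):
        self.user = user
        self.packages = packages
        self.audit: List[str] = []       # the "Log" action writes here
        self.elevated: Set[str] = set()  # shell sessions under the sudo-like grant

    def elevate(self, session: str) -> None:
        """One-time sudo-like grant for an interactive terminal session."""
        self.elevated.add(session)

    def unelevate(self, session: str) -> None:
        """The 'unsudo' counterpart: revoke the session grant."""
        self.elevated.discard(session)

    def policy_for(self, program: str, resource: str) -> Action:
        """Precedence: whitelist > user override > package declaration > preset."""
        if program in self.user.whitelist:
            return Action.ALLOW
        override = self.user.overrides.get((program, resource))
        if override is not None:
            return override
        pkg = self.packages.get(program)
        if pkg is not None and resource in pkg.declared:
            return pkg.declared[resource]
        return PRESETS[self.user.preset]

    def check(self, program: str, resource: str, session: Optional[str] = None,
              prompt: Optional[Callable[[str, str], bool]] = None) -> bool:
        """Return True if the request may proceed, recording it where the policy says so."""
        if resource not in RESOURCES:
            raise ValueError(f"unknown resource class: {resource}")
        if session is not None and session in self.elevated:
            self.audit.append(f"{program} {resource}: allowed (elevated session {session})")
            return True
        action = self.policy_for(program, resource)
        if action is Action.ALLOW:
            return True
        if action is Action.LOG:
            self.audit.append(f"{program} {resource}: logged")
            return True
        if action is Action.ASK:
            # With no prompt handler (e.g. a headless script) the safe answer is "no".
            granted = bool(prompt(program, resource)) if prompt else False
            self.audit.append(f"{program} {resource}: asked -> {'granted' if granted else 'refused'}")
            return granted
        self.audit.append(f"{program} {resource}: denied")
        return False


def build_example_engine() -> PolicyEngine:
    """Constructed sample: three packages with declared policies and one user config."""
    packages = {
        "WebPositive": PackagePolicy("WebPositive", {"network": Action.ALLOW, "foreign_config": Action.DENY}),
        "Camera": PackagePolicy("Camera", {"camera_mic": Action.ALLOW, "network": Action.ASK}),
        "Tor": PackagePolicy("Tor", {"network": Action.ALLOW}),
    }
    user = UserPolicy(preset="ask",
                      overrides={("WebPositive", "input_capture"): Action.DENY},
                      whitelist={"Tracker"})
    return PolicyEngine(user, packages)


if __name__ == "__main__":
    engine = build_example_engine()
    print("Tracker edits a system file:", engine.check("Tracker", "foreign_config"))
    print("WebPositive edits a system file:", engine.check("WebPositive", "foreign_config"))
    print("Camera wants the network, nobody to ask:", engine.check("Camera", "network"))
    engine.elevate("term-1")
    print("npm installs under the elevated shell:", engine.check("npm", "install", session="term-1"))
    engine.unelevate("term-1")
    print("npm installs after unsudo:", engine.check("npm", "install", session="term-1"))
    print("\n".join(engine.audit))
```

The precedence order is the design decision worth noticing: a package's own declaration can only make its treatment stricter or looser than the preset, but the user's override and whitelist always win, which is what keeps Tracker free to "break the system" while WebPositive cannot touch it. The "Log" action is deliberately separate from "Ask": a user who chooses the log-only preset gets a trail to review instead of prompts to click away.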

There are some reports on dev.haiku-os.org about this:

Search Results – Haiku (haiku-os.org) (Multiuser)
Search Results – Haiku (haiku-os.org) (Security)

As long as the thing comes all disabled by default, and the setting for enabling it is in a text config file to be edited in the Terminal, it could be somewhat ok. :slight_smile:

But all of this inconvenience doesn’t help the user, and tends to get people just trained to ignore it, like those prompts from Android, where you seem to derive the idea of the “Camera asking for permissions”. People just tend to consider those security prompts as one more thing to just “click away” so that they can use their software/computer the way they want, not like some marketing guy somewhere decided.

Haiku still needs more work in areas much more necessary than this. Not that your ideas don’t have merit, but it simply is not the time, and also too much “security” would end up being something that just turns people away from the OS because of too much bothering. It takes away the fun of exploring, breaking and fixing things.

3 Likes