Suggestion: We remain single user... read on!

Perhaps I am missing something, but what is wrong with leaving Haiku as a single-user OS, security-wise? You could have a login password, an “administrator”-like password to perform certain functions (like installing software) and folder encryption.

In the case of multiple people sharing a computer at home (for instance), each person can simply create and encrypt their own folder (preventing anyone else from accessing it). Perhaps an “Override” button can be placed on encrypted folders where using the “Administrator”-like password will allow someone to access the contents of the folder and make any needed changes (which would also be useful if someone forgot their password).

This allows users to have their private files, allows one person (usually the computer owner) to have full access to their computer if/when needed and helps control what can be done/accessed on the computer. It could be done without having to switch to a multi-user setup.

As far as someone downloading an encrypted folder and decrypting it later: isn’t that impossible? I have not used encrypted folders before, but I thought an encrypted folder could not be accessed at all, including downloading it. If that is not the case, couldn’t the folders be set up so that someone could not download them once encrypted?

Even in a *nix system, someone with access to your computer can do anything they want with the root password. This setup will at least provide similar security as a *nix without having to try to convert Haiku into a multi-user system.

It just seems to me it would be easier to incorporate this into Haiku and keep it single-user.

Whether it is “users” or something more complicated (like SELinux), an OS should have something that can be used to prevent programs from accessing files they’re not supposed to access. Encrypted folders don’t provide such security - once you open the folder, any program can read its contents.

This is why, for example, you should have separate user accounts for shopping online and for playing games you downloaded from the web. (It’s probably best not to do the latter at all, but you get the point.)

Do you want to have to verify no programs that you closed are secretly still running each time you want to access some private files?
For that matter, do you want to have to close all programs just to switch to a different task for a minute?

So, if Haiku is meant for multimedia workstations that aren’t ever connected to a network, then it is fine to stay single user. Otherwise it needs to be multiuser, or have something better (which would most likely be more difficult to implement, and very confusing for actual users).

Of course the difficulty of having multiple users can be solved by letting another OS on a server take care of it, and use haiku as some sort of thin client OS. But then you’re running an extra computer with a comparatively unfriendly OS just to keep your haiku box a tiny bit simpler…?

In my opinion the lowest number of users that is at all acceptable is 2. A privileged and a limited account. Further, both accounts should be nameable. That way you have to guess two things, name and password (as opposed to *nix where you only have to guess passwords due to the omnipresent root; though sudo can help with that, there’s significant discussion on whether or not sudo is itself a security hazard.) And once you have 2 accounts it’s trivial to add the ability to have several.

Why do I feel like 1 user is too few? Because it means you own everything. Which is a risk that I feel is not abated by having to put in your password or a “root” password. Furthermore, I feel that to an end user, single user is less intuitive. After all, that user owns everything, so why is it that they can’t do whatever they want (without a password.) Also you end up with this weird system where some of your files you need a password for and some not. All in all from a usage perspective, single user is not as simple as multiuser. Nor is it as functional. Many people share computers, and having different accounts can also boost security by segregating tasks.

Now what I would think is a better discussion is whether or not we should be able to log into multiple accounts simultaneously. Put differently, whether we should be multiuser serial or multiuser parallel. Security-wise I think serial is better. After all, if you have to log out in order to log in as “root”, then you will be quite aware that something important is going on. Considering that bundles are more of a single-user install option, there won’t be much need to use “root.” The only time you’d need to use root is if you were making system-wide changes, which you should probably cease all activity for anyway. Parallel, on the other hand, is convenient and allows for a lot of interesting possibilities (see the conversation about multiple inputs to one screen). Also, if we are hoping to design a system that could truly become like an appliance to a family, I think parallel will be necessary (and perhaps a computer like Microsoft Surface). Otherwise, unless you have several people who want access to the computer at the same time and they aren’t limited by the fact that there’s only one computer, serial will achieve most of what people will use the computer for.

An interesting security measure might be to have a “can see it” permission set. Basically, if you go to the folder that a “hidden” file is in, you won’t be able to detect it (the containing folder might say that it is empty, despite having several GBs of hidden files). Even if you download or move the folder, it won’t go with it (a new hidden folder with the same name will be created to house the hidden file). Disk utilities should be able to tell you that there’s less room on the drive than what you would think, but wouldn’t be able to tell you where it was. This, combined with an encryption scheme that writes random data to the blank area and makes the encrypted files look like random data, would make it very hard for anyone to even get a good idea of where to look for the file in question. Of course, this is easier said than done, and encryption has its own problems (such as slow decryption).

If we must have multiple users, please don’t introduce hypothetical users (e.g. root) like in most UNIX systems.