
[systemd-homed] Systemd's new concept for User Management

Not sure if it was mentioned yet, and I couldn’t find it, so:

Systemd is planning to extend its use case to user management, both in terms of credential/login management and user data.
Since systemd is more or less the de facto standard by now, I’d assume most distributions would implement this once it’s done.

Since there will probably be enough people pointing out the negative stuff and being anti-systemd, I’d like to point out some interesting positive points:

  • In the intended system, your /home directory would be an encrypted LUKS container, as I understand it. Encrypted with your user. That means encryption by default, which automatically decrypts on login and encrypts on logout or screen lock. Yay for more encryption that’s default and easy to use.
  • Your user and /home become a single entity with everything collected in a single place. This would allow easy portability of your user with all the settings, permissions and everything else attached. You could literally have your entire user on a stick, work at work, pull that out and move it to your home PC. Log in with the same credentials, have the same data and the same permissions on a completely different machine.
    This could also be interesting in office environments, where BYOD is becoming more of a thing and people often move between workstations.
  • There would now be a single place where any and all authentication could hook into, and one place where an admin can change permissions, quotas or settings for any user.
    So instead of crawling through 4 different places to change the name, home folder, quota or sudo permissions, all would be in one place.

I know that this is a bit away still. And I also know that a lot of Linux “old-timers” aren’t too fond of systemd specifically and centralization of functionality in general.

Me, being pragmatic and without historical prejudice, I think it’s a good idea that someone looks at the current way users are handled and maybe brings some fresh ideas into that realm. The current system has been around for a long time; security requirements have massively increased and systems have got more complex since its original inception. Maybe it’s time for a change…

5 Likes
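The three points above (a LUKS home that follows the user, lock on screen lock, one place for name, quota and sudo rights) are what the proposal later shipped as, with the `homectl` command of systemd-homed. The script below is an added example, not code from the post or from the systemd project; it assumes a machine already running systemd-homed and the `homectl(1)` command line of the released tool (the post predates it). The user name `nbr`, the `/dev/disk/by-id/...` device path and the sizes are placeholders, and `DRY_RUN=1` prints each command instead of running it, so the script can be read through on any machine without root.

```shell
#!/bin/sh
# Added example: one-place management of a portable, LUKS-backed home with homectl.
# Assumes systemd-homed is running. DRY_RUN=1 prints the commands instead of
# executing them (no root, no homed needed); unset it on a real homed machine.
set -eu

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the user. The LUKS image is placed directly on the removable disk, and the
# quota (--disk-size) and the sudo right (--member-of=wheel) live in the same user
# record inside that image: no separate /etc/passwd, /etc/sudoers or quota edit.
# homectl prompts for the new password on the terminal.
# Usage: create_portable_user USER BLOCKDEV SIZE
create_portable_user() {
    user=$1 stick=$2 size=$3
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -b "$stick" ]; then
        echo "not a block device: $stick" >&2
        return 1
    fi
    run homectl create "$user" \
        --storage=luks --image-path="$stick" --fs-type=btrfs \
        --disk-size="$size" --member-of=wheel \
        --real-name="Portable $user"
}

# Later changes go through the same record, on whichever machine the stick is in.
grow_quota()   { run homectl resize "$1" "$2"; }          # e.g. grow_quota nbr 40G
add_to_group() { run homectl update "$1" --member-of="$2"; }

# Lock drops the LUKS key from the kernel while the session is locked; unlock
# asks for the password again. A screen-locker hook calling lock_home is the
# assumed integration point here, not something the post specifies.
lock_home()   { run homectl lock "$1"; }
unlock_home() { run homectl unlock "$1"; }

# Show the record as homed sees it (storage, disk size, groups, ...).
show_home()   { run homectl inspect "$1"; }
```

Plugging the stick into another homed machine and logging in (or running `homectl activate nbr`) reads the record out of the image, so the quota and the `wheel` membership travel with the home rather than being re-entered per workstation. The `-b` check only runs outside dry-run mode because the placeholder device does not exist on a test machine.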

I’ve learned to semi-like systemd. However, it goes against the philosophy of “1 program, 1 task”. If we have systemd doing everything, then perhaps it is no better than Windows?
Additionally, more features/functions introduce (potentially) more bugs and security exploits, as well as being harder to maintain, much like Windows.

Personally I have 2 issues with systemd. The log file is a binary file and not a text file. That makes it a bit harder to view from a live distro if the system becomes borked and rescue is needed. The other is it tries to do too much IMO.

1 Like

Can we PLEASE keep Windows out of this.
It’s got nothing to do with it.

It does. And i personally don’t care. It’s a “guideline” developed 30 years back by people trying to write an OS. It’s incredible that it worked so far, but it’s also only a guideline. There is no technical reason for it to be the only way it could work.
It’s also not objectively better. Just a different approach. And I’d disagree that it makes it more complex. Having the same functionality spread over 10 tools maintained in 10 codebases by 10 groups of people all trying to work together isn’t better or worse than pulling it all together under one codebase. It’s just a different approach.

Or would you also like to have one editor to input text into documents and another one to edit text? Maybe a third one to format it… See what I mean? What is one task?

3 Likes

I think the ideas are interesting, but I wonder how that would work with a centralised user account database, you know, the kind most organisations use nowadays? Also, I think relying on an encrypted home directory like this is inviting trouble. What if keys are lost, for instance?

Most of everyday security is about keeping spambots, miners and rootkits off the system. Encrypted filesystems usually only help against a physical attack, so the gained security would be pretty negligible.

The thing about “do one thing well” is that it leads to programs that are easily interchangeable. At this point, if you were to replace systemd with a better init process, you’d have to replace the entirety of systemd, thus ripping out logs, hardware monitoring et cetera. This is why I am a big proponent of slicing systemd up into more manageable chunks.

Apart from that and the more-sensitive-to-bitfaults binary logs (easily mitigated, just configure systemd to spew proper logs too), I think systemd is fine.

2 Likes
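Two posts above raise the binary journal: that it is hard to read from a live distro when the system is borked, and that it is "easily mitigated" by having systemd write proper text logs as well. The script below is an added example, not code from either post; it assumes a systemd system with `journalctl(1)`, and the drop-in directory and keys are the documented ones from `journald.conf(5)`. One caveat the post leaves out: `ForwardToSyslog=yes` only hands each message to a classic syslog daemon (rsyslog, syslog-ng); that daemon must be installed and running to produce the text files, the drop-in alone writes none.

```shell
#!/bin/sh
# Added example: keep a plain-text copy of the journal, and read a dead system's
# journal from a rescue/live environment. Assumes journalctl(1) is present; the
# drop-in directory argument is a parameter so the writer can be exercised
# without root.
set -eu

# Write a journald drop-in. Storage=persistent keeps the binary journal on disk under
# /var/log/journal so it survives reboots and can be read offline; ForwardToSyslog=yes
# sends every message to a running syslog daemon, which writes the text logs.
# Usage: write_journald_dropin [DIR]   (default /etc/systemd/journald.conf.d)
write_journald_dropin() {
    dir=${1:-/etc/systemd/journald.conf.d}
    mkdir -p "$dir"
    cat > "$dir/10-text-copy.conf" <<'EOF'
[Journal]
Storage=persistent
ForwardToSyslog=yes
EOF
    printf '%s\n' "$dir/10-text-copy.conf"
}

# From a live distro with the broken root filesystem mounted at $1 (default /mnt):
# first check the journal files for corruption (the bit-fault concern), then read
# error-and-worse messages straight from those files, no booting of the dead
# system required.
# Usage: read_offline_journal [MOUNTPOINT]
read_offline_journal() {
    root=${1:-/mnt}
    journalctl --directory="$root/var/log/journal" --verify
    journalctl --directory="$root/var/log/journal" --priority=err --no-pager --lines=50
}
```

After writing the drop-in on a live system, restart journald (`systemctl restart systemd-journald`) for it to take effect. `--verify` reports which journal files are damaged; `journalctl --directory` still reads the intact ones, so partial corruption usually loses a window of entries rather than the whole log.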

It wouldn’t. It’s a complete redesign of how Users are handled. Ergo centralized User Management would also need to be redesigned. Same for SSH.

How would you “lose” them if the key is your user account? It exists or it doesn’t. But as said, technical details are sparse at the moment, so who knows how it’ll work.

Encrypting filesystems on all machines is an integral part of security in businesses. Yes, miners and other exploits are much more prevalent, but keeping someone from physically accessing data on your device is pretty important too. Saying “Nah, don’t bother because other areas are much worse” isn’t the right way to go about things. Especially when the tool you develop can do jack about trojans.

Encrypting at a user level would also protect against accessing sensitive data on multi-user systems without too much setup fuss.

I still question what “one thing” is. It feels like a very arbitrary definition when vim is allowed to have a file browser (netrw). In all the discussion I get the feeling that this philosophy is mostly a talking point for not having to adopt new things.
I’ve yet to see a reasonable technical explanation for why it’s objectively better

Then you need to read The Art of UNIX Programming by Eric S. Raymond.

The basic gist of it is, by keeping things simple, a lot of complex things become simply a string of simple commands. It’s the same philosophy as CISC vs RISC.

I do agree both vim and emacs stray from this thought; emacs is more in line with it though, because emacs is built in a modular fashion where one module does one thing and… at least tries to do it well. :wink:

1 Like

Ok, but now you’re arguing for “simple”. I was specifically asking for “better”. Simpler is not always better. Otherwise we’d all still be programming assembler, which we don’t (mostly).
I’ll try to read your link, but this might take some time :wink:
But that’s the entire point. All the “Unix philosophy” proponents are making this a philosophical discussion, which is fine to have, but not very pragmatic. We can argue about it all we want, but sometimes it’s just a question of getting the job done, not getting it done by adhering to a specific set of arbitrary rules.

I’m sure adoption of this new “technology” would imply that it brings an improvement to the table in some form. If it doesn’t, or is technically worse, i doubt it’ll find wide adoption. So, let’s just see what comes out of this.
I personally just think that questioning long-standing principles can be a way to success and change that might be needed.

I like using systemd as an init system, and I find making background tasks into services very useful. But other than that, I don’t use too many features of systemd. I want to continue my current practices with user management but stay up to date. Will this future systemd include an option to revert to the users system we all know and love?

I would totally script this and have an uploaded cloud version, then if something happens to my stick, I can download my data and be back in action on the USB.

Overall it is something that is very cool and something simple.

3 Likes

Good question. Judging by how they handle services, there could be an “interface” layer, that translates your old configuration to new systemd-userd stuff. So, you make your changes as always and systemd makes that into what ever the new system is. But, who knows.

Noooo, not The Cloud, dun dun duuuun… I like the separation of church and state, by having home on a separate drive to root, so I can just bin the install and have my stuff, but I don’t want to run an online VPS/ownCloud…

The madman actually did it!

I’m very interested in seeing how it’ll work out.

2 Likes

this would totally screw up the way I handle things on my end. I do not want systemd encrypting my home directories or handling home in any way.

systemd already makes logs harder to deal with, as well as problems I have run into with init (systemd starting sddm too early, for instance).

It’s much more obfuscated.

This sounds like systemd trying to take over like the Windows registry. The registry is terrible and we don’t want this crap in Linux.

1 Like

But that’s the entire point. All the “Unix philosophy” proponents are making this a philosophical discussion, which is fine to have, but not very pragmatic.

You’re thinking like an end user, and that’s fine. You should have that option. Systemd is perfectly suited for a Linux desktop or laptop. This systemd-homed feels very laptop oriented.

But these are core system functions that have substantial impact on system builders, derivative distributions, infrastructure maintainers, and hobbyist hackers (like people who join tech forums for fun :slight_smile: ).

“Just redesign SSH” works as well as “just adopting IPv6”.

The hate for systemd is stupid (and the hate for Poettering is insane), but the need for alternative inits is real for any use case that isn’t “connect your Linux laptop to your Linux SaaS instances”.

End users don’t need to care, but I wish people designing distros would take that into account. I wish hobbyist hackers would stop hating on systemd and start talking about how awesome OpenRC and Runit are.

I am not knowledgeable on init or systemd, what they do, why one is better or worse than the other and so on, but I like reading about it when it makes sense, and new stuff is always interesting. I would love to see a post explaining OpenRC and Runit in comparison to the above two as well, just so that information is there and maybe a few people try it and report back too.

None of it is of any consequence to me but more information is always good.

So, I read the article, and I’m a bit confused regarding the same user on several concurrent machines.
How might one sync files between machines?
It reads like the user might log out of one machine, then move the userfile/partition/device/unicorn to another machine, and then it will just work?

Sounds fun in that limited use case, as I guess it saves having to set up the user on each machine, which is cool

And it looks like they will make SSH work differently on systemd/Linux distros, which are the majority, maybe even some BSDs?

But I R Confuse, and it is 02:28, so off to bed I go

Sounds like the experience folks have on chromeos today.

When you login, you get access to stuff, when you logout you don’t.

I’m more curious about the portability aspect, how user settings will be interpreted as your home dir moves across machines with different system images.

1 Like

This version of “do one thing” was never true for Linux since its invention. Even then, saying systemd doesn’t follow the “do one thing well” mantra is like saying GNOME doesn’t follow this because all the GNOME packages are under the ‘gnome’ umbrella. There isn’t one program called systemd which runs everything inside of it. Systemd is made up of several programs, 69 as of 2013, just like GNOME is made up of hundreds of programs.

Taking this view is a simplistic and flawed view.

This is what systemd does.

Systemd has done great things for Linux. We’ve moved from a crippled ecosystem of ‘choice’ to a system where Linux distributions have angered on a good set of base components which are for the most part the same across platforms. We’re at a point, for once in Linux’s existence, where you are starting to be able to build programs which run the same on different distributions.

This improvement for user management is interesting, and i think could be quite beneficial to Linux. Might actually bring us into 2019 with the rest of the world, because for now, Linux has been sitting a decade behind in reality.

1 Like

SystemD has caused anger all right :joy:

As a normie who has no idea why one is better than the other, this is the best reasoning I have read about the whole init / systemd thing. Anything that can help Linux not be a quagmire of options and never-ending what-ifs is a good thing.

1 Like