Let's take a little trip along this thought experiment. A recent addition to the Linux kernel (and now others) is FUSE, an interface that allows filesystems to be implemented in user space while applications still use the normal kernel API to access them. What if we were to make a per-user filesystem and chroot all of that user's processes into it? A dynamic chroot jail.

This user filesystem could achieve a few things. It would provide additional security in that applications couldn't even see files they shouldn't need: /etc simply doesn't exist. Normally this problem is solved by having reasonable permissions, but with the view in place an administrator accidentally running chmod 666 /etc/passwd couldn't cause any issues. /tmp could be mapped to a random directory for the user, something like /tmp/user-AF832BF, so if a program had a vulnerability in how it shares temporary files, it would be unexploitable.

We would also be able to simplify the filesystem so that things like /var, /etc and /sbin simply wouldn't exist to the user. We could also rearrange the filesystem somewhat, making a /Desktop and /Documents so that they're easier to find. (Heck, Linspire could even call them My Desktop and My Documents.)

I think another advantage would be to give network managers an easy way to move and configure user home directories. Instead of your home directory being /nfs/us/california/los_angeles/users/ted, all of that would be hidden by the FUSE filesystem. Yes, that can be done with symbolic links, but because different applications handle them differently (and many expand them), they still confuse users.

This would also give an easy way to start standardizing how things like local caches are handled. It is foolish that every application handles these itself, and even crazier that they are saved in your home directory. For the NFS example I gave above, why should your browser cache be synchronized across the network? Why shouldn't your e-mail image cache be shared with your browser image cache? This filesystem could handle caches uniformly, with policies like "all caches live on local filesystems" configured in one place.
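To make the idea concrete, here is the namespace policy such a per-user view would enforce, written as an added example rather than code from the post: hidden system directories, a private randomly named /tmp, a local (non-NFS) cache area, a home-rooted view with /Desktop and /Documents, and system directories passed through so programs can still run. It is pure path translation with no FUSE dependency; the user name "ted", the NFS home path from the post, the cache root /var/cache/userfs and the passthrough set are constructed assumptions, and the fusepy hook-up described in the docstring is likewise an assumption.

```python
"""Per-user namespace policy for a hypothetical FUSE "dynamic chroot" view.

Pure path-translation logic. A real FUSE layer (for example the fusepy
module, an assumption here) would call UserView.resolve() at the top of every
operation and report ENOENT whenever it returns None.
"""
import os
import secrets
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample values for a hypothetical user "ted" (the post's NFS example).
REAL_HOME = "/nfs/us/california/los_angeles/users/ted"
LOCAL_CACHE_ROOT = "/var/cache/userfs"   # assumed local, non-NFS location

# Real top-level directories that simply do not exist inside the view.
HIDDEN_TOPLEVEL = frozenset({"etc", "var", "sbin", "boot", "root"})
# Real top-level directories passed through unchanged so programs can still run.
SYSTEM_PASSTHROUGH = frozenset({"usr", "bin", "lib", "lib64", "dev", "proc"})


def make_private_tmp(username: str) -> str:
    """Random per-user temp directory name such as /tmp/ted-AF832BF1.

    Only the unguessable name is chosen here; the mounting helper is expected
    to create it with mode 0700 before the view is mounted.
    """
    return f"/tmp/{username}-{secrets.token_hex(4).upper()}"


@dataclass(frozen=True)
class UserView:
    username: str
    private_tmp: str
    real_home: str = REAL_HOME
    cache_root: str = LOCAL_CACHE_ROOT

    def resolve(self, virtual: str) -> Optional[str]:
        """Translate a path as seen inside the view to a real path.

        Returns None for anything the view hides. normpath collapses ".."
        components first, so "/Desktop/../etc/passwd" is judged as "/etc/passwd".
        """
        clean = os.path.normpath("/" + virtual.lstrip("/"))
        parts = [p for p in clean.split("/") if p]
        if not parts:                        # the view's root *is* the home directory
            return self.real_home
        head, rest = parts[0], parts[1:]
        if head in HIDDEN_TOPLEVEL:
            return None
        if head == "tmp":                    # private, randomly named /tmp
            return os.path.join(self.private_tmp, *rest)
        if head == "cache":                  # all caches live on local disk, not NFS
            return os.path.join(self.cache_root, self.username, *rest)
        if head in SYSTEM_PASSTHROUGH:
            return os.path.join("/", head, *rest)
        # Everything else (/Desktop, /Documents, /.bashrc, ...) is an entry of the home.
        return os.path.join(self.real_home, head, *rest)

    def visible_root_entries(self, real_root_entries: Iterable[str],
                             home_entries: Iterable[str]) -> List[str]:
        """Names that a readdir("/") inside the view would report."""
        system = [e for e in real_root_entries if e in SYSTEM_PASSTHROUGH]
        return sorted(set(home_entries) | set(system) | {"tmp", "cache"})


if __name__ == "__main__":
    view = UserView("ted", make_private_tmp("ted"))
    for p in ("/", "/etc/passwd", "/Desktop/../etc/passwd", "/tmp/lock",
              "/cache/browser", "/Documents/report.txt", "/usr/bin/python3"):
        print(f"{p:26} -> {view.resolve(p)}")
```

The one design choice worth noting is that the view's root is the user's home, so /Desktop and /Documents need no special mapping; only the system passthrough set and the hidden set are policy, and both are small enough to audit.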

I'm still not entirely convinced that this is a "good idea", but it definitely has some strong points. It is a departure from the traditional UNIX filesystem structure that we all know and love. Every time you're departing from a long-held standard you need to make sure that it's an upgrade. In many ways, this restructuring is similar to the way Apple's filesystem is presented to the user. Only, in this scenario the rest of the filesystem simply wouldn't exist to any user applications.

posted Oct 4, 2007