The idea

The Unix system needs to be able to categorise users into domains.

When I say "Domains", I don't mean DNS domains, but merely unique strings that identify a domain-set of users. This might include DNS domains, but it would not be limited to them.

This would mean that software that wished to authenticate users (such as MySQL), but didn't wish to create local users would have a mechanism for doing so. Then we wouldn't end up with 101 different authentication systems like we have now.

chroots

It might also be an idea to allow a chroot to be associated with each domain, so that each domain can have a sandbox in which their users may play.

setuid_with_authentication

While I'm here, I'd like to suggest that it might be a good idea to create a setuid_with_authentication system call, the idea being that if it gives the correct username/password/domain for a user, then it be setuid to that user.

This would be useful in that a web server could receive a username/password from a user, and then call this function. A user's permissions would then be in effect, and the web server could access the user's files, but not the files of other users.

Implementation suggestions

I would suggest that a file called /etc/domain be created. It could have the following fields:

• Domain name: This would be a string that specifies the domain name. It would allow the same set of characters as usernames do
• Domain ID: An ID number
• Domain Type: This identifies the type of domain. Examples include:
  • local: All local users should be placed in a domain of this type
  • mysql: If the MySQL developers so decided, they could place all their users in a domain of this type
• Root: This is the directory that will be chrooted to for the domain users.
• Configuration Directory: This would be specified relative to the root, and would say where configuration files such as passwd, group nsswitch, and the like would be stored.
• Other data: An unlimited number of other fields that depend on the Domain Type

Some examples might be:

 local:0:local:/:/etc
 mysql:1:mysql:/chroots/mysql:/etc
 example.com:2:web:/chroots/web/example.com:/etc

Any user belonging to some special group should be allowed to administer the group, creating users, changing passwords, and the like

As UIDs would only be unique to a domain, and not across domains, it would be necessary to record a domain ID with the User ID. So users not in /etc/passwd on the root system should not be allowed to write to any filesystem that does not support domains.

The problem with the idea is that it would require a whole new set of function calls, and then the existing function calls (ie. getent and the like) would have to be mapped onto the new calls. I still think it's a good idea, though.