jancsika 8 hours ago [-]
Hijacking this post for my own selfish curiosity:
Since Linux has these built-in ttys, why wasn't login done like this:
1. put a bare-bones x11 instance on the "login" tty with the necessary graphical/DE crap for login prompt
2. if the user enters the correct credentials in the graphical crap, switch the user to another tty and spawn a new x11 instance there for their graphical user environment/DE
That way you could use the "login" tty for the login prompt, accessibility apps, screensaver, win-at-space-invaders-to-login, etc. Then if stuff crashes at any point during the login attempt it just falls back to an empty tty rather than a user session or whatever.
This has stayed the case with the transition to Wayland: pressing Ctrl + Alt + F1 shows me the login screen, and Ctrl + Alt + F2 takes me back to the desktop.
stronglikedan 6 hours ago [-]
> 'superuser', likely the source of the 'su' command name
Hmmm, interesting. I always figured it stood for (s)witch (u)ser, but didn't know that "at the time it was only used to let you become root".
pitched 12 hours ago [-]
The site is returning Forbidden for me and they seem to have also blocked archive.* sites. A bit of a mean thing for a public university to do.
embedding-shape 12 hours ago [-]
Is the entire utcc.utoronto.ca returning 403 or just utcc.utoronto.ca/~cks? Maybe it's no longer common knowledge, but the ~string part typically means it's hosted in a way so individual unix users can somewhat control their own environments, sometimes with .htaccess files or other things, and adjust the responses from the web-servers somewhat.
Anyways, the point being that it might not be the university doing it, but an individual user. I guess the former would be kind of shitty, but the latter is maybe ok as individuals should be able to choose freely?
FWIW, both the domain at large + this specific URL seem to work fine for me in Spain.
extraduder_ire 7 hours ago [-]
The "server" header says it's apache, so there could be a .htaccess file in that directory with the rules for that.
Trying to load any url under ~/cks/ starting with .ht gives a generic "Forbidden" response, and other urls like .foo give a "Not Found" error.
pitched 12 hours ago [-]
You got it, it’s just ~cks not letting me in. The University itself is still good.
> [...] An open Internet is a great thing, and it would be nice to have one. But it is now less and less compatible with running systems that are useful to their users. I hate firewalling off large chunks of the net from our mailer, but I would hurt even more from our users fleeing email because of spam. And so I firewall. [...]
pitched 2 hours ago [-]
I am getting Forbidden when connecting from a cheap (but Canadian!) VPN but allowed through with a pricier one. So it isn’t geo-based blocking, probably more like a per-IP request limit.
Archive Today presently does not, and I'm getting hung up on Captcha tests trying to submit a bug report. Present broken archive: <https://archive.is/Nv9Ik>. If someone else could submit a "Bad Grab" report I'd appreciate it.
Edit: Re-reading the archived error page: ~cks specifically blocks Archive.Today, which is unfortunate.
(In general, check popular archive tools, such as the Internet Archive (above) or Archive Today, and post a working link rather than griping about individual site access issues.)
em-bee 1 hours ago [-]
> ~cks specifically blocks Archive.Today, which is unfortunate.
archive.today has been found to use their pages to run DDOS against someone they didn't like:
Same here, my web browser shows as coming from 'Big Giant Firewall Company'....
amelius 11 hours ago [-]
You have to use "su" :)
lanycrost 9 hours ago [-]
Always like to read history of operating systems and its evaluation. As expected *BSD still following the standards unlike the Linux :D
> As you might expect, all of the modern versions of su across Linux and the free BSDs support starting a login shell (cf the normal Linux su (also), FreeBSD su(1), NetBSD su(1), and OpenBSD su(1)). On Linux and OpenBSD, login isn't setuid root and so can't be used from a regular shell environment to become a new user; your only option is su. On FreeBSD and NetBSD,
Joker_vD 5 hours ago [-]
Uh, what standards, exactly? Neither login nor su are part of POSIX.
JdeBP 10 hours ago [-]
One interesting idea, never realized that I know of, was for Hurd. The idea was that 'login' would be a simple utility program. One started a session with no user credentials, and ran 'login' as a command to add credentials to already running processes.
This was not at all how Unices worked, of course, which is likely why it never happened. On Unices it would have needed some sort of shared process credentials structure that could be augmented in place by a privileged process. On the Hurd, it would have required an extra method implemented by the auth server.
On my machines, login is not run any more. It's just a PAM client that provides a very dumb paper-compatible cooked mode terminal user interface, after all. I thought for a long time about writing a PAM client that had a better full screen TUI interface that assumed (gasp!) video terminals. So eventually I did just that.
> To log in, input login root, then use gnuhurdrox as the password
(Emphasis mine)
Joker_vD 9 hours ago [-]
> One started a session with no user credentials
And what would the effective permissions be? The access to any file would be done according to the "other" permissions bits or?.. Because if yes, then that'd be an interesting way to escape user-based quotas, you know.
JdeBP 8 hours ago [-]
I don't know. This was a very early description of how it would work that I read, a long time ago.
Thinking it through as a thought experiment, the way that I'd do it, a process with no credentials would not be able to open anything for write access and only a limited number of things for execute access, and be limited to a minimal amount of read access. One does not have to follow the POSIX model when one is introducing something so definitely outside of it as a process with no user/group IDs (perfectly fine as far as raw Hurd is concerned).
There was precedent for such ideas. On Novell Netware, MS/PC/DR-DOS clients could access only one server directory, containing the LOGIN program, until they had logged their machine on.
Joker_vD 5 hours ago [-]
Okay, so basically something like Windows's "Anonymous Logon" SID, which doesn't belong to the Authenticated Users group: it's the group that's normally associated with the default Write permissions; the Users group has only read-only access.
JdeBP 3 hours ago [-]
That sort of idea, yes.
I've just done some research and it looks like the Debian Hurd people did attempt to actually implement this. I just never heard about it. There was a 'login shell' and a 'nouser'. The latter had an empty set of IDs, and this case (optionally) switched to an extra set of rwx permission bits that existed specifically for determining 'nouser' access.
It would be very interesting if you could accumulate privileges by stacking logins. So `login a; login b` gave you both a and b privileges. `logout a` would drop a's privileges but keep b's.
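The 'nouser' permission triple and the stacked-login idea from the comments above, as a toy Python model. This is an added example, not part of the thread and not Hurd code; the `File`/`Session` names, the sample IDs, and the fallback to the "other" bits when a file has no 'nouser' triple are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # rwx bits within one permission triple

@dataclass
class File:
    owner: int
    group: int
    mode: int                     # classic owner/group/other bits, e.g. 0o640
    nouser: Optional[int] = None  # extra rwx triple for ID-less processes; None = not enabled

@dataclass
class Session:
    """Toy stackable credentials: login name -> (uid, gids). Hypothetical model."""
    logins: dict = field(default_factory=dict)

    def login(self, name, uid, gids):
        self.logins[name] = (uid, frozenset(gids))

    def logout(self, name):
        self.logins.pop(name, None)

    def ids(self):
        uids = {uid for uid, _ in self.logins.values()}
        gids = set().union(*(g for _, g in self.logins.values()))
        return uids, gids

def allowed(sess, f, want):
    """True if every bit in `want` is granted to the session's current ID sets."""
    uids, gids = sess.ids()
    if not uids and not gids:
        # No credentials: use the dedicated 'nouser' triple when the file has one.
        # Assumption: without it, fall back to the "other" bits.
        bits = f.nouser if f.nouser is not None else f.mode & 7
    elif f.owner in uids:
        bits = (f.mode >> 6) & 7
    elif f.group in gids:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return (bits & want) == want

# Constructed sample files (uids/gids are made up).
LOGIN_PROG = File(owner=0, group=0, mode=0o755, nouser=R | X)
SCRATCH = File(owner=0, group=0, mode=0o666, nouser=R)  # world-writable, but not for nouser
A_NOTES = File(owner=1000, group=1000, mode=0o600, nouser=0)
B_NOTES = File(owner=1001, group=1001, mode=0o600, nouser=0)
```

In this model a credential-less session can run `LOGIN_PROG` but cannot write to the world-writable `SCRATCH`, which is the case the quota question in the thread turns on.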
JdeBP 3 hours ago [-]
Yes, and under the covers some parts of Windows NT, notably server processes, do something akin to this; although its interactive login on a windowstation system follows the Unix model of the TCB doing the login dialogue and then spawning a user process running as the logged-in user.
archive.today has been found to use their pages to run DDOS against someone they didn't like:
https://news.ycombinator.com/item?id=47092006
(Greetings from Germany)
https://www.gentoo.org/news/2026/04/01/gentoo-hurd.html
* https://groups.google.com/g/linux.debian.ports.hurd/c/2rCbPl...