* [9fans] remove files in /srv
@ 2005-02-01 1:11 YAMANASHI Takeshi
2005-02-01 3:21 ` arisawa
2005-02-01 3:56 ` Russ Cox
0 siblings, 2 replies; 11+ messages in thread
From: YAMANASHI Takeshi @ 2005-02-01 1:11 UTC (permalink / raw)
To: 9fans
Hi,
Anyone can replace files in /srv. Bad things won't
happen if /srv/boot has been replaced by a malicious user?
Therefore, how about changing '#s' so that only file owner
or host owner can remove the file?
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
2005-02-01 1:11 [9fans] remove files in /srv YAMANASHI Takeshi
@ 2005-02-01 3:21 ` arisawa
2005-02-01 3:56 ` Russ Cox
1 sibling, 0 replies; 11+ messages in thread
From: arisawa @ 2005-02-01 3:21 UTC (permalink / raw)
To: 9fans
>Anyone can replace files in /srv. Bad things won't
>happen if /srv/boot has been replaced by a malicious user?
Try:
term% cd /srv
term% ls -ld /srv
d-r-xr-xr-x s 0 arisawa arisawa 0 Oct 26 20:44 /srv
term% ls -l
--rw-rw-rw- s 0 arisawa arisawa 0 Oct 26 20:44 boot
--rw-rw-rw- s 0 arisawa arisawa 0 Oct 26 20:44 cs
--rw-rw-rw- s 0 arisawa arisawa 0 Oct 26 20:44 dns
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 dos
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 f
--rw-rw-rw- s 0 arisawa arisawa 0 Oct 26 20:44 factotum
--rw-rw-rw- s 0 arisawa arisawa 0 Oct 26 20:44 fossil
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 fscons
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 nfsserver.chat
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 pc
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 plumb.arisawa.199
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 portmapper.chat
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 rio.arisawa.44
--rw------- s 0 arisawa arisawa 0 Oct 26 20:44 riowctl.arisawa.44
term% su alice
su# rm boot
rm: boot: permission denied
su# echo bla | /srv/boot
/srv/boot: permission denied
su# cp fossil boot
cp: can't create boot: srv file already exists
su#
Kenji Arisawa
.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
2005-02-01 1:11 [9fans] remove files in /srv YAMANASHI Takeshi
2005-02-01 3:21 ` arisawa
@ 2005-02-01 3:56 ` Russ Cox
1 sibling, 0 replies; 11+ messages in thread
From: Russ Cox @ 2005-02-01 3:56 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
> Anyone can replace files in /srv. Bad things won't
> happen if /srv/boot has been replaced by a malicious user?
#s/boot is explicitly unremovable.
> Therefore, how about changing '#s' so that only file owner
> or host owner can remove the file?
This won't work well. 9fs alice creates /srv/alice as the user
who runs it, but if the connection is lost and someone else
runs 9fs alice, then they need permission to remove it and
replace it.
It's not at all clear what the right answer is. The users have
to trust themselves in /srv.
Russ
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
@ 2005-02-01 3:48 YAMANASHI Takeshi
2005-02-01 4:06 ` arisawa
0 siblings, 1 reply; 11+ messages in thread
From: YAMANASHI Takeshi @ 2005-02-01 3:48 UTC (permalink / raw)
To: 9fans
On Tue Feb 1 12:21:37 JST 2005, arisawa@ar.aichi-u.ac.jp wrote:
> >Anyone can replace files in /srv. Bad things won't
> >happen if /srv/boot has been replaced by a malicious user?
:
> su# rm boot
> rm: boot: permission denied
oops. you can surely remove /srv/dns though.
what's the difference between boot and dns...?
I got it: #s is doing a special treatment for boot in
/sys/src/9/port/devsrv.c:/^srvremove .
if(strcmp(sp->name, "boot") == 0)
error(Eperm);
I'd rather have #s only removable by hostowner/file owner instead.
Would this change break something?
--
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
2005-02-01 3:48 YAMANASHI Takeshi
@ 2005-02-01 4:06 ` arisawa
2005-02-01 4:33 ` Russ Cox
0 siblings, 1 reply; 11+ messages in thread
From: arisawa @ 2005-02-01 4:06 UTC (permalink / raw)
To: 9fans
>oops. you can surely remove /srv/dns though.
>what's the difference between boot and dns...?
Permission bit of files in /srv/* is only formal, I think.
The meaning of the bit follows by the service program, not OS.
Service program can do anything what ever the bit is.
Kenji Arisawa
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
2005-02-01 4:06 ` arisawa
@ 2005-02-01 4:33 ` Russ Cox
2005-02-01 20:31 ` rog
0 siblings, 1 reply; 11+ messages in thread
From: Russ Cox @ 2005-02-01 4:33 UTC (permalink / raw)
To: Fans of the OS Plan 9 from Bell Labs
> Permission bit of files in /srv/* is only formal, I think.
> The meaning of the bit follows by the service program, not OS.
> Service program can do anything what ever the bit is.
That's not true -- the bits are checked when the file is opened.
The real solution is to put directories in /srv and have a common
directory and personal directories. But instead I made a smaller
change and tightened up what can be removed.
Russ
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
2005-02-01 4:33 ` Russ Cox
@ 2005-02-01 20:31 ` rog
2005-02-02 23:22 ` Bruce Ellis
0 siblings, 1 reply; 11+ messages in thread
From: rog @ 2005-02-01 20:31 UTC (permalink / raw)
To: 9fans
> The real solution is to put directories in /srv and have a common
> directory and personal directories. But instead I made a smaller
> change and tightened up what can be removed.
i've sometimes wondered whether it might be worth having the
capability to have a non-shared /srv; e.g. #snew gives a new, clean
instance of #s owned by the current user. it would be possible to
move services between old and new by opening a file in the old #s and
writing the fd to the new one. it would also be possible to access the
globally shared #s, but perhaps only the hostowner could post names
there.
that way, there's no clash of service names when people cpu in;
easier to implement than directories, too.
then again #s is also the source of lots of useful hacks.
just a thought.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [9fans] remove files in /srv
@ 2005-02-01 4:05 YAMANASHI Takeshi
2005-02-01 4:44 ` geoff
0 siblings, 1 reply; 11+ messages in thread
From: YAMANASHI Takeshi @ 2005-02-01 4:05 UTC (permalink / raw)
To: 9fans
> This won't work well. 9fs alice creates /srv/alice as the user
> who runs it, but if the connection is lost and someone else
> runs 9fs alice, then they need permission to remove it and
> replace it.
They can post a new connection under another name like
/srv/alice.username, can't they?
There are many other important services now in /srv to trust users.
I'm concerned for /srv/^(fossil fscons cs dns factotum) especially.
# boot is excluded because of the special treatment
--
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2005-02-02 23:57 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2005-02-01 1:11 [9fans] remove files in /srv YAMANASHI Takeshi
2005-02-01 3:21 ` arisawa
2005-02-01 3:56 ` Russ Cox
2005-02-01 3:48 YAMANASHI Takeshi
2005-02-01 4:06 ` arisawa
2005-02-01 4:33 ` Russ Cox
2005-02-01 20:31 ` rog
2005-02-02 23:22 ` Bruce Ellis
2005-02-02 23:57 ` Charles Forsyth
2005-02-01 4:05 YAMANASHI Takeshi
2005-02-01 4:44 ` geoff
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).