9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] https/factotum question
@ 2006-02-21 22:54 Dave Eckhardt
  2006-02-21 23:00 ` Russ Cox
From: Dave Eckhardt @ 2006-02-21 22:54 UTC (permalink / raw)
  To: 9fans

Feel free to correct me if I'm wrong, but I feel like
I want to set up a SSL web server in such a way that
only the web server itself can sign web pages.

But it looks to me as if the closest I can come at
present is for the factotum behind /srv/factotum to
contain the RSA key tagged with "owner=none", which I
think means that anybody who is "none", not just the
one web server process and its descendants, can sign
things.

I notice in httpd.c that some things are opened before
becomenone()... would it make sense to somehow latch
onto a "private" factotum at this point and then use
it after becomenone()?

Dave Eckhardt



* Re: [9fans] https/factotum question
  2006-02-21 22:54 [9fans] https/factotum question Dave Eckhardt
@ 2006-02-21 23:00 ` Russ Cox
  2006-02-22 23:31   ` Dave Eckhardt
From: Russ Cox @ 2006-02-21 23:00 UTC (permalink / raw)
  To: 9fans

> But it looks to me as if the closest I can come at
> present is for the factotum behind /srv/factotum to
> contain the RSA key tagged with "owner=none", which I
> think means that anybody who is "none", not just the
> one web server process and its descendants, can sign
> things.

true.

> I notice in httpd.c that some things are opened before
> becomenone()... would it make sense to somehow latch
> onto a "private" factotum at this point and then use
> it after becomenone()?

nope, can't do that.  becomenone() is only useful if you
then reconstruct your name space from scratch, and that 
means remounting factotum.

your only option is to open the fd for mounting the secret
factotum, then call becomenone(), then mount the fd,
which is still open but otherwise inaccessible to you.

the web server isn't signing pages, just that the connection
is to the right machine.  we figure if you can talk to that factotum,
you're on the machine, so close enough.  so we just run httpd
as none and let any process use the ssl certificate.

russ




* Re: [9fans] https/factotum question
  2006-02-21 23:00 ` Russ Cox
@ 2006-02-22 23:31   ` Dave Eckhardt
From: Dave Eckhardt @ 2006-02-22 23:31 UTC (permalink / raw)
  To: 9fans

> your only option is to open the fd for mounting the secret
> factotum, then call becomenone(), then mount the fd, which
> is still open but otherwise inaccessible to you.

That is sort of what I meant.  So I'd need a command line
flag which would open a service file descriptor (e.g.,
/srv/factotum but maybe something else) and then mount it
in the address space afterward.

I wonder how much of it I could do with a shell script
and a custom namespace file, i.e., open the service
descriptor as /fd/NN and then in the namespace file
mount /fd/NN as /mnt/factotum?

> the web server isn't signing pages, just that the connection
> is to the right machine.

One of the things I like about Plan 9 is that in theory sealed
name spaces should enable genuine "least privilege" protection
domains in a way that Unix can't do, and I'd kind of like to push
that envelope a bit.

Dave Eckhardt
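The sequence Russ lays out (open the fd to the private factotum, become none, then mount the fd once the namespace is rebuilt), done from a wrapper script with a custom namespace file as Dave wonders about. This is an added example, not code from the thread or from Plan 9's httpd sources; the private factotum's srv name, the namespace file path and the server command at the end are assumptions, and the launched server is assumed not to call becomenone()/newns() itself.

```rc
#!/bin/rc
# Constructed example: not from the thread and not Plan 9's httpd sources.
# Run as the host owner. Assumes a second factotum was posted with
#   auth/factotum -s privfactotum -m /n/privfactotum
# so that /srv/privfactotum is a srv file user none cannot open, and that
# the server exec'd at the end does not call becomenone()/newns() again
# (stock httpd does, which would rebuild the namespace and drop the mount).
rfork ne			# private namespace and environment for this script

ns=/cfg/httpd.private.ns	# assumed path; read later by newns, as none
echo '. /lib/namespace' >$ns	# start from the standard namespace file
echo 'mount -b /fd/5 /mnt' >>$ns	# then add the retained fd: /mnt/factotum
chmod 644 $ns			# none must still be able to read it

fn startserver {
	# fd 5 is open read/write on the private factotum (see the
	# redirection on the call below). Once we are none the srv file
	# can no longer be opened, but the fd survives both the user
	# change and newns, which is the point of Russ's sequence.
	echo -n none >/dev/user		# the becomenone() step: host owner -> none
	# Rebuild the namespace from $ns, mounting /fd/5 at /mnt, and exec
	# the server inside it; libauth then finds /mnt/factotum/rpc there.
	# /bin/ip/httpd is a placeholder for a server that keeps this namespace.
	exec auth/newns -n $ns /bin/ip/httpd
}

# <>[5] opens the srv file read/write on fd 5; mount(2) requires ORDWR
startserver <>[5]/srv/privfactotum
```

Any process that later becomes none on the same machine cannot reach /srv/privfactotum; only descendants of this script, which inherited fd 5, see the private factotum at /mnt/factotum.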


