From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dave Eckhardt
Subject: Re: [9fans] killing processes
To: 9fans@cse.psu.edu
In-Reply-To: <5b58ed3b26b68a9a9751f6b79d306c10@orthanc.cc.titech.ac.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <16866.1126848614.1@piper.nectar.cs.cmu.edu>
Date: Fri, 16 Sep 2005 01:30:15 -0400
Message-ID: <16867.1126848615@piper.nectar.cs.cmu.edu>
Topicbox-Message-UUID: 8afc68c8-ead0-11e9-9d60-3106f5b1d025

> Split the authentication domain into two.
> One for ordinary users in which "our CPU server" and
> the file server (fossil processes) runs, and the other
> in which the file server (the box itself) boots and runs.

I remember reading about that. To be honest, I was wondering
if there might be a simpler way, without having to run a second
auth server. For example (and I haven't tried either):

 * arrange for the cpu/ncpu listener to run in a namespace
   where /bin/rc is mode 750, so only members of the
   designated group can run it

 * put a group-membership check in some "early" /bin/rc
   startup file

Dave Eckhardt