From: Dave Eckhardt
To: 9fans@9fans.net
Date: Wed, 7 Jan 2009 01:24:21 -0500
Message-ID: <17528.1231309461@lunacy.ugrad.cs.cmu.edu>
Subject: [9fans] RFNOMNT and/or "least privilege"

> RFNOMNT, like everything in Plan 9, was put in because
> someone needed to use it, not as a purely academic
> exercise in adding features.

Here is something which either I've misunderstood or is harder than I'd like.

I have a machine which runs two private (password-protected) web servers on different ports. It is not the case that everybody who can log in to the machine should be able to read the content offered by those two servers. The web server infrastructure seems pretty focused on running as user "none", which makes sense as far as it goes, but I don't want none to be able to read the files served by the web servers because anybody who can log in to the machine can become none.

What I've worked out so far is this. At boot time, the host owner (who is a member of a group which can access the bits) builds an appropriate namespace for each of the web servers. In each case the hostowner starts up a wikifs which can read and modify the privileged information but which posts a world-mountable service descriptor in /srv. Once each web server is launched in a namespace which has mounted the descriptor, the descriptor is deleted from /srv. If all this happens before listen is run, I think the result is two environments which are both running as none but have access to the bits they need, without leaking that access to everybody else who runs as none.

What does this have to do with RFNOMNT?
For one thing, while I thought about using RFNOMNT to limit the ability of a hijacked web server or its children to get at the rest of the system, lots of people demand the ability to rearrange their namespaces, e.g., wikipost bails out if it can't mount onto /mnt/wiki. But overall I wish I had more ability to set up "least privilege" execution domains, meaning process trees with exactly the privileges they need but no more. Or am I doing it all wrong?

Dave Eckhardt
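The boot-time sequence described in the message, written out as an added rc script that is not from the original post or from the Plan 9 distribution. The flags used for wikifs (-s), mount and aux/listen1 follow my reading of their manual pages and are assumptions; the directory names and ports are constructed.

```rc
#!/bin/rc
# Added illustration: one private namespace per web server, built by the
# host owner before any listener exists. Assumed: wikifs -s posts a
# descriptor in /srv; aux/listen1 runs its command as none per connection.

fn private_wiki {
	# $1 = /srv descriptor name, $2 = wiki directory (readable only by the
	# host owner's group), $3 = address to listen on, $4 = server command
	srv=$1; dir=$2; addr=$3; cmd=$4
	@{
		# fresh copy of the namespace: mounts made here are invisible
		# to every other process on the machine
		rfork n
		# wikifs runs as the host owner, so it can read $dir; the
		# descriptor it posts does not by itself expose the files
		wikifs -s $srv $dir
		# make the descriptor mountable, mount it into this namespace,
		# then delete it: the window in which anyone else could mount
		# it is these three lines, all before the listener starts
		chmod 666 /srv/$srv
		mount /srv/$srv /mnt/wiki
		rm /srv/$srv
		# only now accept connections: listen1 becomes none for each
		# connection but inherits this namespace with /mnt/wiki mounted
		aux/listen1 $addr $cmd
	}
}

# two servers, two namespaces, neither visible to other none processes
private_wiki wiki1 /usr/wiki/one 'tcp!*!8001' /bin/ip/httpd/httpd &
private_wiki wiki2 /usr/wiki/two 'tcp!*!8002' /bin/ip/httpd/httpd &
```

The one thing this does not give you is RFNOMNT (rfork m) inside the server's process tree, for exactly the reason the message gives: wikipost still needs to mount onto /mnt/wiki.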