Date: Fri, 14 Jul 2000 20:25:46 -0400
From: arisawa@ar.aichi-u.ac.jp
To: 9fans@cse.psu.edu
Message-ID: <20000714235707.287.qmail@nx.aichi-u.ac.jp>
Subject: Re: [9fans] allow
References: <200007141418.KAA00244@cse.psu.edu>

Hello,

Rob Pike said:
> Better ideas (short of a superuser) are welcome.

and pip@stricca.org:
> Maybe the use of smart cards might be a solution.

I think it is an illusion that we can protect the local file system from someone who can touch the keyboard of the machine. Plan 9 has a good solution for terminals that are shared by more than one person. That is, "it is best to purge local file systems."

On the other hand, there are terminals that are used and managed by a single person. We need not worry about malicious operations by the owner. I believe kfs is intended for this case.

UNIX "root" is a formal administrative account. The account worked well while machines were very expensive. But now everyone can have machines that run UNIX, and so inconvenience and insecurity are left to us.

Plan 9 introduced the "host owner" instead of "root". Both govern the machine; therefore they are superusers. I think the problem with kfs is that it does not distinguish between the "host owner" and others. The "host owner" is, in fact, a special user on terminals and/or servers. Therefore, I think some operations should be limited to the host owner only. For example, "disk/kfscmd allow" should allow only the host owner to ignore access permissions.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp
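The proposal above, that a control message such as "allow" should be honored only when it comes from the host owner, can be sketched as a small permission model. The following is an added example written for this page, not code from Plan 9's kfs or from the poster; the names (Srv, File, srv_ctl, srv_access), the assumed host owner name "bootes", the Unix-style mode bits and the two-class owner/other check are all simplifying assumptions, not kfs's actual data structures or behavior.

```c
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified model of a kfs-like file server with an
 * "allow" switch that disables permission checking. Added example for
 * illustration; not Plan 9 kfs source. All names are assumed. */

enum { PREAD = 4, PWRITE = 2, PEXEC = 1 };

typedef struct Srv {
    const char *hostowner;   /* user who booted the machine (assumed name) */
    int allow;               /* when set, every permission check succeeds */
} Srv;

typedef struct File {
    const char *owner;
    unsigned mode;           /* Unix-style permission bits, e.g. 0640 (assumption) */
} File;

/* Handle a control message such as "allow" or "disallow".
 * Returns 0 on success, -1 if the command is unknown or the caller
 * is not the host owner. The host-owner check is the point of the
 * message above: anyone else must not be able to switch checks off. */
int srv_ctl(Srv *s, const char *caller, const char *cmd)
{
    int is_allow = strcmp(cmd, "allow") == 0;
    int is_disallow = strcmp(cmd, "disallow") == 0;

    if (!is_allow && !is_disallow)
        return -1;                       /* unknown control message */
    if (strcmp(caller, s->hostowner) != 0)
        return -1;                       /* only the host owner may toggle */
    s->allow = is_allow;
    return 0;
}

/* Returns 1 if caller may perform `want` (mask of PREAD/PWRITE/PEXEC)
 * on f, else 0. With allow set, checking is bypassed entirely. */
int srv_access(const Srv *s, const char *caller, const File *f, unsigned want)
{
    unsigned bits;

    if (s->allow)
        return 1;
    if (strcmp(caller, f->owner) == 0)
        bits = (f->mode >> 6) & 7;       /* owner bits */
    else
        bits = f->mode & 7;              /* "other" bits; no group model here */
    return (bits & want) == want;
}

/* Walks through the scenario from the message: a non-owner tries to
 * issue "allow" and fails; the host owner issues it and succeeds.
 * Returns a bitmask of the outcomes so a caller can check each step. */
int scenario(void)
{
    Srv s = { "bootes", 0 };             /* assumed host owner name */
    File secret = { "bob", 0600 };       /* constructed sample file */
    int r = 0;

    if (srv_access(&s, "alice", &secret, PREAD) == 0) r |= 1;   /* denied */
    if (srv_ctl(&s, "alice", "allow") == -1)          r |= 2;   /* refused */
    if (srv_access(&s, "alice", &secret, PREAD) == 0) r |= 4;   /* still denied */
    if (srv_ctl(&s, "bootes", "allow") == 0)          r |= 8;   /* accepted */
    if (srv_access(&s, "alice", &secret, PREAD | PWRITE) == 1) r |= 16; /* bypass */
    if (srv_ctl(&s, "bootes", "disallow") == 0)       r |= 32;
    if (srv_access(&s, "bob", &secret, PREAD) == 1)   r |= 64;  /* owner ok */
    if (srv_access(&s, "alice", &secret, PREAD) == 0) r |= 128; /* back to normal */
    return r;
}

int main(void)
{
    printf("scenario result mask: %d\n", scenario());
    return 0;
}
```

The check in srv_ctl is deliberately a plain string comparison against the host owner's name: the example models the policy, not how a real server would authenticate the sender of the control message, which is a separate question the message does not address.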