From mboxrd@z Thu Jan 1 00:00:00 1970
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
In-reply-to: Your message of "Thu, 16 Apr 2009 21:25:06 EDT." <9ab217670904161825k467a8a4ew31689b207f6ab984@mail.gmail.com>
References: <9ab217670904161636p62f77a18ufe0c14ac6245f078@mail.gmail.com> <3535ae9780efe698b30d5c4bf8f5b5b7@quanstro.net> <9ab217670904161825k467a8a4ew31689b207f6ab984@mail.gmail.com>
From: Bakul Shah
Date: Thu, 16 Apr 2009 19:07:31 -0700
Message-Id: <20090417020731.A822E5B1B@mail.bitblocks.com>
Subject: Re: [9fans] security questions
Topicbox-Message-UUID: df511e56-ead4-11e9-9d60-3106f5b1d025

On Thu, 16 Apr 2009 21:25:06 EDT "Devon H. O'Dell" wrote:
> That said, I don't disagree. Perhaps Plan 9's environment hasn't been
> assumed to contain malicious users. Which brings up the question: Can
> Plan 9 be safely run in a potentially malicious environment? Based on
> this argument, no, it cannot. Since I want to run Plan 9 in this sort
> of environment (and thus move away from that assumption), I want to
> address these problems, and I kind of feel like it's weird to be
> essentially told, ``Don't do that.''

Why not give each user a virtual plan9? Not like vmware/qemu but more
like FreeBSD's jail(8), "done more elegantly"[TM]! To deal with
potentially malicious users you can virtualize resources, backed by
limited/configurable real resources.

The other thought that comes to mind is to consider something like
class based queuing (from the networking world). That is, allow choice
of different allocation/scheduling/resource use policies and allow
further subdivision. Then you can give preferential treatment to known
good guys. Other users can still experiment to their heart's content
within the resources allowed them.

My point being: think of a consistent high level model that you like
and then worry about implementation details.