From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <3f42b157890205fce44e38e690ef7043@plan9.bell-labs.com>
From: David Presotto
To: 9fans@cse.psu.edu
Subject: Re: [9fans] If hostid==uid, then /lib/ndb/auth is not checked.
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-zgbvsbvtyjmkbhtiqsxniwgtyy"
Date: Fri, 12 Mar 2004 07:38:20 -0500
Topicbox-Message-UUID: 2cc640b0-eacd-11e9-9e20-41e7f4b1d025

This is a multi-part message in MIME format.
--upas-zgbvsbvtyjmkbhtiqsxniwgtyy
Content-Disposition: inline
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

You got it. The speaksfor relationship is used to allow a user that has cpu'd (or ssh'd or telnet'd...) into a cpu server to access resources off of that cpu server. Assume you've telnet'd in but the file server is on another machine. In order to have any files at all to continue, your process (via the factotum on the cpu server) must authenticate to the file server. However the only keys in that factotum are those of the cpu server's owner. Therefore, that owner must be able to 'speak for' you to the file server. It does that by getting a ticket from the auth server, encrypted in the file server owner's key, that identifies the caller as you.

Keeping people out of a machine is another problem altogether. In our world, having a key in a host's domain is equivalent to having access to the host. The way we lock people out of a host is to not give them a key into its domain. We run a number of authentication domains at the Labs for that reason.

This was a lack of foresight on my part. Putting a system in a separate auth domain can be a pain for all the users involved. Some flavor of ACL would be nicer; i.e. the ability to say, user Alice can only do the following things on host X. We already have something like that in the form of /lib/ndb/consoledb.
Perhaps we could do something similar on a per service basis, i.e., a servicesdb that each service (or listen itself) can consult to determine yay or nay for the service. For example, you could make /lib/ndb/common:

	tcp=cpu port=17013 uid=!presotto uid=*

That way, stand alone servers could control who could use its services. I'm not sold yet on the form it should take, but I think it is necessary.
--upas-zgbvsbvtyjmkbhtiqsxniwgtyy
Content-Type: message/rfc822
Content-Disposition: inline

Message-ID:
To: 9fans@cse.psu.edu
Subject: Re: [9fans] If hostid==uid, then /lib/ndb/auth is not checked.
From: YAMANASHI Takeshi
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
List-Id: Fans of the OS Plan 9 from Bell Labs <9fans.cse.psu.edu>
Date: Fri, 12 Mar 2004 14:47:14 +0900

On Fri Mar 12 14:32:41 JST 2004, lucio@proxima.alt.za wrote:
> Well, /lib/ndb/auth indicates the speaksfor relationship. Surely uid
> X can be assumed to speakfor uid X?

Then every user in a domain can start their processes on arbitrary cpu servers whose host owners aren't allowed to speak for the user? Is this the way that the speaksfor relationship works?

I thought the relationship can be used to restrict which users are allowed to run their process on cpu servers.

I am still confused with the relationship... :)
--
--upas-zgbvsbvtyjmkbhtiqsxniwgtyy--
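
The per-service entry floated in the reply above (tcp=cpu port=17013 uid=!presotto uid=*), evaluated in C as an added example that is not part of the thread or of Plan 9's own code. The thread leaves the form open, so the semantics here are assumptions: uid= tuples are read left to right, the first match decides, '!' denies, '*' matches anyone, and no match means deny; the function name svc_allowed is hypothetical.

```c
/* Added example, not from the thread. Assumed semantics: uid= tuples are
 * read left to right, the first one matching the caller decides, a leading
 * '!' denies, '*' matches any user, and no match at all means deny. */
#include <stdio.h>
#include <string.h>

/* Return 1 if user may use service/port according to entry, else 0. */
int svc_allowed(const char *entry, const char *service, const char *port,
                const char *user)
{
    char buf[256], *p, *tok, *val;
    int svc_ok = 0, port_ok = 0, decided = 0, allow = 0;

    if (strlen(entry) >= sizeof buf)
        return 0;                        /* oversized line: fail closed */
    strcpy(buf, entry);
    for (p = buf; *(p += strspn(p, " \t")) != '\0'; ) {
        tok = p;
        p += strcspn(p, " \t");
        if (*p != '\0')
            *p++ = '\0';
        if ((val = strchr(tok, '=')) == NULL)
            return 0;                    /* malformed tuple: fail closed */
        *val++ = '\0';
        if (strcmp(tok, "tcp") == 0)
            svc_ok = strcmp(val, service) == 0;
        else if (strcmp(tok, "port") == 0)
            port_ok = strcmp(val, port) == 0;
        else if (strcmp(tok, "uid") == 0 && !decided) {
            int deny = (*val == '!');
            if (deny)
                val++;
            if (strcmp(val, "*") == 0 || strcmp(val, user) == 0) {
                decided = 1;
                allow = !deny;
            }
        }
    }
    return svc_ok && port_ok && decided && allow;
}

int main(void)
{
    /* Entry text is the one in the message; "alice" is a constructed user. */
    const char *e = "tcp=cpu port=17013 uid=!presotto uid=*";
    printf("presotto=%d alice=%d\n", svc_allowed(e, "cpu", "17013", "presotto"),
           svc_allowed(e, "cpu", "17013", "alice"));
    return 0;
}
```

Under these first-match semantics the order of the uid= tuples is part of the policy: with uid=* written before uid=!presotto, the wildcard decides first and the deny is never reached.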