From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <65229dac63ad48dcc92e60c777353f82@plan9.bell-labs.com>
From: presotto@closedmind.org
To: 9fans@cse.psu.edu
Subject: Re: [9fans] CGI
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="upas-fuvfpkvmumiyyeqdkchndyhddy"
Date: Tue, 12 Feb 2002 22:20:50 -0500
Topicbox-Message-UUID: 501a8fd8-eaca-11e9-9e20-41e7f4b1d025

This is a multi-part message in MIME format.
--upas-fuvfpkvmumiyyeqdkchndyhddy
Content-Disposition: inline
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit

In general, I agree with russ. The best way to do it would be
to not have to run as alice or to run the httpd as alice. The
latter requires changing it to avoid the 'becomenone' routine
and have alice start it herself. You could run arbitrarily
many httpd's just by using the -a option and specifying a
different port to listen for each, e.g. -a tcp!*!8000.

------

As rsc pointed out, you can take a hint from our mail system.
Smtpd runs as none but can deliver mail into anyone's mail file.
The files are protected alrw--w--w-, i.e., append only,
exclusive access and writeable by anyone.

I have a lock file in addition to the mbox. The lock file is
protected alrw-rw-rw-. When I want to do anything to the
mail box, I:

	/* try to set the lock */
	for(tries=0; tries < Maxtries && (lock=open(L.mbox))<0; tries++)
		sleep(some time);
	if(lock < 0)
		fatal("getting lock");

	/* affect/read mail box */
	...

	/* unlock */
	close(lock);

I still leave the 'l' bit on the mailbox to catch any stupid accidents.

You could do something similar, except you'd probably want to
make your alice file alrw-rw-rw-. That's what I did with mail
anyways...

------

You could also go nuts and run a server as alice and have one
of the httpd magic files pass requests to it. I think this is
overkill but doable. Rsc's idea of an alicefs is just a special
case of this. The problem here though is getting the servers
running as alice every reboot.
You'd probably need cron to start it for you if it wasn't already started.

--upas-fuvfpkvmumiyyeqdkchndyhddy
Content-Type: message/rfc822
Content-Disposition: inline

Received: from plan9.cs.bell-labs.com ([135.104.9.2]) by plan9; Tue Feb 12 20:11:46 EST 2002
Received: from mail.cse.psu.edu ([130.203.4.6]) by plan9; Tue Feb 12 20:11:44 EST 2002
Received: from psuvax1.cse.psu.edu (psuvax1.cse.psu.edu [130.203.18.6])
	by mail.cse.psu.edu (CSE Mail Server) with ESMTP
	id 30B2319A60; Tue, 12 Feb 2002 20:11:29 -0500 (EST)
Delivered-To: 9fans@cse.psu.edu
Received: from ar.aichi-u.ac.jp (ar.aichi-u.ac.jp [202.250.160.40])
	by mail.cse.psu.edu (CSE Mail Server) with SMTP id C8B4919A00
	for <9fans@cse.psu.edu>; Tue, 12 Feb 2002 20:09:25 -0500 (EST)
Content-Type: text/plain
MIME-Version: 1.0 (NeXT Mail 3.3ciscupdate v148.2.1)
From: arisawa@ar.aichi-u.ac.jp
To: 9fans@nx.aichi-u.ac.jp
Message-Id: <20020213010925.C8B4919A00@mail.cse.psu.edu>
Subject: [9fans] CGI
Sender: 9fans-admin@cse.psu.edu
Errors-To: 9fans-admin@cse.psu.edu
X-BeenThere: 9fans@cse.psu.edu
X-Mailman-Version: 2.0.8
Precedence: bulk
Reply-To: 9fans@cse.psu.edu
X-Reply-To: arisawa@aichi-u.ac.jp
List-Help:
List-Id: Fans of the OS Plan 9 from Bell Labs <9fans.cse.psu.edu>
List-Archive:
Date: Wed, 13 Feb 2002 09:05:34 +0900

Hello 9fans,

Now I am considering the CGI environment of a Web server.
Let A be a CGI program that is owned by user alice,
and assume the program needs to read from file B that must be
protected from access by other users.
That is, the permission mode is required to be,

	-r--r----- 16 alice alice .... B

Then how can we design a Web server on Plan9?

In case of UNIX, this problem may be solved using SETUID,
or more safely solved using a CGI wrapper.

Plan9 does not have such an easy way for `none' to become `alice'.
Authentication must be required.

Public key cryptography may be applied.
Let the Web server start with server mode, then httpd can read
the secret key that is in a file owned by bootes with 400 permission.
User alice encrypts her password using the public key and puts it somewhere.
In executing A, httpd decrypts her key and then becomes `alice'.

I am afraid this scheme gives too many rights to httpd.
We need only that a given CGI can read a given file.

Do you have other solutions?

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

--upas-fuvfpkvmumiyyeqdkchndyhddy--
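
The lock-file discipline described in the reply above, as an added example that is not part of the original messages. It is POSIX C rather than Plan 9 C: flock(2) stands in for the exclusive-use 'l' bit and O_APPEND for the append-only 'a' bit, and the names getlock and deliver, the retry count and the file modes are assumptions.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

enum { Maxtries = 3 };	/* assumed retry budget */

/* Take the lock with a bounded number of tries, sleeping between them.
 * LOCK_NB makes flock fail at once when another open of the file holds
 * the lock, as open() fails on a Plan 9 exclusive-use file.
 * Returns the lock descriptor, or -1 if the lock was never obtained. */
int
getlock(const char *lockpath)
{
	int fd, tries;

	fd = open(lockpath, O_RDWR|O_CREAT, 0666);	/* rw-rw-rw- */
	if(fd < 0)
		return -1;
	for(tries = 0; tries < Maxtries; tries++){
		if(flock(fd, LOCK_EX|LOCK_NB) == 0)
			return fd;
		sleep(1);
	}
	close(fd);
	return -1;
}

/* Append one message to the mailbox while holding the lock.
 * The mailbox is opened write-only and append-only, so the writer
 * needs no read access to it. Returns 0 on success, -1 on failure. */
int
deliver(const char *mbox, const char *lockpath, const char *msg)
{
	int lock, fd;
	ssize_t n;

	lock = getlock(lockpath);
	if(lock < 0)
		return -1;	/* the "getting lock" failure path */
	fd = open(mbox, O_WRONLY|O_APPEND|O_CREAT, 0622);	/* rw--w--w- */
	n = fd < 0 ? -1 : write(fd, msg, strlen(msg));
	if(fd >= 0)
		close(fd);
	close(lock);	/* closing the descriptor releases the lock */
	return n == (ssize_t)strlen(msg) ? 0 : -1;
}
```

Unlike the Plan 9 mode bits, flock is advisory: it only excludes writers that also take the lock, and O_APPEND binds only this descriptor, not other users of the file.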