From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <817ad07b21b28268fd0f8ab9341c6191@9fs.org>
To: 9fans@cse.psu.edu
From: nigel@9fs.org
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: [9fans] possible way to have the secstore on the cpu server
Date: Fri, 14 Jun 2002 09:26:01 +0100
Topicbox-Message-UUID: ad11341c-eaca-11e9-9e20-41e7f4b1d025

It seems possible to store the secstore on the cpu server, without the files being accessible to someone (other than bootes).

The attacker cannot open anything in '#'S as it is owned by bootes. I had assumed before that '#'S is generally readable, but it's only group/user readable.

The service created by kfs is other r/w, so obviously kfs would be a bad choice. But, /srv/dos is accessible by user only, so a small dos filesystem would appear to be unmountable by anyone other than bootes. The dossrv would have to be noswap and private, which given the amount of memory it consumes might be the biggest impediment.

I realise that a separate auth server with no cpu service is intrinsically more secure, but does the above have any fatal flaws?