9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] Novice question - run as other
@ 2004-03-17 12:43 David Presotto
  2004-03-17 17:03 ` ron minnich
  0 siblings, 1 reply; 31+ messages in thread
From: David Presotto @ 2004-03-17 12:43 UTC (permalink / raw)
  To: dvd, 9fans


It worked, I believe you just didn't notice.  The echo process became
none and then immediately died.


* Re: [9fans] Novice question - run as other
  2004-03-17 12:43 [9fans] Novice question - run as other David Presotto
@ 2004-03-17 17:03 ` ron minnich
  2004-03-17 17:13   ` rog
  2004-03-17 18:00   ` David Tolpin
  0 siblings, 2 replies; 31+ messages in thread
From: ron minnich @ 2004-03-17 17:03 UTC (permalink / raw)
  To: 9fans

>My question was how to do the same from rc. 

>@{echo -n none > '#c/user' ; while() {sleep 1} }

>succeeds but does not change the owner of the process. Why?

well, seems it would be bad if all you had to do to change userid was 
echo into '#c/user'

So, starting from that, the why should be apparent.

ron





* Re: [9fans] Novice question - run as other
  2004-03-17 17:13   ` rog
@ 2004-03-17 17:13     ` David Presotto
  0 siblings, 0 replies; 31+ messages in thread
From: David Presotto @ 2004-03-17 17:13 UTC (permalink / raw)
  To: 9fans


If all you wanted to do was change the user id, that
would be true.  However, without running newns() it's
kind of useless/dangerous.


* Re: [9fans] Novice question - run as other
  2004-03-17 17:03 ` ron minnich
@ 2004-03-17 17:13   ` rog
  2004-03-17 17:13     ` David Presotto
  2004-03-17 18:00   ` David Tolpin
  1 sibling, 1 reply; 31+ messages in thread
From: rog @ 2004-03-17 17:13 UTC (permalink / raw)
  To: 9fans

> well, seems it would be bad if all you had to do to change userid was 
> echo into '#c/user'

but if echo was built in to the shell (as it is in some other systems)
that's all you *would* have to do!




* Re: [9fans] Novice question - run as other
  2004-03-17 17:03 ` ron minnich
  2004-03-17 17:13   ` rog
@ 2004-03-17 18:00   ` David Tolpin
  2004-03-17 18:12     ` ron minnich
                       ` (3 more replies)
  1 sibling, 4 replies; 31+ messages in thread
From: David Tolpin @ 2004-03-17 18:00 UTC (permalink / raw)
  To: 9fans

>
> >@{echo -n none > '#c/user' ; while() {sleep 1} }
>
> >succeeds but does not change the owner of the process. Why?
>
> well, seems it would be bad if all you had to do to change userid was 
> echo into '#c/user'
>
> So, starting from that, the why should be apparent.

The 'Why' was about a different issue.

The question was why the C program behaves differently than
the shell script.  The C program just writes to #c/user to
change the owner of the process.

The answer is that writing to #c/user is special
in the sense that although it is a part of namespace, it changes
the state of the process space, which is only apparent if you look
into the kernel source.

A more general conclusion is that for tasks where writing to
or reading from files reflects or affects process space, and not
name space, rc is not suitable and C code must be written.

I am now into the sources to understand which files in the namespace
are actually not in it, but in the process space.

David Tolpin
http://davidashen.net/



* Re: [9fans] Novice question - run as other
  2004-03-17 18:00   ` David Tolpin
@ 2004-03-17 18:12     ` ron minnich
  2004-03-17 18:14     ` David Presotto
                       ` (2 subsequent siblings)
  3 siblings, 0 replies; 31+ messages in thread
From: ron minnich @ 2004-03-17 18:12 UTC (permalink / raw)
  To: 9fans

On Wed, 17 Mar 2004, David Tolpin wrote:

> The question was why the C program behaves differently than
> the shell script.  The C program just writes to #c/user to
> change the owner of the process.

oops, sorry, missed it. Ignore me :-)

ron





* Re: [9fans] Novice question - run as other
  2004-03-17 18:00   ` David Tolpin
  2004-03-17 18:12     ` ron minnich
@ 2004-03-17 18:14     ` David Presotto
  2004-03-17 19:34     ` rog
  2004-03-18  4:21     ` Martin C.Atkins
  3 siblings, 0 replies; 31+ messages in thread
From: David Presotto @ 2004-03-17 18:14 UTC (permalink / raw)
  To: 9fans


You're confusing name space and semantics.  It is indeed in the name space
but the semantics of writing it is to change the state of the writer not
everyone who can see the name space.  Processes owned by different
users can all share objects in the same name space.  However reading or
writing those objects can have different permissions and results for
the different processes.

If I where to unbind /dev, all processes in that name space
would see that object disappear.

The discontinuity/incongruity in Plan 9 is what an object can see
about the process using it.  Kernel objects (things implemented with #x
for any x) can see the process and can adjust their behavior
on its immediate state (this is especially true of #p).  However
anything that goes through 9P only sees the user's state by way of
the messages sent to it.  It can't tell anything about the particular
process performing an action and can thus only adjust its semantics
according to the user who actually bound the object into its
name space (this action turns to an attach).


* Re: [9fans] Novice question - run as other
  2004-03-17 18:00   ` David Tolpin
  2004-03-17 18:12     ` ron minnich
  2004-03-17 18:14     ` David Presotto
@ 2004-03-17 19:34     ` rog
  2004-03-17 19:43       ` [9fans] unsuscribe Jose timofonic
  2004-03-17 19:52       ` [9fans] Novice question - run as other Russ Cox
  2004-03-18  4:21     ` Martin C.Atkins
  3 siblings, 2 replies; 31+ messages in thread
From: rog @ 2004-03-17 19:34 UTC (permalink / raw)
  To: 9fans

> A more general conclusion is that for tasks where writing to
> or reading from files reflects or affects process space, and not
> name space, rc is not suitable and C code must be written.

that's not necessarily the case - only for something that changes
something in the writing process that isn't inherited by child
processes.

quite a few devices use this hack, often for efficiency reasons.

ones i'm aware of include (aspects of) srv(3), ssl(3), tls(3), ip(3),
cap(3), fs(3), dup(3) and cons(3)




* [9fans] unsuscribe
  2004-03-17 19:34     ` rog
@ 2004-03-17 19:43       ` Jose timofonic
  2004-03-17 19:52       ` [9fans] Novice question - run as other Russ Cox
  1 sibling, 0 replies; 31+ messages in thread
From: Jose timofonic @ 2004-03-17 19:43 UTC (permalink / raw)
  To: 9fans

unsuscribe




* Re: [9fans] Novice question - run as other
  2004-03-17 19:34     ` rog
  2004-03-17 19:43       ` [9fans] unsuscribe Jose timofonic
@ 2004-03-17 19:52       ` Russ Cox
  2004-03-17 19:58         ` rog
  1 sibling, 1 reply; 31+ messages in thread
From: Russ Cox @ 2004-03-17 19:52 UTC (permalink / raw)
  To: 9fans

rog@vitanuova.com wrote:

>quite a few devices use this hack, often for efficiency reasons.
>
>ones i'm aware of include (aspects of) srv(3), ssl(3), tls(3), ip(3),
>cap(3), fs(3), dup(3) and cons(3)
>  
>

ip(3) ?

russ




* Re: [9fans] Novice question - run as other
  2004-03-17 19:52       ` [9fans] Novice question - run as other Russ Cox
@ 2004-03-17 19:58         ` rog
  0 siblings, 0 replies; 31+ messages in thread
From: rog @ 2004-03-17 19:58 UTC (permalink / raw)
  To: 9fans

> ip(3) ?

bind ether path




* Re: [9fans] Novice question - run as other
  2004-03-17 18:00   ` David Tolpin
                       ` (2 preceding siblings ...)
  2004-03-17 19:34     ` rog
@ 2004-03-18  4:21     ` Martin C.Atkins
  3 siblings, 0 replies; 31+ messages in thread
From: Martin C.Atkins @ 2004-03-18  4:21 UTC (permalink / raw)
  To: 9fans

On Wed, 17 Mar 2004 22:00:45 +0400 (AMT) David Tolpin <dvd@davidashen.net> wrote:
> A more general conclusion is that for tasks where writing to
> or reading from files reflects or affects process space, and not
> name space, rc is not suitable and C code must be written.

Is it the process that writes to the device that gets altered,
or the process that opens the device?

I suspect the former, but why is it not the second? If it was the second,
then rc could probably be used, but what else wouldn't work, or would break?

Was the choice one of expediency, or is there a real semantic advantage
to the first choice?

Martin

-- 
Martin C. Atkins			martin@parvat.com
Parvat Infotech Private Limited		http://www.parvat.com{/,/martin}



* Re: [9fans] Novice question - run as other
  2004-03-17 18:24 ` 9nut
@ 2004-03-18  7:38   ` boyd, rounin
  0 siblings, 0 replies; 31+ messages in thread
From: boyd, rounin @ 2004-03-18  7:38 UTC (permalink / raw)
  To: 9fans

> 1.  Anything you need to say to me you can say on 9fans.  Helps keep
> the story straight.

i'm with you, captain ...




* Re: [9fans] Novice question - run as other
@ 2004-03-17 18:29 plan9fans
  0 siblings, 0 replies; 31+ messages in thread
From: plan9fans @ 2004-03-17 18:29 UTC (permalink / raw)
  To: 9fans

Hi,

My all-time favorite Unix story, lifted from
http://cm.bell-labs.com/cm/cs/who/dmr/hist.html

Although the multiple-process idea slipped in very easily indeed,
there were some aftereffects that weren't anticipated.  The most
memorable of these became evident soon after the new system came up
and apparently worked.  In the midst of our jubilation, it was
discovered that the chdir (change current directory) command had
stopped working.  There was much reading of code and anxious
introspection about how the addition of fork could have broken the
chdir call.  Finally the truth dawned: in the old system chdir was an
ordinary command; it adjusted the current directory of the (unique)
process attached to the terminal.  Under the new system, the chdir
command correctly changed the current directory of the process created
to execute it, but this process promptly terminated and had no effect
whatsoever on its parent shell!  It was necessary to make chdir a
special command, executed internally within the shell.  It turns out
that several command-like functions have the same property, for
example login.


-Steve



* Re: [9fans] Novice question - run as other
       [not found] <200403170948.i2H9mi3W084127@adat.davidashen.net>
@ 2004-03-17 18:24 ` 9nut
  2004-03-18  7:38   ` boyd, rounin
  0 siblings, 1 reply; 31+ messages in thread
From: 9nut @ 2004-03-17 18:24 UTC (permalink / raw)
  To: dvd; +Cc: 9fans

In a private email to me, David Tolpin said:

>> You said:
>> >> >> > a program from a shell script and change the user it runs as.
>> and later
>> > ? Is none not user?
>>
>> Are you trying to solve a real problem or win an argument?
>>
> 
> I was trying to understand why #c/user does not obey the rules
> of namespaces. But I didn't know that I was trying to do that,
> what I did is that I could do an obvious thing with rc,
> and was asking for help. And Charles Forsyth explained the issue
> without resorting to offensive rants.
> 
> The art of listening to others is not yet well-developed on
> 9fans.
> 
> David

A couple of things: 

1.  Anything you need to say to me you can say on 9fans.  Helps keep
the story straight.

2. Are you saying that you did not ask:
	a. "Novice question - run as other" (from the subject line)
	b. "... from a shell script and change the user it runs as." (from your message)

If your question was truly about changing to "none" and not some
arbitrary user, then why not say "... - run as none", or "...  from a shell
script and change the user it runs as, to none".

you seem like a smart guy, and i would have no reason to think what you
asked is related to anything other than what you asked about.




* Re: [9fans] Novice question - run as other
  2004-03-17 10:31           ` boyd, rounin
@ 2004-03-17 14:01             ` Dave Lukes
  0 siblings, 0 replies; 31+ messages in thread
From: Dave Lukes @ 2004-03-17 14:01 UTC (permalink / raw)
  To: 9fans

> > I had been reserving judgement on whether or not you (David Tolpin)
> > really are the ungrateful punk that you appeared to be in all your
> > other interactions on 9fans.  I have now concluded that you are.
> 
> made that choice about a week ago.  i'm with you, captain.

Metoo ... BUT ....

It ain't his fault: "I blame the system".

Now I don't want to get too mystical here but ...

I've been doing a lot of thinking recently, not just about plan9,
but also about life, the universe, me etc.,
and I realised the fundamental truth of the following:
        "We didn't want to lose the pleasant niche we occupied. What we
        wanted to preserve was just not a good environment in which to
        do programming, but a system around which a fellowship could
        form."
http://www.bell-labs.com/about/history/unix/somethingelse.html

To me, the last phrase is key: "fellowship".

People in general are far too used to paying software vendors to
spoonfeed them garbage.
To benefit from plan9 you have to understand and go with the flow
of its fundamental nature.

This is _not_ a product.

You are *not* entitled to
* pretty manuals,
* 0-800 support lines,
* annual upgrades
* virus scanners
* butt-kissing: if you're stupid, someone will tell you.

This is a community of people with a common interest.

You *are* entitled to:
* realise that you are part of something bigger than all of us
* work hard trying to understand it
* not piss the giants off by whining and shuffling from one foot
  to the other while you are standing on their shoulders
* sweat blood and carry boulders trying to make it better
* the wonderful feeling you get when something JUST WORKS.

If you can't get over this initial conceptual hump,
then fuck off back to CrapOS and leave us alone.

Dave out.





* Re: [9fans] Novice question - run as other
  2004-03-17  8:55         ` Geoff Collyer
  2004-03-17  9:04           ` David Tolpin
  2004-03-17  9:19           ` Bruce Ellis
@ 2004-03-17 10:31           ` boyd, rounin
  2004-03-17 14:01             ` Dave Lukes
  2 siblings, 1 reply; 31+ messages in thread
From: boyd, rounin @ 2004-03-17 10:31 UTC (permalink / raw)
  To: 9fans

> I had been reserving judgement on whether or not you (David Tolpin)
> really are the ungrateful punk that you appeared to be in all your
> other interactions on 9fans.  I have now concluded that you are.

made that choice about a week ago.  i'm with you, captain.




* Re: [9fans] Novice question - run as other
  2004-03-17  8:54       ` David Tolpin
  2004-03-17  8:56         ` Charles Forsyth
@ 2004-03-17 10:08         ` 9nut
  1 sibling, 0 replies; 31+ messages in thread
From: 9nut @ 2004-03-17 10:08 UTC (permalink / raw)
  To: 9fans

You said:
>> >> > a program from a shell script and change the user it runs as.
and later
> ? Is none not user?

Are you trying to solve a real problem or win an argument?




* Re: [9fans] Novice question - run as other
  2004-03-17  7:18   ` David Tolpin
  2004-03-17  8:10     ` Geoff Collyer
@ 2004-03-17  9:33     ` 9nut
  2004-03-17  8:54       ` David Tolpin
  1 sibling, 1 reply; 31+ messages in thread
From: 9nut @ 2004-03-17  9:33 UTC (permalink / raw)
  To: 9fans

>> > a program from a shell script and change the user it runs as.
>>
>> The security model doesn't allow this. Perhaps by running it as a service
>> on a cpu.  Check /sys/src/cmd/auth/cron.c and cap(3).  For some things
>> you can cpu over and change to a different uid:
> 
> The following works:
...
> 	fd>=0 && (write(fd,"none",strlen("none"))!=-1)

That's not what you asked.




* Re: [9fans] Novice question - run as other
  2004-03-17  9:17             ` Charles Forsyth
@ 2004-03-17  9:28               ` David Tolpin
  0 siblings, 0 replies; 31+ messages in thread
From: David Tolpin @ 2004-03-17  9:28 UTC (permalink / raw)
  To: 9fans

> >>would mean I would modify rc's #c/user. I don't understand something
> >>basic.
>
> sorry, i ought to have added that #c/user changes per-process data,

> 	kstrdup(&up->user, "none");	/* note use of up-> */

Oh, many thanks. I said it was a novice question.



* Re: [9fans] Novice question - run as other
  2004-03-17  8:55         ` Geoff Collyer
  2004-03-17  9:04           ` David Tolpin
@ 2004-03-17  9:19           ` Bruce Ellis
  2004-03-17 10:31           ` boyd, rounin
  2 siblings, 0 replies; 31+ messages in thread
From: Bruce Ellis @ 2004-03-17  9:19 UTC (permalink / raw)
  To: 9fans

it's funny that an astute colleague suggested that last week.
go out in the sun, mate!

geoff is not a bad judge ...

brucee
----- Original Message ----- 
From: "Geoff Collyer" <geoff@collyer.net>
To: <9fans@cse.psu.edu>
Sent: Wednesday, March 17, 2004 7:55 PM
Subject: Re: [9fans] Novice question - run as other


> Regrettably auth/none is undocumented.  This sometimes happens.  You
> do however have the sources and grep, and /sys/src/cmd/auth would have
> been an obvious place to look.
> 
> I had been reserving judgement on whether or not you (David Tolpin)
> really are the ungrateful punk that you appeared to be in all your
> other interactions on 9fans.  I have now concluded that you are.  Many
> of us have tried to help you, most of us civilly, and you've responded
> like a spoiled snot-nosed kid who thinks he's entitled to answers and
> that we have some obligation to provide them.  So I'm now deleting
> your messages on contact.




* Re: [9fans] Novice question - run as other
  2004-03-17  9:07           ` David Tolpin
@ 2004-03-17  9:17             ` Charles Forsyth
  2004-03-17  9:28               ` David Tolpin
  0 siblings, 1 reply; 31+ messages in thread
From: Charles Forsyth @ 2004-03-17  9:17 UTC (permalink / raw)
  To: 9fans

>>would mean I would modify rc's #c/user. I don't understand something
>>basic.

sorry, i ought to have added that #c/user changes per-process data,
not per-namespace data,
so it changes the data for the echo process, not for the rc.

/sys/src/9/port/auth.c:/^userwrite

userwrite(char *a, int n)
{
	if(n!=4 || strncmp(a, "none", 4)!=0)
		error(Eperm);
	kstrdup(&up->user, "none");	/* note use of up-> */
	up->basepri = PriNormal;
	return n;
}




* Re: [9fans] Novice question - run as other
  2004-03-17  8:56         ` Charles Forsyth
@ 2004-03-17  9:07           ` David Tolpin
  2004-03-17  9:17             ` Charles Forsyth
  0 siblings, 1 reply; 31+ messages in thread
From: David Tolpin @ 2004-03-17  9:07 UTC (permalink / raw)
  To: 9fans

> >>My question was how to do the same from rc. 
> >>@{echo -n none > '#c/user' ; while() {sleep 1} }
> >>succeeds but does not change the owner of the process. Why?
>
> aha! when that message arrived, i was just writing one to point out that you need to take
> care that you stay in the same process as changes #c/user.  in the case above,
> it does indeed change for the process that writes to #c/user (ie, the echo -n none)
> but of course that process ends, and the parent shell carries on to run
> 	while() {...}
> which happens in a different process from the echo!
>

Thank you for the comment. I really don't realize a simple thing.
Will go and look into the source code of rc. I thought redirection
would mean I would modify rc's #c/user. I don't understand something
basic.

Thanks again



* Re: [9fans] Novice question - run as other
  2004-03-17  8:55         ` Geoff Collyer
@ 2004-03-17  9:04           ` David Tolpin
  2004-03-17  9:19           ` Bruce Ellis
  2004-03-17 10:31           ` boyd, rounin
  2 siblings, 0 replies; 31+ messages in thread
From: David Tolpin @ 2004-03-17  9:04 UTC (permalink / raw)
  To: 9fans

> Regrettably auth/none is undocumented.  This sometimes happens.  You
> do however have the sources and grep, and /sys/src/cmd/auth would have
> been an obvious place to look.

But my question is not about authentication. My novice 
question is about a basic thing I don't understand about rc,
not about authentication.

The question has been stated clearly, and was not answered -- and
it's your right not to answer it. But I have no use of answers to
questions I did not ask. auth/none does nothing httpd and listen do,
and I did read the code for them before asking.

> I had been reserving judgement on whether or not you (David Tolpin)
> really are the ungrateful punk that you appeared to be in all your
> other interactions on 9fans.  I have now concluded that you are.  Many
> of us have tried to help you, most of us civilly, and you've responded
> like a spoiled snot-nosed kid who thinks he's entitled to answers and
> that we have some obligation to provide them.  So I'm now deleting
> your messages on contact.

You are welcome.

David Tolpin



* Re: [9fans] Novice question - run as other
  2004-03-17  8:54       ` David Tolpin
@ 2004-03-17  8:56         ` Charles Forsyth
  2004-03-17  9:07           ` David Tolpin
  2004-03-17 10:08         ` 9nut
  1 sibling, 1 reply; 31+ messages in thread
From: Charles Forsyth @ 2004-03-17  8:56 UTC (permalink / raw)
  To: 9fans

>>My question was how to do the same from rc. 
>>@{echo -n none > '#c/user' ; while() {sleep 1} }
>>succeeds but does not change the owner of the process. Why?

aha! when that message arrived, i was just writing one to point out that you need to take
care that you stay in the same process as changes #c/user.  in the case above,
it does indeed change for the process that writes to #c/user (ie, the echo -n none)
but of course that process ends, and the parent shell carries on to run
	while() {...}
which happens in a different process from the echo!



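The mechanism Charles describes above (a change to per-process state made by a child that then exits is never seen by the parent, while the same change made before an exec in the same process survives it), together with rog's earlier point that such state only matters when it is not inherited by children, is the same fork/chdir effect as in the Unix history story quoted earlier in the thread. The following is an added example and is not code from this thread or from Plan 9: it is portable POSIX C, with chdir() standing in for the write to #c/user, since the working directory is the closest per-process state a non-Plan 9 system has. The function names are this example's own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example: chdir() is the stand-in for writing "none" to #c/user.
 * Both change state that belongs to the calling process alone. */

/* 1. A change made in a child that then exits is invisible to the parent:
 *    the "@{echo -n none > '#c/user'; ...}" case.  Returns 1 if the
 *    parent's working directory is unchanged afterwards, -1 on error. */
int child_change_is_invisible_to_parent(void)
{
	char before[4096], after[4096];
	int status;
	pid_t pid;

	if (getcwd(before, sizeof before) == NULL)
		return -1;
	pid = fork();
	if (pid < 0)
		return -1;
	if (pid == 0) {
		/* child: change our own state, then die, as echo does */
		_exit(chdir("/") == 0 ? 0 : 2);
	}
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
		return -1;
	if (getcwd(after, sizeof after) == NULL)
		return -1;
	return strcmp(before, after) == 0;
}

/* 2. A change made before exec() in the same process is carried into the
 *    new program: the shape of the test.c program in this thread.
 *    Returns 1 if /bin/sh, started after chdir("/"), sees / as its cwd. */
int change_then_exec_is_carried(void)
{
	int status;
	pid_t pid = fork();

	if (pid < 0)
		return -1;
	if (pid == 0) {
		if (chdir("/") != 0)
			_exit(2);
		/* same process, so the new image inherits the changed state */
		execl("/bin/sh", "sh", "-c", "test \"$(pwd -P)\" = /", (char *)NULL);
		_exit(3);	/* only reached if exec itself failed */
	}
	if (waitpid(pid, &status, 0) < 0)
		return -1;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

/* 3. State set in the parent before fork() is inherited by the child
 *    (rog's point: the hack only bites for state that is not inherited).
 *    Returns 1 if a child forked after chdir("/") sees / as its cwd.
 *    The caller's own directory is saved and restored around the test. */
int parent_change_is_inherited_by_child(void)
{
	char cwd[4096];
	int saved, status = 0, restored;
	pid_t pid;

	saved = open(".", O_RDONLY);
	if (saved < 0)
		return -1;
	if (chdir("/") != 0) {
		close(saved);
		return -1;
	}
	pid = fork();
	if (pid == 0)
		_exit(getcwd(cwd, sizeof cwd) != NULL && strcmp(cwd, "/") == 0 ? 0 : 1);
	if (pid > 0)
		waitpid(pid, &status, 0);
	restored = fchdir(saved) == 0;	/* put the parent back where it was */
	close(saved);
	if (pid < 0 || !restored)
		return -1;
	return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main(void)
{
	printf("child change invisible to parent: %d\n", child_change_is_invisible_to_parent());
	printf("change then exec is carried:      %d\n", change_then_exec_is_carried());
	printf("parent change inherited by child: %d\n", parent_change_is_inherited_by_child());
	return 0;
}
```

All three checks return 1 on a POSIX system with /bin/sh. The second function is the pattern test.c in this thread relies on: change the state and then exec within the same process, instead of letting a child make the change and exit, which is what happens when the change is made by an external command such as echo.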

* Re: [9fans] Novice question - run as other
  2004-03-17  8:24       ` David Tolpin
@ 2004-03-17  8:55         ` Geoff Collyer
  2004-03-17  9:04           ` David Tolpin
                             ` (2 more replies)
  0 siblings, 3 replies; 31+ messages in thread
From: Geoff Collyer @ 2004-03-17  8:55 UTC (permalink / raw)
  To: 9fans

Regrettably auth/none is undocumented.  This sometimes happens.  You
do however have the sources and grep, and /sys/src/cmd/auth would have
been an obvious place to look.

I had been reserving judgement on whether or not you (David Tolpin)
really are the ungrateful punk that you appeared to be in all your
other interactions on 9fans.  I have now concluded that you are.  Many
of us have tried to help you, most of us civilly, and you've responded
like a spoiled snot-nosed kid who thinks he's entitled to answers and
that we have some obligation to provide them.  So I'm now deleting
your messages on contact.




* Re: [9fans] Novice question - run as other
  2004-03-17  9:33     ` 9nut
@ 2004-03-17  8:54       ` David Tolpin
  2004-03-17  8:56         ` Charles Forsyth
  2004-03-17 10:08         ` 9nut
  0 siblings, 2 replies; 31+ messages in thread
From: David Tolpin @ 2004-03-17  8:54 UTC (permalink / raw)
  To: 9fans

> >> > a program from a shell script and change the user it runs as.
> >>
> >> The security model doesn't allow this. Perhaps by running it as a service
> >> on a cpu.  Check /sys/src/cmd/auth/cron.c and cap(3).  For some things
> >> you can cpu over and change to a different uid:
> > 
> > The following works:
> ...
> > 	fd>=0 && (write(fd,"none",strlen("none"))!=-1)
>
> That's not what you asked.
>

? Is none not user?

cpu% grep none /adm/users
0:none:adm

cpu% none
cat /env/user
none

I want a program to run as a different user. From C, it means opening
'#c/user' and writing the user's name there. The security model is
a separate issue, the call either succeeds or fails, 
but it is a consequence of security limitations, and not of the API.

My question was how to do the same from rc. 

@{echo -n none > '#c/user' ; while() {sleep 1} }

succeeds but does not change the owner of the process. Why?

David




* Re: [9fans] Novice question - run as other
  2004-03-17  8:10     ` Geoff Collyer
@ 2004-03-17  8:24       ` David Tolpin
  2004-03-17  8:55         ` Geoff Collyer
  0 siblings, 1 reply; 31+ messages in thread
From: David Tolpin @ 2004-03-17  8:24 UTC (permalink / raw)
  To: 9fans

> Switching to `none' is a special case.  You have to authenticate

I know that.

> cryptographically to become any other user.  If you want to really
> become none and actually change your access rights, you have to do

I want the process to be owned by none. 

> more, notably newns().  

Yes, I know that.

I didn't think it would help to add one more
call to the C code that did what it should. My purpose was to
ask whether I can do it from rc(1) without calling C programs.
If I can't that's fine, I just wanted to know whether I missed
something.

> See /bin/auth/none and its source.

OK. would help mentioning it in man somewhere.

David



* Re: [9fans] Novice question - run as other
  2004-03-17  7:18   ` David Tolpin
@ 2004-03-17  8:10     ` Geoff Collyer
  2004-03-17  8:24       ` David Tolpin
  2004-03-17  9:33     ` 9nut
  1 sibling, 1 reply; 31+ messages in thread
From: Geoff Collyer @ 2004-03-17  8:10 UTC (permalink / raw)
  To: 9fans

Switching to `none' is a special case.  You have to authenticate
cryptographically to become any other user.  If you want to really
become none and actually change your access rights, you have to do
more, notably newns().  See /bin/auth/none and its source.




* Re: [9fans] Novice question - run as other
  2004-03-16 22:54 ` 9nut
@ 2004-03-17  7:18   ` David Tolpin
  2004-03-17  8:10     ` Geoff Collyer
  2004-03-17  9:33     ` 9nut
  0 siblings, 2 replies; 31+ messages in thread
From: David Tolpin @ 2004-03-17  7:18 UTC (permalink / raw)
  To: 9fans

> > a program from a shell script and change the user it runs as.
>
> The security model doesn't allow this. Perhaps by running it as a service
> on a cpu.  Check /sys/src/cmd/auth/cron.c and cap(3).  For somethings
> you can cpu over and change to a different uid:

The following works:

cpu% cat > test.c
#include <u.h>
#include <libc.h>

void
main(int argc, char **argv)
{
	int fd;

	if(argc == 1)
		exits("argument required");
	/* writing "none" to #c/user changes the user id of this process */
	fd = open("#c/user", OWRITE);
	if(fd < 0 || write(fd, "none", strlen("none")) != strlen("none"))
		exits("cannot become none");
	close(fd);

	/* exec stays in the same process, so the new user id is kept */
	exec(argv[1], argv+1);
	exits("exec failed");	/* only reached if exec fails */
}
^D
cpu% 8c test.c
cpu% 8l test.8
cpu% 8.out /bin/rc -c 'while () {}'

In another window

cpu% ps -a|grep 8.out
none           4546    0:15   0:00     244K Ready    /bin/rc -c 'while () {}'

How can I do this without the code in C?

David




* Re: [9fans] Novice question - run as other
       [not found] <200403161953.i2GJrNMv080779@adat.davidashen.net>
@ 2004-03-16 22:54 ` 9nut
  2004-03-17  7:18   ` David Tolpin
  0 siblings, 1 reply; 31+ messages in thread
From: 9nut @ 2004-03-16 22:54 UTC (permalink / raw)
  To: 9fans

> I'm missing something basic and cannot figure out. How can I run
> a program from a shell script and change the user it runs as.

The security model doesn't allow this. Perhaps by running it as a service
on a cpu.  Check /sys/src/cmd/auth/cron.c and cap(3).  For some things
you can cpu over and change to a different uid:

% cpu  -a netkey
user[dvd]: glenda
challenge: 2304
response: 
etc.

You could also drawterm as a different user.



