From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Date: Thu, 16 Apr 2009 22:19:21 -0400
Subject: Re: [9fans] security questions
Message-ID: <9ab217670904161919na069ecy3fcc06d412307a40@mail.gmail.com>
In-Reply-To: <20090417020731.A822E5B1B@mail.bitblocks.com>
References: <9ab217670904161636p62f77a18ufe0c14ac6245f078@mail.gmail.com> <3535ae9780efe698b30d5c4bf8f5b5b7@quanstro.net> <9ab217670904161825k467a8a4ew31689b207f6ab984@mail.gmail.com> <20090417020731.A822E5B1B@mail.bitblocks.com>

2009/4/16 Bakul Shah:
> On Thu, 16 Apr 2009 21:25:06 EDT "Devon H. O'Dell" wrote:
>> That said, I don't disagree. Perhaps Plan 9's environment hasn't been
>> assumed to contain malicious users. Which brings up the question: Can
>> Plan 9 be safely run in a potentially malicious environment? Based on
>> this argument, no, it cannot. Since I want to run Plan 9 in this sort
>> of environment (and thus move away from that assumption), I want to
>> address these problems, and I kind of feel like it's weird to be
>> essentially told, ``Don't do that.''
>
> Why not give each user a virtual Plan 9? Not like vmware/qemu
> but more like FreeBSD's jail(8), "done more elegantly"[TM]!
> To deal with potentially malicious users you can virtualize
> resources, backed by limited/configurable real resources.

I saw a talk about Mult at DCBSDCon. I think it's a much better idea
than FreeBSD jail(8), and its security is provable. See also:
http://mult.bsd.lv/

I do like this idea.

> The other thought that comes to mind is to consider something
> like class based queuing (from the networking world). That
> is, allow choice of different allocation/scheduling/resource
> use policies and allow further subdivision. Then you can give
> preferential treatment to known good guys. Other users can
> still experiment to their heart's content within the
> resources allowed them.
>
> My point being: think of a consistent high level model that
> you like and then worry about implementation details.

That's also another interesting idea I hadn't considered.

Anybody else with thoughts on these?

--dho