9fans - fans of the OS Plan 9 from Bell Labs
From: Charles Forsyth <charles.forsyth@gmail.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] What's up with $home? And a security question.
Date: Mon, 25 Feb 2013 11:56:31 +0000
Message-ID: <CAOw7k5iFr6Adxo=D_qNJze5X9Tpa7kHM667qyGp6Ng80YULYXw@mail.gmail.com>
In-Reply-To: <CAJQxxwmxSgfOiKsbkcNmB2Lt79ZW804SF6fGFEMxS0O1J1g5SA@mail.gmail.com>


"My other question is: what are the security implications of cpu? You get to do processes on the remote box, but then they also get to have filesystem access on yours."

If you don't entirely trust the cpu server, you *should* export a name space from your terminal, limit the processes on the cpu server to just that name space, be careful what's in that space, including how you've set permissions, and which user is doing the export. That way, your terminal (which is under your control, allowing for SMI, BIOS, UEFI, bugs ...) acts as the reference monitor to your files. It's also easy to make a 9P filter that ensures read-only access on an arbitrary 9P connection, so that even if permissions are wrong, permanent damage is prevented. It's just a few dozen lines, much of that boilerplate. I say "terminal" above, but it applies to any device or your own servers that connect to the untrusted server.

Ordinarily, the cpu server has access to files and devices at /mnt/term, but you control that access at the terminal. On the cpu server itself, however, for the cpu server to access your files directly from the file server, when you first mount /srv/boot to form the root of a name space on the cpu server, you normally give the server implicit permission to speak for you to the file server in all subsequent transactions from that mount point, because it is multiplexing the requests of many users on that same connection, and you trust that it won't (say) deviously or carelessly allow another user's process to access a fid that you've Tauth'd and Tattach'd, giving full access as you to all your files, perhaps long after you've disconnected.

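The read-only 9P filter mentioned in the message, as an added example written for this page (not code from the message, from Plan 9 or from any 9fans project): it inspects client-to-server T-messages in 9P2000 wire format and refuses the ones that would mutate the exported name space, answering them with a synthesized Rerror. The function names, the error string and the sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* 9P2000 message types and open-mode bits relevant to a read-only filter */
enum { Rerror = 107, Topen = 112, Tcreate = 114, Twrite = 118, Tremove = 122, Twstat = 126 };
enum { OREAD = 0, OWRITE = 1, ORDWR = 2, OEXEC = 3, OTRUNC = 0x10, ORCLOSE = 0x40 };

static uint32_t get32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Decide whether a client T-message (size[4] type[1] tag[2] ...) may be forwarded
 * to the file server. Returns 1 to forward, 0 to refuse; malformed messages are refused. */
int ro_allow(const uint8_t *msg, size_t n)
{
    if (n < 7 || get32(msg) != n)
        return 0;
    switch (msg[4]) {
    case Tcreate: case Twrite: case Tremove: case Twstat:
        return 0;                        /* these always mutate the file system */
    case Topen:                          /* fid[4] mode[1] follows the header */
        if (n < 12 || (msg[11] & (OTRUNC | ORCLOSE)))
            return 0;                    /* truncate-on-open and remove-on-close also mutate */
        return (msg[11] & 3) == OREAD || (msg[11] & 3) == OEXEC;
    default:
        return 1;                        /* version, auth, attach, walk, read, stat, clunk, ... */
    }
}

/* Synthesize an Rerror for a refused message, echoing its tag so the client can match it.
 * Returns bytes written into out, or 0 if cap is too small. */
size_t ro_rerror(const uint8_t *msg, uint8_t *out, size_t cap)
{
    static const char ename[] = "permission denied: read-only filter";   /* constructed text */
    size_t slen = strlen(ename), total = 4 + 1 + 2 + 2 + slen;
    if (cap < total)
        return 0;
    put32(out, (uint32_t)total);
    out[4] = Rerror;
    out[5] = msg[5]; out[6] = msg[6];    /* tag[2] copied from the request */
    out[7] = slen; out[8] = slen >> 8;   /* ename[s]: len[2] then the bytes */
    memcpy(out + 9, ename, slen);
    return total;
}

/* Constructed sample messages: Topen with tag 1, fid 2, mode OWRITE, and the same with OREAD */
const uint8_t sample_topen_write[12] = { 12, 0, 0, 0, Topen, 1, 0, 2, 0, 0, 0, OWRITE };
const uint8_t sample_topen_read[12]  = { 12, 0, 0, 0, Topen, 1, 0, 2, 0, 0, 0, OREAD };
uint8_t rerror_buf[64];
```

A real filter sits between the two ends of the connection, calls ro_allow on each client message, forwards the allowed ones unchanged and writes the ro_rerror reply back to the client for the rest; replies from the server pass through untouched.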

