From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: <941cc240e9368544f7edceaee74294f4@9srv.net> Date: Mon, 25 Feb 2013 11:56:31 +0000 Message-ID: From: Charles Forsyth To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: multipart/alternative; boundary=f46d0438ee615f675204d68b3bd5 Subject: Re: [9fans] What's up with $home? And a security question. Topicbox-Message-UUID: 1eca65e4-ead8-11e9-9d60-3106f5b1d025 --f46d0438ee615f675204d68b3bd5 Content-Type: text/plain; charset=UTF-8 "My other question is: what's the security implications of cpu? You get to do processes on the remote box, but then they also get to have filesystem access on yours. " If you don't entirely trust the cpu server, you *should* export a name space from your terminal, limit the processes on the cpu server to just that name space, be careful what's in that space, including how you've set permissions, and which user is doing the export. That way, your terminal (which is under your control, allowing for SMI, BIOS, UEFI, bugs ...) acts as the reference monitor to your files. It's also easy to make a 9P filter that ensures read-only access on an arbitrary 9P connection, so that even if permissions are wrong, permanent damage is prevented. It's just a few dozen lines, much of that boilerplate. I say "terminal" above, but it applies to any device or your own servers that connect to the untrusted server. Ordinarily, the cpu server has access to files and devices at /mnt/term, but you control that access at the terminal. On the cpu server itself, however, for the cpu server to access your files directly from the file server, when you first mount /srv/boot to form the root of a name space on the cpu server, you normally give the server implicit permission to speak for you to the file server in all subsequent transactions from that mount point, because it is multiplexing the requests of many users on that same connnection, and you trust that it won't (say) deviously or carelessly allow another user's process to access a fid that you've Tauth'd and Tattach'd, giving full access as you to all your files, perhaps long after you've disconnected. --f46d0438ee615f675204d68b3bd5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
"My other question is: what's the security implic= ations of cpu? =C2=A0You
get to do processes on the remote box, but the= n they also get to have
filesystem access on yours. "

If you don't entirely trust the cpu server, you *should* export a name = space from your terminal,
limit the processes on the cpu server t= o just that name space, be careful what's in that space, including how<= /div>
you've set permissions, and which user is doing the export. = That way, your terminal (which is under
your control,= allowing for SMI, BIOS, UEFI, bugs ...) acts as the reference monitor to y= our files. It's also easy to make a 9P filter that ensures
read-only access on an arbitrary 9P connection, so that even if = permissions are wrong, permanent
damage is prevented. It= 9;s just a few dozen lines, much of that boilerplate. I say "terminal&= quot; above,
but it applies to any device or your own servers that connect to= the untrusted server.

Ordinarily, the= cpu server has access to files and devices at /mnt/term, but you control t= hat access at the terminal.
On the cpu server itself, however, for the cpu server to access = your files directly from the file server, when you
first mo= unt /srv/boot to form the root of a name space on the cpu server, you norma= lly give the server implicit permission to speak for you to the file server=
in all subsequent transactions from that mount point, because it= is multiplexing the requests of many users
on that same co= nnnection, and you trust that it won't (say) deviously or carelessly al= low another
user's process to access a fid that you've Tauth'd a= nd Tattach'd, giving full access as you to all your files,
perhaps long after you've disconnected.
--f46d0438ee615f675204d68b3bd5--