From mboxrd@z Thu Jan 1 00:00:00 1970 MIME-Version: 1.0 In-Reply-To: References: Date: Mon, 10 Oct 2011 13:39:14 +0100 Message-ID: From: Charles Forsyth To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Subject: Re: [9fans] p9any auth in u9fs: uid value in ticked is ignored Topicbox-Message-UUID: 359987d8-ead7-11e9-9d60-3106f5b1d025 It's true that the server must take account of the result of authentication, but although that might not mean identity, the results of authentication should be consistent with the name presented as uname in Tauth/Tattach. In the context of p9auth I think that means that the cuid of AuthInfo should match. That doesn't preclude the server from having a more subtle acquisition of authority, for instance by having an auth file that's kept open, allowing incremental authentication using another protocol. On 10 October 2011 13:07, Yaroslav wrote: > There is a security problem with p9auth in u9fs: it uses uname from > Tauth/Tattach as user's identity - ignoring the user id which has been > authenticated to the auth server. =C2=A0As uname is always set to up->use= r > in devmnt, this means that: >