From mboxrd@z Thu Jan 1 00:00:00 1970 From: miller@hamnavoe.demon.co.uk To: 9fans@cse.psu.edu Date: Tue, 27 Jun 2000 10:39:12 +0100 Subject: Re: [9fans] cpu/file/terminal server of my dream Message-Id: Topicbox-Message-UUID: cbd7ffcc-eac8-11e9-9e20-41e7f4b1d025 Wladimir Mutel writes: Suppose I have basic Plan9 setup (9pcdisk). I log on to its terminal server under my own user name. How then do I give my file- and cpu-services to my unix colleagues, provided they have 9term and wish to connect to my host to know some more about Plan9 ? I think what your Unix colleagues want is not 9term but drawterm(8), "a program that users of non-Plan 9 systems can use to establish graphical cpu(1) connections with Plan 9 CPU servers". The normal way to export the cpu and auth services needed by drawterm is to configure your machine as a cpu server. It is possible to make a Plan 9 terminal listen on cpu and ticket (authentication) ports, but this is not the way Plan 9 is designed to be used. See below... How then do I make a secure file server of my local harddisk (with some use restrictions for disk/kfscmd)? Now anybody can log on locally to terminal server under any name and make anything with local filesystem with kfscmd ! Nothing similar is observed for any unix installation, why is it so insecure under Plan9 ? A normal "production" Plan 9 network is more secure than the average Unix system, because of the separation of file service, cpu service, and user access onto separate machines. A Plan 9 file server (presumably kept behind a locked door) exports only one service to the outside world, which is subject to authentication by a trusted machine. You can't log in to the file server remotely or exploit flaws in obscure network services to run malicious programs there -- in fact the file server can't run anything which is not built into its kernel. A cpu server is a shared system, but can only be accessed via an external connection authenticated by a trusted machine, with no superuser or setuid to break through the separation between user resources, and no chance of bypassing file protections by accessing disk devices directly because they are attached to the file server. Finally, the only machine under physical control of the user is the Plan 9 terminal, which is a intended as a single-user resource, not a server; its local disk, if any, is for swapping and cacheing of temporary copies of files. Subsequent users "login" to a terminal by rebooting from the network, so they know they are talking to a fresh instance of Plan 9 and not to a login spoofing program which a previous user has left running to collect passwords... The real "basic Plan9 setup" -- i.e. the minimal configuration intended to export and use services on a network -- uses at least three machines. The stand alone terminal with a local kfs is a compromise, and doesn't pretend to be secure. I would point out that security is mostly illusory for just about any stand alone machine which is physically accessible, whatever the operating system. Most Unix PC's can be booted in single user mode, or booted from a floppy with a specially doctored kernel. I haven't used Solaris lately, but I know I used to be able to put a Sun into super-user mode in a few seconds by using the ROM monitor to alter a few bytes in kernel memory. I know I need to rebuild a kernel, but among different kernel configurations I did not find one I want. Really, what if I do not want, or simply am unable, to dedicate spare headless machine for file serving (for example, since not having one) ? Yes, it can be useful to make a cpu server act as a file server too; despite the above sermon I admit that I do it sometimes. The distributed system allows for this by using exportfs(4) -- just rename _il17008 and _tcp564 in /rc/bin/service to il17008 and tcp564. But this doesn't provide authentication, and exportfs is rather inefficient and tends to run out of resources. So I've implemented a kfscmd which tells kfs to export a fully authenticated file service to the network. Russ Cox is currently trying this out, so my changes may find their way into the standard system; if not, I can post them to 9fans. I just have a strongest wish for single host to be file and cpu server at the same time, and to become also a terminal server whenever whoever wants to log on it locally (like X-server with xdm). (and to log off it by stopping terminal server but keeping cpu and file servers running). Some years ago, Vadim Antonov posted changes to make a cpu server act as a terminal for successive users -- init(8) reads and authenticates a user name, and control of resources is split between #c/termowner (screen, keyboard, mouse and floppy) and #c/hostowner (everything else). So this is feasible too. But I think it's worthwhile to spend some time getting to know Plan 9 as it is before rushing to make it more like Unix. -- Richard Miller