9fans - fans of the OS Plan 9 from Bell Labs
From: Ronald G Minnich <rminnich@lanl.gov>
To: <9fans@cse.psu.edu>
Subject: Re: [9fans] Virtual memory & paging
Date: Sat, 16 Feb 2002 14:56:06 -0700
Message-ID: <Pine.LNX.4.33.0202161434010.26139-100000@xed.acl.lanl.gov>
In-Reply-To: <E16bjQ2-0001wo-00@po>

On Fri, 15 Feb 2002, Richard Uhtenwoldt wrote:

> I didn't know about your work on private namespaces for Linux until
> about 3-6 months ago.  Can't recall exactly when.  I think I saw an
> announcement on Slashdot and shortly afterward you mentioned it here.

Well I tried once or twice to get papers on it published ca. 1996. It
finally got accepted at a conference in France in 1999, where I learned
just how bad my French has gotten as I tried to follow the talks. But I
got to speak in English, so nobody understood me either. Interesting. I
wonder what if anything I communicated :-) [[ Although in general French
CS researchers' English beats my French]]

The attitude in the US (and Usenix and DARPA) community until not long ago
was "what a stupid idea private name spaces are, you can hack that into
Unix with chroot/jail/whatever" (some reviewers' comments from various
Usenix conferences were just AMAZING). So I got to feel in miniature the
frustration the plan9 guys must have felt for the last decade+ trying to
get these ideas across ...

Not long ago it has started to move to "... we're doing that already" (as
recently stated by one of the Linux core guys, forwarded to me by
somebody). ah well. At least it's happening. (but all the other Unix
problems remain intact).

I actually started this work in the early 90s because while Unix is the
wrong way to build big distributed computing systems, I saw no way out of
the Unix box, and it seemed Plan 9 would never get unlocked. Of course,
now Grids are all the rage, and they're being built with Unix and NT
(s/Unix/Linux/ if you wish). And of course they're horribly insecure. And
nobody seems to want to talk about it -- it might interrupt funding, and
switching OSes is hard.

Just one example: in Globus, all remote users (according to a recent talk
I saw) run as the "GLOBUS user" (same integer UID -- think about it, it's
hard to do it many other ways on Unix). Imagine the following scenario: I
get on to a machine as a GLOBUS user, I fork, parent exits. I wait for
some other globus user, then I hijack them via ptrace. Then I do terrible
things to them -- including go after their files, etc. Easy, easy, easy
on Unix. Chroot has no power over the PID space.

So one proposed fix? Use DYNINST to rewrite the binary to dynamically
change all my system calls (system calls get forwarded, I guess, as in
Condor) so that the hijacker can't guess what you're doing. Sort of
encrypting system calls. It is claimed this is a good idea.

YUCK.

I pointed out to the speaker that if he built his system on Plan 9, this
type of thing is not an issue: no global integer UID space, no common
GLOBUS user, no global PID space, no hijack potential. Response: "Nobody
uses Plan 9, it's been shut down, nobody is working on it". My response,
in short: "bullshit". His response, "Yes but nobody is using it, we all
use Linux, so it doesn't matter if it is better". Gosh, I remember when
people said all this stuff about Unix.

"Meet the new boss, same as the old boss".

ron
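
The shared-UID hijack described in the message depends on ptrace permitting attach between unrelated processes with the same UID. As an added example (not part of the original message), this C program models how Linux's Yama `ptrace_scope` setting, which postdates this message, and the `PR_SET_DUMPABLE` flag change that decision. The names `attach_allowed`, `read_ptrace_scope` and `harden_self` are hypothetical, and the model is a simplification that ignores `PR_SET_PTRACER` exceptions.

```c
#include <stdio.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Yama ptrace_scope values, as documented for the Linux Yama LSM. */
enum { SCOPE_CLASSIC = 0, SCOPE_RESTRICTED = 1, SCOPE_ADMIN = 2, SCOPE_NONE = 3 };

/* Simplified model of the PTRACE_ATTACH decision (assumption: no PR_SET_PTRACER).
 * same_uid: tracer shares the target's UID; descendant: target descends from tracer;
 * dumpable: target kept its dumpable flag; cap_ptrace: tracer has CAP_SYS_PTRACE. */
int attach_allowed(int scope, int same_uid, int descendant, int dumpable, int cap_ptrace)
{
    if (scope == SCOPE_NONE) return 0;       /* attach disabled for everyone */
    if (cap_ptrace) return 1;                /* privileged tracer */
    if (scope == SCOPE_ADMIN) return 0;      /* CAP_SYS_PTRACE required */
    if (!same_uid || !dumpable) return 0;    /* classic Unix checks */
    if (scope == SCOPE_RESTRICTED) return descendant;
    return 1;                                /* scope 0: any same-UID process */
}

/* Read the live setting; -1 means Yama is absent, so scope 0 rules apply. */
int read_ptrace_scope(const char *path)
{
    int v = -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (fscanf(f, "%d", &v) != 1) v = -1;
    fclose(f);
    return v;
}

/* Per-process hardening: clear dumpable so unprivileged same-UID attach fails. */
int harden_self(void)
{
#ifdef __linux__
    return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
#else
    return -1;
#endif
}

int main(void)
{
    int s = read_ptrace_scope("/proc/sys/kernel/yama/ptrace_scope");
    if (s < 0) s = SCOPE_CLASSIC;
    printf("scope=%d unrelated same-UID attach=%d\n", s, attach_allowed(s, 1, 0, 1, 0));
    printf("harden rc=%d, attach after=%d\n", harden_self(), attach_allowed(s, 1, 0, 0, 0));
    return 0;
}
```

Clearing the dumpable flag also disables core dumps for the process, so it suits long-running services more than interactive tools.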


