From: erik quanstrom <quanstro@quanstro.net>
To: 9fans@9fans.net
Subject: Re: [9fans] sendfd() on native Plan 9?
Date: Tue, 30 Dec 2008 10:31:19 -0500 [thread overview]
Message-ID: <a3fe2d1742ad4715ded95ccc69e6409b@quanstro.net> (raw)
In-Reply-To: <20081230082245.GA8355@masters10.cs.jhu.edu>
> If one buys this argument, then namespaces are not valid security constructs
they are not security constructs at all. though ftpd and a few friends
use rfork(2) to create a pgrp that doesn't allow attaches. very simple
and effictive, but probablly not strong security.
> either, and Plan 9 security boundaries are defined solely by user id.
on the cpu server and authentication server , this is true. on the file
server, group also matters.
> That is, the claim that "a process spawned without access to your home directory
> cannot get it" is flawed if that process runs as your user.
use RFNOMNT.
> (Even if I can't mount it, I can attach a debugger to a process that can and make it
> make system calls for me. You now have to intermediate my #p (/proc)
> service.
factotum protects against this by making itself undebuggable and
unpagable. /sys/src/cmd/auth/factotum/fs.c:/^private
also, binding '#p' into the namespace isn't required for everything.
combined with rfork(RFNOMNT), nor is providing network services.
> You have to ensure that I can't dial it and authenticate with
> factotum. It's a mess!)
how would that attack work?
supposing that you have a fully jailed process. if it has a connection
to the fileserver, which does do security by user id, the jailed process
can still mess with you. say by deleting all your files.
i think the real question here is why don't you trust your
processes? is it because someone else is running them
> I may be tainted by the capability microkernel koolaid, but I don't like the
> idea that users are the sole security domain objects, and I really dislike
> that I can build stronger security constructs when using multiple kernels
> rather than just one.
i don't understand this.
this doesn't seem like a compelling reason to turn namespaces into
containers. for the reasons you cite, containers are also unattactive
solutions to security problems.
- erik
next prev parent reply other threads:[~2008-12-30 15:31 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-12-23 18:01 Nathaniel W Filardo
2008-12-23 22:52 ` Rodolfo kix Garcia
2008-12-23 23:53 ` Francisco J Ballesteros
2008-12-24 1:10 ` Nathaniel W Filardo
2008-12-24 1:39 ` erik quanstrom
2008-12-24 3:00 ` Nathaniel W Filardo
2008-12-24 4:14 ` erik quanstrom
2008-12-24 7:36 ` Nathaniel W Filardo
2008-12-24 13:36 ` erik quanstrom
2008-12-27 20:27 ` Roman Shaposhnik
2008-12-27 20:34 ` Eric Van Hensbergen
2008-12-27 20:21 ` Roman Shaposhnik
2008-12-30 8:22 ` Nathaniel W Filardo
2008-12-30 15:04 ` Eric Van Hensbergen
2008-12-30 15:31 ` erik quanstrom [this message]
2009-01-01 22:53 ` Roman V. Shaposhnik
2009-01-01 23:57 ` Nathaniel W Filardo
2009-01-03 21:23 ` Roman V. Shaposhnik
2009-01-03 21:41 ` erik quanstrom
2009-01-03 21:59 ` Roman V. Shaposhnik
2009-01-03 23:57 ` Nathaniel W Filardo
2009-01-04 5:19 ` lucio
2009-01-04 5:48 ` erik quanstrom
2009-01-04 6:10 ` Nathaniel W Filardo
2009-01-04 6:43 ` lucio
2009-01-05 1:12 ` Roman V. Shaposhnik
2009-01-05 1:32 ` erik quanstrom
2009-01-05 3:48 ` lucio
2009-01-04 17:32 ` erik quanstrom
2009-01-04 18:23 ` lucio
2009-01-05 1:24 ` Roman V. Shaposhnik
2009-01-04 5:58 ` Nathaniel W Filardo
2009-01-04 6:26 ` lucio
2009-01-04 15:46 ` erik quanstrom
2009-01-05 4:30 ` Roman V. Shaposhnik
2008-12-24 1:17 ` Nathaniel W Filardo
2008-12-27 17:06 ` Russ Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a3fe2d1742ad4715ded95ccc69e6409b@quanstro.net \
--to=quanstro@quanstro.net \
--cc=9fans@9fans.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).