[9fans] allow

[9fans] allow

[tapique]

hi,

this works for me on fossil like 'disk/kfscmd allow' does on kfs:

term% con /srv/fscons
prompt: uname adm +pac
prompt: uname adm -pac


however, is this the right way to temporarily circumvent permissions??

thanks,
++pac.



--------------------------
Posílejte SMS přes internet zdarma a bez reklamy. Pouze s TISCALI.
Více na http://www.tiscali.cz

Re: [9fans] allow

[Lucio De Re]

> however, is this the right way to temporarily circumvent permissions??

I have a

	prompt: srv -APW fossil

in the config file and only

	% mount -c /srv/fossil /n/fossil

where required.  The replica/network script does a similar thing.  The
permissions on /srv/fossil are adequate protection and it seems they
can be altered to no avail (last time I tried).

In passing, does

	% rm /srv/fossil

reverse the above fossilcons command?  And

	% rm /srv/fscons

?  I'm not sure I ought to test this.

++L

Re: [9fans] allow

[arisawa]

> this works for me on fossil like 'disk/kfscmd allow' does on kfs:
>
> term% con /srv/fscons
> prompt: uname adm +pac
> prompt: uname adm -pac
>
>
> however, is this the right way to temporarily circumvent permissions??
>

term% mkdir /n/f  # need only once
term% echo srv -APW f | con /srv/fscons
term% 9fs f
term%

then you can do every thing without permission in /n/f/*
this is very very convenient.
and I have a script named "-f", the usage example is
-f chgrp staff foo
You will find the code at /n/source/arisawa/misc/-f

Kenji Arisawa

Re: [9fans] allow

[Heiko Dudzus]

Lucio De Re wrote:
> > however, is this the right way to temporarily circumvent permissions??
> I have a
>
> 	prompt: srv -APW fossil
>
> in the config file and only
>
> 	% mount -c /srv/fossil /n/fossil

[snip]

> In passing, does
>
> 	% rm /srv/fossil
>
> reverse the above fossilcons command?  And
>
> 	% rm /srv/fscons
>
> ?  I'm not sure I ought to test this.

prompt: srv -d fossil

removes the srv file.

Re: [9fans] allow

[Lucio De Re]

> prompt: srv -d fossil
>
> removes the srv file.

Well, that's consistent, I hadn't even thought about it.  I think
Russ's 9p library deals with the condition I was being curious about,
but I haven't looked that deep.  If I remember right, rm /srv/ftpfs,
typically, causes ftpfs to terminate.  Fossil is more complicated (and
close has not been implemented, last I looked, as one small, unrelated
quibble), so I'm edging my bets :-)

++L

Re: [9fans] allow

[arisawa]

Hello,

Douglas A. Gwyn wrote:
>presotto@plan9.bell-labs.com wrote:
>> Cron in such a system becomes much harder.  The cron process has  
to
>> possess some of  my private keys in order to do it's job.
>
>I don't see that -- surely a "user" could fire up its own cron-ish
>process to perform scheduled tasks.  Why does there have to be a
>centralized "cron"?

I also think we can discard "cron from authserver" if it is hard to  
build public key system.
As a matter of fact, I am using a cron that was rewritten to be  
executed without authserver. I think the cron from authserver is
unnecessarily complicated.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

Re: [9fans] allow

[Douglas A. Gwyn]

presotto@plan9.bell-labs.com wrote:
> Cron in such a system becomes much harder.  The cron process has to
> possess some of  my private keys in order to do it's job.

I don't see that -- surely a "user" could fire up its own cron-ish
process to perform scheduled tasks.  Why does there have to be a
centralized "cron"?

Re: [9fans] allow

[presotto]

[-- Attachment #1: Type: text/plain, Size: 1515 bytes --]

I'ld tend to agree with this.  Kfs for us is primarily a toy that we
use only on a few standalone systems that we'ld never type allow on.
All of our other systems are 'file system'-less.  Hostowner controls
local resources and, as such, is a superuser for that box.  To a lesser
extent, it can be a superuser to a larger domain since the authentication
server will allow some id's to 'speak for' other id's when connecting
to resources.  I'm currently toying with a complete public key based
system that doesn't even have this speaks for relation so that there
is no super-user.  This arrangement makes a lot of things nicer but
makes somethings more awkward.  For example, I can have a hostagent
running on my terminal that brokers all authentication for my processes,
even ones on cpu servers.  However, when making calls out from a cpu
server, I still have to trust the owner of that cpu server to be running
a system that does what my processes ask it to.  Hence, I'm trusting the
host owner making him a super-user of sorts.  However, the sphere of trust
can be much more arbitrariy and egocentric and I like that.

Cron in such a system becomes much harder.  The cron process has to
possess some of  my private keys in order to do it's job.  I could
limit its ability by certifying scripts that it runs but that's more
work.  However, I think I'm going to bite the bullet and do it.

I'm much enamoured of Mazieres' SFS.  I'ld like to make our authentication
mechanism as easy to use.

[-- Attachment #2: Type: message/rfc822, Size: 2642 bytes --]

From: arisawa@ar.aichi-u.ac.jp
To: 9fans@cse.psu.edu
Subject: Re: [9fans] allow
Date: Fri, 14 Jul 2000 20:25:46 -0400 (EDT)
Message-ID: <20000714235707.287.qmail@nx.aichi-u.ac.jp>

Hello,

Rob Pike said:
>Better ideas (short of a superuser) are welcome.

and pip@stricca.org:
>Maybe the use of smart cards might be a solution.

I think it is an illusion that we can protect local file system
from someone who can touch keyboard of the machine.
Plan9 has a good solution for the terminals that are shared by
more than one person. That is, "it is best to purge local file  
systems."

On the other hand, There are terminals that are used and managed
by a single person. We need not worry about malicious operations
by the owner. I believe kfs is intended for this case.

UNIX "root" is a formal administrative account. The account worked
well until machines were very expensive. But now every one can have
machines that run UNIX; and then, inconvenience and insecureness are  
left for us.

Plan9 introduced "host owner" instead of "root". Both govern the  
machine. Therefore they are superusers.
I think problem with kfs is in that it does not make distinguish
between "host owner" and others.
"host owner" is, in fact, a special user in terminals and/or  
servers.
Therefore, I think some operations should be limited only to host  
owner.
For example, "disk/kfscmd allow" should allow only to host owner to
ignore access permission.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

Re: [9fans] allow

[arisawa]

Hello,

Rob Pike said:
>Better ideas (short of a superuser) are welcome.

How about is the followings?
1. Storage device is owned by user adm.
2. ^X key (for example) swaps consoles of user adm and hostowner.
3. disk/* can be executed only by user adm.

Please forgive me if I misunderstand what you said.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

Re: [9fans] allow

[arisawa]

Hello,

Rob Pike said:
>Better ideas (short of a superuser) are welcome.

and pip@stricca.org:
>Maybe the use of smart cards might be a solution.

I think it is an illusion that we can protect local file system
from someone who can touch keyboard of the machine.
Plan9 has a good solution for the terminals that are shared by
more than one person. That is, "it is best to purge local file  
systems."

On the other hand, There are terminals that are used and managed
by a single person. We need not worry about malicious operations
by the owner. I believe kfs is intended for this case.

UNIX "root" is a formal administrative account. The account worked
well until machines were very expensive. But now every one can have
machines that run UNIX; and then, inconvenience and insecureness are  
left for us.

Plan9 introduced "host owner" instead of "root". Both govern the  
machine. Therefore they are superusers.
I think problem with kfs is in that it does not make distinguish
between "host owner" and others.
"host owner" is, in fact, a special user in terminals and/or  
servers.
Therefore, I think some operations should be limited only to host  
owner.
For example, "disk/kfscmd allow" should allow only to host owner to
ignore access permission.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

Re: [9fans] allow

[Randolph Fritz]

On Fri, Jul 14, 2000 at 02:51:21PM -0400, pip@namaste.stricca.org wrote:
> 
> The reason 'allow' is fine on the stand-alone file fileserver is because
> of physical security. Is it possibly to provide a similar facility in the 
> context of the general purpose system ? Maybe the use of smart cards
> might be a solution. At system configuration time, you config the 
> system to recognize the bearer of a particular card as the admin.
> 

This could be done relatively simply with Dallas Semiconductor's
iButton, which you can read about at <http://www.ibutton.com>.  The
gadget and its interface are quite inexpensive.  And they sell a
decoder ring version.  Really.

-- 
Randolph Fritz
Eugene, Oregon, USA

Re: [9fans] allow

[pip]

[-- Attachment #1: Type: text/plain, Size: 572 bytes --]

Hi

This may seem a bit cumbersome when you initially think about it,
but :

The reason 'allow' is fine on the stand-alone file fileserver is because
of physical security. Is it possibly to provide a similar facility in the 
context of the general purpose system ? Maybe the use of smart cards
might be a solution. At system configuration time, you config the 
system to recognize the bearer of a particular card as the admin.

Whenever you need to admin the system, insert the smartcard, do
stuff, pull it out, capability gone. 

just a thought.
-
pip


[-- Attachment #2: Type: message/rfc822, Size: 1869 bytes --]

From: "rob pike" <rob@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: [9fans] allow
Date: Fri, 14 Jul 2000 10:18:54 -0400
Message-ID: <200007141418.KAA00244@cse.psu.edu>

"Allow" is a wretched thing.  It was put in the original file server code for
bootstrapping, and only gets turned on during administrative hell.  When
that code was adapted to form kfs, the same necessity led to the same
solution, but it is a far more dangerous, nasty, foul thing in that context.
The reason is that the stand-alone file server has a true console and is not
a general-purpose operating system, while kfs runs as a traditional file
server on a general-purpose machine.

Better ideas (short of a superuser) are welcome.

-rob

[9fans] allow

[rob pike]

"Allow" is a wretched thing.  It was put in the original file server code for
bootstrapping, and only gets turned on during administrative hell.  When
that code was adapted to form kfs, the same necessity led to the same
solution, but it is a far more dangerous, nasty, foul thing in that context.
The reason is that the stand-alone file server has a true console and is not
a general-purpose operating system, while kfs runs as a traditional file
server on a general-purpose machine.

Better ideas (short of a superuser) are welcome.

-rob