From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <8c05f41eb1f9a25d256bbe7caf738e82@kw.quanstro.net>
References: <46914d2c-437d-406e-a928-123f4d09f9f7@u15g2000prd.googlegroups.com> <9c9e4b12769a946cad1659bb2a83fe0c@coraid.com> <8c05f41eb1f9a25d256bbe7caf738e82@kw.quanstro.net>
Date: Mon, 12 Apr 2010 16:01:31 +0100
Message-ID:
From: "Devon H. O'Dell"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] /sys/lib/newuser patch
Topicbox-Message-UUID: ffd54e44-ead5-11e9-9d60-3106f5b1d025

2010/4/12 erik quanstrom :
>> 2010/4/12 hiro <23hiro@googlemail.com>:
>> > I have not the slightest idea about the complexity involved; And I
>> > think I misunderstand how much of plan9 is actually running in a
>> > sandbox. But what if we wanted to have a working security system for
>> > multiple users in 9vx. Would it be - or is it - possible?
>>
>> Yes, it is possible, but it probably requires writing something to use
>> PAM (or whatever authentication mechanism is set up) on the host
>> system. I have a few ideas for this.
>
> iirc, 9vx doesn't have devcap.

It does not. (Yet).

> the problem you're addressing can't be addressed well through #Z.
> unix systems act differently than plan 9 ones do. there are a host
> of locking, etc. questions that #Z doesn't handle either. it would be easier
> to use a plan 9 fs (ken fs, cwfs, fossil). then you wouldn't need to
> deal with unix authentication.

Probably true. However, I'm confident that there are ways to address
it -- and still, one of the cool things about 9vx is the local FS
access. When I was doing my 9vx autoprovisioner, the instances would
start in a chrooted sandbox, which was the best way I could figure to
deal with the permissioning issues at that point in time (without lots
o hacking).

--dho

> - erik
>
>