From: Stanley Lieber <sl@stanleylieber.com>
To: 9front@9front.org
Subject: [9front] Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
Date: Fri, 22 Jan 2021 11:34:56 -0500
Message-ID: <77DF150E-1F8B-4D9E-B143-1DAC71BF2915@stanleylieber.com>
In-Reply-To: <CAFSF3XN=vqdLCL00TJddr3aNE+QaFkfpFubDH-WuGC+L2ZayBQ@mail.gmail.com>

On January 22, 2021 11:07:22 AM EST, hiro <23hiro@gmail.com> wrote:
>> they can read any world readable file on the system
>
>sounds like it works as intended, thus the word world.
>
>to reject world access without the nonone (which sounds like a hack)
>on our default installed fileservers requires some configuration
>changes as it clearly isn't the default on unix and never was.
>
>unless there are cases where you cannot just revoke world access by
>changing those permissions on the filesystem, i would say there is no
>problem.
>
>you can never change permissions inside the '#' devices, so there
>might be multiple problems hidden there.
>
>do i understand correctly that #p access is always a problem? it would
>be good to make a list.
>
>On 1/22/21, Stanley Lieber <sl@stanleylieber.com> wrote:
>> On January 22, 2021 1:27:48 AM EST, sirjofri
>> <sirjofri+ml-9front@sirjofri.de> wrote:
>>>Hello sl,
>>>
>>>22.01.2021 03:39:18 sl@stanleylieber.com:
>>>> echo nonone >>/srv/cwfs.cmd
>>>
>>>Is there some good reason why/when I should do this? How does none
>>>authenticate?
>>>
>>>Does this just disable all anonymous access to the fileserver, like web
>>>servers?
>>>
>>>sirjofri
>>>
>>
>> my understanding is when you enable cwfs network listener user none is
>> allowed to attach over the network by default, no authentication required.
>> this means they can read any world readable file on the system.
>>
>> as far as i can tell nonone is undocumented, but it's in the source. you'd
>> want to use nonone at boot time (in cpurc, for example).
>>
>> i had this in my own cpurc on my ancient cwfs system, iirc it was cinap who
>> told me to do it. somehow i failed to add this to the fqa until now.
>>
>> sl
>>
>

the surprise gotcha is that by default anyone at all can attach to your fs without explicit permission. "world readable" is understood to mean anyone on the system. it wasn't expected that the world has access to the system.

sl