From: Stanley Lieber
Date: Fri, 22 Jan 2021 11:34:56 -0500
To: 9front@9front.org
Subject: [9front] Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication

On January 22, 2021 11:07:22 AM EST, hiro <23hiro@gmail.com> wrote:
>> they can read any world readable file on the system
>
>sounds like it works as intended, thus the word world.
>
>to reject world access without the nonone (which sounds like a hack)
>on our default installed fileservers requires some configuration
>changes as it clearly isn't the default on unix and never was.
>
>unless there are cases where you cannot just revoke world access by
>changing those permissions on the filesystem, i would say there is no
>problem.
>
>you can never change permissions inside the '#' devices, so there
>might be multiple problems hidden there.
>
>do i understand correctly that #p access is always a problem? it would
>be good to make a list.
>
>On 1/22/21, Stanley Lieber wrote:
>> On January 22, 2021 1:27:48 AM EST, sirjofri
>> wrote:
>>>Hello sl,
>>>
>>>22.01.2021 03:39:18 sl@stanleylieber.com:
>>>> echo nonone >>/srv/cwfs.cmd
>>>
>>>Is there some good reason why/when I should do this? How does none
>>>authenticate?
>>>
>>>Does this just disable all anonymous access to the fileserver, like web
>>>servers?
>>>
>>>sirjofri
>>>
>>
>> my understanding is when you enable cwfs network listener user none is
>> allowed to attach over the network by default, no authentication required.
>> this means they can read any world readable file on the system.
>>
>> as far as i can tell nonone is undocumented, but it's in the source. you'd
>> want to use nonone at boot time (in cpurc, for example).
>>
>> i had this in my own cpurc on my ancient cwfs system, iirc it was cinap who
>> told me to do it. somehow i failed to add this to the fqa until now.
>>
>> sl
>>
>

the surprise gotcha is that by default anyone at all can attach to your fs without explicit permission. "world readable" is understood to mean anyone on the system. it wasn't expected that the world has access to the system.

sl