* [9front] no more auth in exportfs(4)?
@ 2021-09-30 19:32 me
2021-10-01 8:49 ` cinap_lenrek
0 siblings, 1 reply; 5+ messages in thread
From: me @ 2021-09-30 19:32 UTC (permalink / raw)
To: 9front
I am trying to PXE boot to my raspberry pi 2, currently acting as
fs, auth and cpu. I boot a laptop over PXE and it works all good,
but the laptop does not have write access to its filesystem.
By running "allow" on /srv/hjfs.cmd, I can write, and the files
are created as user none, the same user as exportfs.
Starting with commit 27a83106f4b5b68d77afa8f800d92398163a7043 there
is no more authentication on exportfs:
- if(na == nil && doauth){
- /*
- * We use p9any so we don't have to visit this code again, with the
- * cost that this code is incompatible with the old world, which
- * requires p9sk2. (The two differ in who talks first, so compatibility
- * is awkward.)
- */
- ai = auth_proxy(0, auth_getkey, "proto=p9any role=server %s", keyspec);
- if(ai == nil)
- fatal("auth_proxy: %r");
- if(nonone && strcmp(ai->cuid, "none") == 0)
- fatal("exportfs by none disallowed");
- if(auth_chuid(ai, nsfile) < 0)
- fatal("auth_chuid: %r");
- else { /* chown network connection */
- Dir nd;
- nulldir(&nd);
- nd.mode = 0660;
- nd.uid = ai->cuid;
- dirfwstat(0, &nd);
- }
- putenv("service", "exportfs");
- }
auth_chuid() is what I think am after: writing to capuse.
The long-ish comment seens ti refer to the changes described in
/sys/doc/auth.ps that put factotum as main auth agent.
Is that feature of plan9 moving somewhere else? Am I having the
wrong approach? If it is a work in progress?
I will try a patch adding auth code into exportfs in the meantime,
that will be a good exercise anyway.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9front] no more auth in exportfs(4)?
2021-09-30 19:32 [9front] no more auth in exportfs(4)? me
@ 2021-10-01 8:49 ` cinap_lenrek
2021-10-01 9:11 ` [9front] [PATCH] inherit the auth_chid to exportfs Josuah Demangeon
0 siblings, 1 reply; 5+ messages in thread
From: cinap_lenrek @ 2021-10-01 8:49 UTC (permalink / raw)
To: 9front
the authentication removed here is *NOT* 9p authentication
(using Tauth request) but the old import protocol that
runs before the 9p phase.
theres an oexportfs(4) that still has it, we just dont want to
pollute exportfs with the legacy cruft.
in rcpu/rimport, we do not need authentication at exportfs
level, as tlssrv -9 does that phase (plus sets up encrypted
channel), and after it, it is just normal 9p with authentication
disabled. (exportfs is already running as the correct user).
--
cinap
^ permalink raw reply [flat|nested] 5+ messages in thread
* [9front] [PATCH] inherit the auth_chid to exportfs
2021-10-01 8:49 ` cinap_lenrek
@ 2021-10-01 9:11 ` Josuah Demangeon
2021-10-02 19:55 ` cinap_lenrek
0 siblings, 1 reply; 5+ messages in thread
From: Josuah Demangeon @ 2021-10-01 9:11 UTC (permalink / raw)
To: 9front
going through aux/trampoline did not permit to inherit the
user after authentication was made. Executing exportfs
directly and adding the -a flag to tlssrv gives exportfs
the same user as the one that did authenticate.
---
diff c9b48aec544db0ce8a2a1a75b557c44669804e82 8c0fe582cd1ae510f40412ceaff51bd939faa419
--- a/rc/bin/service/tcp17020 Thu Sep 30 16:20:03 2021
+++ b/rc/bin/service/tcp17020 Fri Oct 1 11:11:42 2021
@@ -1,2 +1,2 @@
#!/bin/rc
-exec tlssrv -A /bin/aux/trampoline 'net!$fs!9fs'
+exec tlssrv -Aa exportfs -r /root
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9front] [PATCH] inherit the auth_chid to exportfs
2021-10-01 9:11 ` [9front] [PATCH] inherit the auth_chid to exportfs Josuah Demangeon
@ 2021-10-02 19:55 ` cinap_lenrek
2021-10-03 9:36 ` sirjofri
0 siblings, 1 reply; 5+ messages in thread
From: cinap_lenrek @ 2021-10-02 19:55 UTC (permalink / raw)
To: 9front
> diff c9b48aec544db0ce8a2a1a75b557c44669804e82 8c0fe582cd1ae510f40412ceaff51bd939faa419
> --- a/rc/bin/service/tcp17020 Thu Sep 30 16:20:03 2021
> +++ b/rc/bin/service/tcp17020 Fri Oct 1 11:11:42 2021
> @@ -1,2 +1,2 @@
> #!/bin/rc
> -exec tlssrv -A /bin/aux/trampoline 'net!$fs!9fs'
> +exec tlssrv -Aa exportfs -r /root
this is just wrong!
t9fs service is supposed to dial the disk fileserver,
you don't just run a exportfs there.
re-exporting your local namespace's /root is different
form dialing the fileserver directly. it is just needless
overhead and would break stuff like 9fs dump.
it also breaks multiuser because exportfs does not
support Tauth over 9p.
--
cinap
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [9front] [PATCH] inherit the auth_chid to exportfs
2021-10-02 19:55 ` cinap_lenrek
@ 2021-10-03 9:36 ` sirjofri
0 siblings, 0 replies; 5+ messages in thread
From: sirjofri @ 2021-10-03 9:36 UTC (permalink / raw)
To: 9front
02.10.2021 21:55:26 cinap_lenrek@felloff.net:
> this is just wrong!
>
> t9fs service is supposed to dial the disk fileserver,
> you don't just run a exportfs there.
>
> re-exporting your local namespace's /root is different
> form dialing the fileserver directly. it is just needless
> overhead and would break stuff like 9fs dump.
>
> it also breaks multiuser because exportfs does not
> support Tauth over 9p.
It's possible that this is my error on eu.9p.zone. How would I reliably
export the fs to other cpus with tls and without standard 564?
sirjofri
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-10-03 10:13 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-30 19:32 [9front] no more auth in exportfs(4)? me
2021-10-01 8:49 ` cinap_lenrek
2021-10-01 9:11 ` [9front] [PATCH] inherit the auth_chid to exportfs Josuah Demangeon
2021-10-02 19:55 ` cinap_lenrek
2021-10-03 9:36 ` sirjofri
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).