Re: [9front] user none: cwfs vs hjfs

9front - general discussion about 9front
 help / color / mirror / Atom feed

From: Stanley Lieber <sl@stanleylieber.com>
To: 9front@9front.org
Subject: Re: [9front] user none: cwfs vs hjfs
Date: Thu, 21 Jan 2021 18:44:18 -0500	[thread overview]
Message-ID: <A3D46C22-70B4-4CA3-8D5E-9496A0DB9DB4@stanleylieber.com> (raw)
In-Reply-To: <CAFSF3XM5cYHSjQnw0q1NUB1Mp_TqCz9VDE5T1RC6xEdjH5urcA@mail.gmail.com>

On January 21, 2021 5:55:00 PM EST, hiro <23hiro@gmail.com> wrote:
>if multiple users need to keep state that is supposed to be separated
>and private, then those users need to authenticate in a reliable way.
>
>for this we have dp9ik, and fileservers can do user-level and even
>group-level separation, so that state can be kept by a single and not
>1 fileserver per user.
>
>On 1/21/21, hiro <23hiro@gmail.com> wrote:
>> why do you think running every service as none is a recommended practice?
>>
>> On 1/21/21, Stanley Lieber <sl@stanleylieber.com> wrote:
>>> On January 21, 2021 5:01:06 PM EST, hiro <23hiro@gmail.com> wrote:
>>>>otoh not fixing hjfs may break security assumptions.
>>>>
>>>
>>> yes. i think we should fix hjfs. a lot of stuff relies on user none doing
>>> what it does in cwfs. the most import thing is that all file systems
>>> behave
>>> the same way.
>>>
>>> that said, relegating user none to world readable files while
>>> simultaneously
>>> running basically every service as none makes isolating services, and
>>> more
>>> blatantly keeping local users out of service files, difficult if not
>>> impossible.
>>>
>>> i think they got lazy with user none. we need some finer grade control
>>> over
>>> user capabilities.
>>>
>>> sl
>>>
>>
>

do you seriously not follow what i'm saying here or are you just trying to map out a solution?

user none masks the special # file system, but (once we fix hjfs) requires world accessible files. this means any user on the file system can also access those files unless special steps are taken to prevent it. for example, upas becomes user none to process files through /mail/queue no matter who upas starts out running as. the default listener runs as none and scans the service directory. any user on the file system (including none) must be trusted with any file none can access. there's a basic conflict here that has no current solution except "run everything that requires file privacy on separate file systems."

regular users honor finer grained file permissions, but cannot be masked from the special # file system. there is a basic conflict here that has no solution at all. any regular user must be trusted with proc, binding, unbinding, this is why user none exists in the first place.

the disconnect here is between file and process permissions. they are completely different things. we have fine grained file permissions but auth is all or nothing.

sl

next prev parent reply	other threads:[~2021-01-22  0:08 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-19 20:16 Stanley Lieber
2021-01-19 20:36 ` hiro
2021-01-19 20:51 ` Silas McCroskey
2021-01-19 20:57   ` Silas McCroskey
2021-01-19 21:35     ` Stanley Lieber
2021-01-19 21:54       ` hiro
2021-01-19 21:58         ` Anthony Martin
2021-01-21 16:22           ` ori
2021-01-21 17:05             ` sirjofri
2021-01-21 17:36               ` Stanley Lieber
2021-01-21 22:01                 ` hiro
2021-01-21 22:15                   ` Stanley Lieber
2021-01-21 22:51                     ` hiro
2021-01-21 22:55                       ` hiro
2021-01-21 23:26                         ` Silas McCroskey
2021-01-21 23:55                           ` Stanley Lieber
2021-01-22  0:13                             ` Silas McCroskey
2021-01-23 15:08                               ` cinap_lenrek
2021-01-22  0:24                             ` ori
2021-01-22  0:53                               ` Stanley Lieber
2021-01-22  9:53                                 ` hiro
2021-01-22  0:10                           ` Anthony Martin
2021-01-21 23:44                         ` Stanley Lieber [this message]
2021-01-22  0:00                           ` Silas McCroskey
2021-01-22  9:14                           ` hiro
2021-01-22 14:51                             ` Stanley Lieber
2021-01-22 15:01                               ` hiro
2021-01-22 15:39                                 ` Stanley Lieber
2021-01-22  9:41                           ` hiro
2021-01-21 23:00                       ` Stanley Lieber
2021-01-21 23:08                         ` Stanley Lieber
2021-01-19 23:04         ` Silas McCroskey
2021-01-20  1:12           ` hiro
2021-01-20  1:50             ` Stanley Lieber
2021-01-19 21:07   ` Stanley Lieber

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=A3D46C22-70B4-4CA3-8D5E-9496A0DB9DB4@stanleylieber.com \
    --to=sl@stanleylieber.com \
    --cc=9front@9front.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).