From: hiro <23hiro@gmail.com>
Date: Fri, 22 Jan 2021 17:07:22 +0100
To: 9front@9front.org
Subject: Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication

> they can read any world readable file on the system

sounds like it works as intended, thus the word world.

to reject world access without the nonone (which sounds like a hack) on our default installed fileservers requires some configuration changes as it clearly isn't the default on unix and never was.

unless there are cases where you cannot just revoke world access by changing those permissions on the filesystem, i would say there is no problem.

you can never change permissions inside the '#' devices, so there might be multiple problems hidden there. do i understand correctly that #p access is always a problem? it would be good to make a list.

On 1/22/21, Stanley Lieber wrote:
> On January 22, 2021 1:27:48 AM EST, sirjofri
> wrote:
>>Hello sl,
>>
>>22.01.2021 03:39:18 sl@stanleylieber.com:
>>> echo nonone >>/srv/cwfs.cmd
>>
>>Is there some good reason why/when I should do this? How does none
>>authenticate?
>>
>>Does this just disable all anonymous access to the fileserver, like web
>>servers?
>>
>>sirjofri
>>
>
> my understanding is when you enable cwfs network listener user none is
> allowed to attach over the network by default, no authentication required.
> this means they can read any world readable file on the system.
>
> as far as i can tell nonone is undocumented, but it's in the source. you'd
> want to use nonone at boot time (in cpurc, for example).
>
> i had this in my own cpurc on my ancient cwfs system, iirc it was cinap who
> told me to do it. somehow i failed to add this to the fqa until now.
>
> sl
>