* [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: sl
Date: 2021-01-22 2:39 UTC
To: 9front

fyi:

    echo nonone >>/srv/cwfs.cmd

sl
* Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: sirjofri
Date: 2021-01-22 6:27 UTC
To: 9front

Hello sl,

22.01.2021 03:39:18 sl@stanleylieber.com:
> echo nonone >>/srv/cwfs.cmd

Is there some good reason why/when I should do this? How does none authenticate?

Does this just disable all anonymous access to the fileserver, like web servers?

sirjofri
* [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: Stanley Lieber
Date: 2021-01-22 15:48 UTC
To: 9front

On January 22, 2021 1:27:48 AM EST, sirjofri <sirjofri+ml-9front@sirjofri.de> wrote:
> Hello sl,
>
> 22.01.2021 03:39:18 sl@stanleylieber.com:
>> echo nonone >>/srv/cwfs.cmd
>
> Is there some good reason why/when I should do this? How does none
> authenticate?
>
> Does this just disable all anonymous access to the fileserver, like web
> servers?
>
> sirjofri

my understanding is when you enable cwfs network listener user none is allowed to attach over the network by default, no authentication required. this means they can read any world readable file on the system.

as far as i can tell nonone is undocumented, but it's in the source. you'd want to use nonone at boot time (in cpurc, for example).

i had this in my own cpurc on my ancient cwfs system, iirc it was cinap who told me to do it. somehow i failed to add this to the fqa until now.

sl
* Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: hiro
Date: 2021-01-22 16:07 UTC
To: 9front

> they can read any world readable file on the system

sounds like it works as intended, thus the word world.

to reject world access without the nonone (which sounds like a hack) on our default installed fileservers requires some configuration changes as it clearly isn't the default on unix and never was.

unless there are cases where you cannot just revoke world access by changing those permissions on the filesystem, i would say there is no problem.

you can never change permissions inside the '#' devices, so there might be multiple problems hidden there.

do i understand correctly that #p access is always a problem? it would be good to make a list.

On 1/22/21, Stanley Lieber <sl@stanleylieber.com> wrote:
> my understanding is when you enable cwfs network listener user none is
> allowed to attach over the network by default, no authentication required.
> this means they can read any world readable file on the system.
>
> as far as i can tell nonone is undocumented, but it's in the source. you'd
> want to use nonone at boot time (in cpurc, for example).
>
> i had this in my own cpurc on my ancient cwfs system, iirc it was cinap who
> told me to do it. somehow i failed to add this to the fqa until now.
>
> sl
* [9front] Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: Stanley Lieber
Date: 2021-01-22 16:34 UTC
To: 9front

On January 22, 2021 11:07:22 AM EST, hiro <23hiro@gmail.com> wrote:
>> they can read any world readable file on the system
>
> sounds like it works as intended, thus the word world.
>
> to reject world access without the nonone (which sounds like a hack)
> on our default installed fileservers requires some configuration
> changes as it clearly isn't the default on unix and never was.
>
> unless there are cases where you cannot just revoke world access by
> changing those permissions on the filesystem, i would say there is no
> problem.
>
> you can never change permissions inside the '#' devices, so there
> might be multiple problems hidden there.
>
> do i understand correctly that #p access is always a problem? it would
> be good to make a list.

the surprise gotcha is that by default anyone at all can attach to your fs without explicit permission. "world readable" is understood to mean anyone on the system. it wasn't expected that the world has access to the system.

sl
* Re: [9front] Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: hiro
Date: 2021-01-22 17:04 UTC
To: 9front

yep, it's very unusual.

out of their view perhaps less so: why did you give the address a public ip address if you didn't want the world to access it?

but i agree of course we need a proper guideline now how to secure a system at least a minimal extent...

otoh, instead of a guideline, perhaps it's better to change the defaults. if all the /rc/bin/service* stuff starts by default, it has to be guaranteed that it's safe by default, IMO.

On 1/22/21, Stanley Lieber <sl@stanleylieber.com> wrote:
> the surprise gotcha is that by default anyone at all can attach to your fs
> without explicit permission. "world readable" is understood to mean anyone
> on the system. it wasn't expected that the world has access to the system.
>
> sl
* [9front] Re: [9front] Re: [9front] Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: Stanley Lieber
Date: 2021-01-22 18:19 UTC
To: 9front

On January 22, 2021 12:04:35 PM EST, hiro <23hiro@gmail.com> wrote:
> yep, it's very unusual.
>
> out of their view perhaps less so: why did you give the address a
> public ip address if you didn't want the world to access it?
>
> but i agree of course we need a proper guideline now how to secure a
> system at least a minimal extent...
>
> otoh, instead of a guideline, perhaps it's better to change the
> defaults. if all the /rc/bin/service* stuff starts by default, it has
> to be guaranteed that it's safe by default, IMO.

yes. we did disable more listeners than labs had by default. i have no idea why nonone was never changed.

sl
* Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: Özgür Kesim
Date: 2024-07-07 13:56 UTC
To: 9front

Thus spake sl@stanleylieber.com (sl@stanleylieber.com):

> fyi:
>
> echo nonone >>/srv/cwfs.cmd
>
> sl

I just installed the latest release "DO NOT INSTALL" and tried that, but to no avail:

    cpu% echo nonone >>/srv/cwfs.cmd
    cpu% cat /srv/cwfs.cmd
    cmd_exec: unknown command: nonone

In fact, the command is not listed at all:

    cpu% con -C /srv/cwfs.cmd
    help
    allow [uid] -- disable permission checking
    cfs [file] -- set current filesystem
    chatty n -- set chattiness
    check [options]
    clean file [bno [addr]] -- block print/fix
    clri [file ...] -- purge files/dirs
    create path uid gid perm [lad] -- make a file/dir
    cwcmd subcommand -- cache/worm errata
    disallow -- (re)enable permission checking
    duallow uid -- duallow
    dump -- make dump backup to worm
    files -- report on files structure
    flag -- print set flags
    fstat path -- print info on a file/dir
    halt -- return to boot rom
    hangup chan -- clunk files
    help
    newuser username -- add user to /adm/users
    noattach -- toggle noattach flag
    printconf -- print configuration
    profile [01] -- fs profile
    remove [file ...] -- remove files/dirs
    stata -- overall stats
    stats [[-]flags ...] -- various stats
    statw -- cache/worm stats
    sync
    time command -- time another command
    users [file] -- read /adm/users
    version -- print time of mk and boot
    who [user ...] -- print attaches
    nonone
    cmd_exec: unknown command: nonone

Is there any other mechanism to switch off 'none' access without booting into configure mode?

cheers,
oec
* Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: ori
Date: 2024-07-07 14:22 UTC
To: 9front

The 'nonone' command was removed because it doesn't change the config permanently, leading to some really stupid footguns.

7.3.3.1 has the correct instructions, in the text below the meme:

    bootargs is (tcp, local!device) [local!/dev/sdXX/fscache] local!/dev/sdXX/fscache -c
    config: noauth
    auth is now disabled
    config: noauth
    auth is now enabled
    config: end

Note that adding '-c' to the end of the bootargs is how you get into config mode.

Quoth Özgür Kesim <oec-9front@kesim.org>:
> I just installed the latest release "DO NOT INSTALL" and
> tried that, but to no avail:
>
>     cpu% echo nonone >>/srv/cwfs.cmd
>     cpu% cat /srv/cwfs.cmd
>     cmd_exec: unknown command: nonone
>
> In fact, the command is not listed at all:
>
>     cpu% con -C /srv/cwfs.cmd
>     help
>     allow [uid] -- disable permission checking
>     cfs [file] -- set current filesystem
>     chatty n -- set chattiness
>     check [options]
>     clean file [bno [addr]] -- block print/fix
>     clri [file ...] -- purge files/dirs
>     create path uid gid perm [lad] -- make a file/dir
>     cwcmd subcommand -- cache/worm errata
>     disallow -- (re)enable permission checking
>     duallow uid -- duallow
>     dump -- make dump backup to worm
>     files -- report on files structure
>     flag -- print set flags
>     fstat path -- print info on a file/dir
>     halt -- return to boot rom
>     hangup chan -- clunk files
>     help
>     newuser username -- add user to /adm/users
>     noattach -- toggle noattach flag
>     printconf -- print configuration
>     profile [01] -- fs profile
>     remove [file ...] -- remove files/dirs
>     stata -- overall stats
>     stats [[-]flags ...] -- various stats
>     statw -- cache/worm stats
>     sync
>     time command -- time another command
>     users [file] -- read /adm/users
>     version -- print time of mk and boot
>     who [user ...] -- print attaches
>     nonone
>     cmd_exec: unknown command: nonone
>
> Is there any other mechanism to switch off 'none' access
> without booting into configure mode?
>
> cheers,
> oec
* Re: [9front] fqa 7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
From: Özgür Kesim
Date: 2024-07-07 15:02 UTC
To: 9front

Thanks for the quick reply. In the meantime I found another thread on this topic containing that same explanation.

Problem fixed. Even `netaudit` looks happy.

cheers,
oec

PS: Your pointer to 7.3.3.1 is correct, but you quoted the snippet from 7.3.3 instead. The snippet should read:

    bootargs is (tcp, local!device) [local!/dev/sdXX/fscache] local!/dev/sdXX/fscache -c
    config: nonone
    none disabled
    config: end

(Adding this here so that future generations of archive readers in search for answers find the correct snippet.)

Thus spake ori@eigenstate.org (ori@eigenstate.org):

> The 'nonone' command was removed because it doesn't
> change the config permanently, leading to some really
> stupid footguns.
>
> 7.3.3.1 has the correct instructions, in the text
> below the meme:
>
>     bootargs is (tcp, local!device) [local!/dev/sdXX/fscache] local!/dev/sdXX/fscache -c
>     config: noauth
>     auth is now disabled
>     config: noauth
>     auth is now enabled
>     config: end
>
> Note that adding '-c' to the end of the bootargs is
> how you get into config mode.
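A way to confirm the outcome of the config change from the network side, as an added example that is not from the thread, the FQA or cwfs itself: a minimal Python 9P2000 client that sends Tversion, then Tattach as user none with no auth fid (afid = NOFID), and classifies the reply. The host and port it connects to are assumptions, and the error text a server returns on refusal is server-specific; the sample replies in the comments are constructed.

```python
# Probe a 9P2000 file server: does it accept an attach from user 'none' with no
# authentication?  Tversion, then Tattach with afid = NOFID and uname = "none".
import socket
import struct

NOTAG, NOFID = 0xFFFF, 0xFFFFFFFF  # 9P2000 sentinels: no tag / no auth fid
Tversion, Rversion, Tattach, Rattach, Rerror = 100, 101, 104, 105, 107

def p9str(s):
    """9P string: len[2] (little-endian) followed by the UTF-8 bytes."""
    b = s.encode()
    return struct.pack("<H", len(b)) + b

def frame(mtype, tag, body):
    """Prefix a message body with the size[4] type[1] tag[2] header."""
    return struct.pack("<IBH", 7 + len(body), mtype, tag) + body

def tversion(msize=8192):
    return frame(Tversion, NOTAG, struct.pack("<I", msize) + p9str("9P2000"))

def tattach_none(fid=0, aname=""):
    # afid = NOFID: no auth fid is offered, which is what an anonymous client does
    return frame(Tattach, 1, struct.pack("<II", fid, NOFID) + p9str("none") + p9str(aname))

def parse(msg):
    """Split one raw message into (type, tag, body), checking the size field."""
    if len(msg) < 7:
        raise ValueError("short 9P message")
    size, mtype, tag = struct.unpack("<IBH", msg[:7])
    if size != len(msg):
        raise ValueError(f"size field {size} != {len(msg)} bytes")
    return mtype, tag, msg[7:]

def classify_attach_reply(msg):
    """Return 'allowed', 'refused: <ename>' or 'unexpected' for an attach reply."""
    mtype, _, body = parse(msg)
    if mtype == Rattach:        # server handed out a qid: anonymous attach works
        return "allowed"
    if mtype == Rerror:         # server refused; ename text is server-specific
        n = struct.unpack("<H", body[:2])[0]
        return "refused: " + body[2:2 + n].decode(errors="replace")
    return "unexpected"

def recv_msg(sock):
    """Read exactly one size-prefixed 9P message from the socket."""
    buf, want = b"", 4
    while len(buf) < want:
        chunk = sock.recv(want - len(buf))
        if not chunk:
            raise ConnectionError("peer closed")
        buf += chunk
        if len(buf) == 4:  # size field complete: now read the rest of the message
            want = struct.unpack("<I", buf)[0]
    return buf

def check_none_attach(host, port=564):
    """Connect to a file server you administer; report whether 'none' may attach."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(tversion())
        if parse(recv_msg(s))[0] != Rversion:
            return "unexpected"
        s.sendall(tattach_none())
        return classify_attach_reply(recv_msg(s))
```

After the `config: nonone` change above, `check_none_attach("fs.example.internal")` (hostname assumed) should return a "refused: ..." string; "allowed" means anonymous attach is still open.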