code: fqa.9front.org

Download patch

ref: cce04aa6a0a914939a940521f512fde9cf9b0463
parent: 88815a391196691d071bb9e4586be49073e096d7
author: sl <sl@stanleylieber.com>
date: Mon Jan 25 13:30:50 EST 2021 

fqa.ms, fqa7.ms: add 7.3.3.1.1 - notes on user none


--- a/fqa.ms
+++ b/fqa.ms
@@ -973,6 +973,14 @@
 7.3.3 - Setting up a listener for network connections
 .ihtml a
 
+.ihtml a <a href="fqa7.html#7.3.3.1">
+7.3.3.1 - Stop cwfs from allowing user none to attach without authentication
+.ihtml a
+
+.ihtml a <a href="fqa7.html#7.3.3.1.1">
+7.3.3.1.1 - notes on user none
+.ihtml a
+
 .ihtml a <a href="fqa7.html#7.3.4">
 7.3.4 - Mounting a file system from userspace
 .ihtml a
--- a/fqa7.ms
+++ b/fqa7.ms
@@ -747,6 +747,84 @@
 echo nonone >>/srv/cwfs.cmd
 .P2
 
+.html - <a name="7.3.3.1.1" />
+.ihtml h3 <h3>
+.SH
+7.3.3.1.1 - notes on user none
+.R
+.ihtml h3
+
+.I /sys/src/9/port/chan.c:1321,1335
+
+.P1
+Date: Fri, 22 Jan 2021 15:44:05 -0800
+From: Anthony Martin <ality@pbrane.org>
+To: 9front@9front.org
+Subject: [9front] notes on user none
+Reply-To: 9front@9front.org
+
+I remembered investigating the restrictions on user none
+in the past so I went and dug out my notes. They're only
+applicable to fossil and cwfs, though, so someone else
+will have to go through the hjfs code to compare.
+
+The notes are attached below.
+
+Cheers,
+  Anthony
+
+# from /sys/doc/9.ms
+Finally, a special user called none has no password and is always
+allowed to connect; anyone may claim to be none. None has restricted
+permissions; for example, it is not allowed to examine dump files and
+can read only world-readable files.
+
+# from /sys/doc/auth.ms
+Factotum is the only process that needs to create capabilities, so all
+the network servers can run as untrusted users (e.g., Plan 9's none or
+Unix's nobody), which greatly reduces the harm done if a server is
+buggy and is compromised.
+
+
+# kernel
+- documented
+	- anyone can become none with none(8)
+- undocumented
+	- eve can change the owner of proc(3) files to none
+	- none cannot use proc(3) to view or modify the state of other processes
+	- none cannot create shr(3) files on 9front
+
+# cwfs(4) and fossil(4)
+- documented
+	- none cannot authenticate a connection
+		- auth(5) with uname "none" returns Rerror
+	- none can be chaperoned on authenticated connections
+		- attach(5) with afid NOFID sets uname to "none"
+	- none has minimal access permissions (i.e. "world" or "other")
+	- users in the "noworld" group are denied world access permissions
+- undocumented
+	- none cannot be a group leader
+		- wstat(5) is limited
+
+# fossil(4)
+- documented
+	- none cannot attach to an unauthenticated connection
+		- unless the -N flag is given to listen or srv
+	- users not in the "write" group cannot modify the file system
+		- unless the group doesn't exist
+- undocumented
+	- none cannot modify file status information
+		- wstat(5) returns Rerror
+
+# cwfs(4)
+- documented
+	- none *can* attach to an unauthenticated connection
+		- unless the nonone flag is set on 9front (undocumented)
+- undocumented
+	- none cannot attach to the dump file system
+		- attach(5) returns Rerror
+.P2
+
 .html - <a name="7.3.4" />
 .ihtml h3 <h3>
 .SH