From owner-freebsd-hackers@freebsd.org Tue Mar 13 22:34:06 2018
From: Bakul Shah
To: Warner Losh
Cc: Kristoffer Eriksson, Theron, freebsd-hackers@freebsd.org
Subject: Re: GSoC Idea: per-process filesystem namespaces for FreeBSD
In-reply-to: Your message of "Tue, 13 Mar 2018 15:43:08 -0600."
References: <201803132055.aa28780@berenice.pkmab.se>
Date: Tue, 13 Mar 2018 15:23:27 -0700
Message-Id: <20180313222344.2929E156E812@mail.bitblocks.com>

On Tue, 13 Mar 2018 15:43:08 -0600 Warner Losh wrote:
> On Tue, Mar 13, 2018 at 1:55 PM, Kristoffer Eriksson wrote:
>
> > On 13 Mar 2018 12:53:18, Theron wrote:
> > > For those unfamiliar with Plan9, here is a rough explanation of the
> > > namespace feature: unlike in Unix, where all processes share the same
> > > virtual filesystem, each process instead has its own view of the
> > > filesystem according to what has been mounted ...
> >
> > What if I mount a new /etc with a passwd file where root has no
> > password, and then run "su"?
> >
> > (How does Plan9 handle that?)
>
> Plan9 handles that by having a daemon that does user authentication. It's
> actually more complicated than that, but the machine owner has control over
> who can do what. For this to work in FreeBSD, either we'd need to disallow
> the 'file' type for passwd, or we'd have to do something sensible with
> setuid programs. Well, maybe not 'or' but 'and' since the security of
> setuid programs depends on the security of the filesystem.... Plan 9
> doesn't have these complications, so it can offer a user malleable
> filesystem without security risk.

Plan9 has no root (superuser) or setuid. You can mangle anything in your
namespace but it affects only *your* own process and its future descendants.
The following paper on Plan9 authentication in Linux may be worth reading:

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34433.pdf

While I have wanted per-process namespace in BSD for a long time, I agree
with Konstantin that this is a non-trivial project. Even if the design were
fully fleshed out, implementing it would likely take longer than 12 weeks.
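As an added, constructed illustration of the design question Kristoffer and Warner raise above (this is not code from the thread, from FreeBSD or from Plan 9), the Python model below implements a process-private namespace as an ordered list of mount bindings with longest-prefix path resolution, then runs the "mount a new /etc, run su" scenario under three policies: the naive one, where a setuid program reads /etc/passwd through the caller's view; a nosuid-style one, where setuid is ignored for any process whose namespace has diverged from the system view; and one where privileged programs consult the system namespace for authentication data, which is the "daemon, not a file" approach the thread attributes to Plan 9. The names `Namespace`, `Process`, `run_su`, the three policy labels and the sample passwd lines are all assumptions of this example.

```python
"""Constructed model of per-process filesystem namespaces and the setuid
question raised in the thread.  Added example, not code from the thread,
FreeBSD or Plan 9; every name and sample value in it is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A "filesystem" is just a dict: path relative to its mountpoint -> contents.
Filesystem = Dict[str, str]


@dataclass
class Namespace:
    """One process's view of the tree: an ordered list of (mountpoint, fs)."""
    binds: List[Tuple[str, Filesystem]] = field(default_factory=list)

    def mount(self, mountpoint: str, fs: Filesystem) -> None:
        self.binds.append((mountpoint, fs))

    def copy(self) -> "Namespace":
        # A child inherits its parent's bindings; later mounts stay private.
        return Namespace(list(self.binds))

    def read(self, path: str) -> Optional[str]:
        """Resolve an absolute path: the longest matching mountpoint wins, and
        among equal-length matches the most recent mount wins (union-like)."""
        best: Optional[Tuple[str, Filesystem]] = None
        for mp, fs in self.binds:
            prefix = "/" if mp == "/" else mp + "/"
            if path == mp or path.startswith(prefix):
                if best is None or len(mp) >= len(best[0]):
                    best = (mp, fs)
        if best is None:
            return None
        mp, fs = best
        rel = path[len("/" if mp == "/" else mp + "/"):]
        return fs.get(rel)


@dataclass
class Process:
    uid: int
    ns: Namespace
    ns_modified: bool = False  # True once the process diverged from the system view


def root_password_field(ns: Namespace) -> Optional[str]:
    """Second colon-separated field of root's passwd line, or None if absent."""
    passwd = ns.read("/etc/passwd")
    if passwd is None:
        return None
    for line in passwd.splitlines():
        fields = line.split(":")
        if fields[0] == "root" and len(fields) > 1:
            return fields[1]
    return None


def run_su(proc: Process, policy: str, system_ns: Namespace) -> int:
    """Model a setuid-root 'su' run by `proc` with an empty password and
    return the uid the caller ends up with.  Policies (assumed labels):
    "naive"     setuid applies; su reads /etc/passwd via the caller's namespace
    "nosuid"    setuid is ignored once the caller's namespace has diverged
    "system_ns" setuid applies, but auth data comes from the system namespace"""
    if policy == "naive":
        euid, auth_ns = 0, proc.ns
    elif policy == "nosuid":
        euid, auth_ns = (proc.uid if proc.ns_modified else 0), proc.ns
    elif policy == "system_ns":
        euid, auth_ns = 0, system_ns
    else:
        raise ValueError(policy)
    if euid != 0:
        return proc.uid   # an unprivileged su cannot change uid at all
    if root_password_field(auth_ns) == "":
        return 0          # empty password field: the empty password is accepted
    return proc.uid       # a hash is present: the empty password is rejected


def escalation_matrix() -> Dict[str, int]:
    """Run the thread's scenario under each policy; a result of 0 means the
    unprivileged caller became root."""
    # Constructed system view: root has a (placeholder) password hash.
    system_ns = Namespace()
    system_ns.mount("/", {"etc/passwd": "root:$PLACEHOLDER_HASH:0:0:root:/root:/bin/sh"})
    # Constructed user-supplied /etc whose root entry has an empty password field.
    user_etc: Filesystem = {"passwd": "root::0:0:root:/root:/bin/sh"}

    results: Dict[str, int] = {}
    for policy in ("naive", "nosuid", "system_ns"):
        proc = Process(uid=1000, ns=system_ns.copy())
        proc.ns.mount("/etc", user_etc)  # the mount from the quoted question
        proc.ns_modified = True
        results[policy] = run_su(proc, policy, system_ns)
    return results


if __name__ == "__main__":
    for policy, uid in escalation_matrix().items():
        print(f"{policy:10s} -> caller ends up as uid {uid}")
```

Only the naive policy ends with uid 0; both mitigations Warner sketches (ignoring setuid for a diverged namespace, or keeping authentication data out of the caller's reach) leave the caller at its own uid, which is the "'and', not 'or'" point: either the setuid binary must not trust the private view, or the data it trusts must not live in a file the view can replace.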