Date: Tue, 13 Mar 2018 15:23:27 -0700
From: Bakul Shah <bakul@bitblocks.com>
To: Warner Losh <imp@bsdimp.com>
Cc: Kristoffer Eriksson <ske@pkmab.se>, Theron <theron.tarigo@gmail.com>, "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: GSoC Idea: per-process filesystem namespaces for FreeBSD
Message-ID: <20180313222344.2929E156E812@mail.bitblocks.com>
In-Reply-To: Your message of "Tue, 13 Mar 2018 15:43:08 -0600." <CANCZdfoU1B4228RpwfupvdVN9RPCCug4p283xmkNwW7t-M9CjA@mail.gmail.com>
References: <d7621074-acb4-c5b6-1efd-dc55b51586b1@gmail.com> <201803132055.aa28780@berenice.pkmab.se> <CANCZdfoU1B4228RpwfupvdVN9RPCCug4p283xmkNwW7t-M9CjA@mail.gmail.com>

On Tue, 13 Mar 2018 15:43:08 -0600 Warner Losh <imp@bsdimp.com> wrote:
Warner Losh writes:
> On Tue, Mar 13, 2018 at 1:55 PM, Kristoffer Eriksson <ske@pkmab.se> wrote:
>
> >
> > On 13 Mar 2018 12:53:18, Theron <theron.tarigo@gmail.com> wrote:
> > > For those unfamiliar with Plan9, here is a rough explanation of the
> > > namespace feature: unlike in Unix, where all processes share the same
> > > virtual filesystem, each process instead has its own view of the
> > > filesystem according to what has been mounted ...
> >
> > What if I mount a new /etc with a passwd file where root has no
> > password, and then run "su"?
> >
> > (How does Plan9 handle that?)
> >
>
> Plan9 handles that by having a daemon that does user authentication. It's
> actually more complicated than that, but the machine owner has control over
> who can do what. For this to work in FreeBSD, either we'd need to disallow
> the 'file' type for passwd, or we'd have to do something sensible with
> setuid programs. Well, maybe not 'or' but 'and' since the security of
> setuid programs depends on the security of the filesystem.... Plan 9
> doesn't have these complications, so it can offer a user malleable
> filesystem without security risk.

Plan9 has no root (superuser) or setuid. You can mangle anything
in your namespace but it affects only *your* own process and its
future descendents.

The following paper on Plan9 authentication in Linux may be
worth reading:

https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34433.pdf

While I have wanted per-process namespace in BSD for a long
time, I agree with Konstantin this is a non-trivial project.
Even if the design was fully fleshed out, implementing it
would likely take longer than 12 weeks.