"Steven M. Bellovin" wrote:
> That's more an artifact of Plan 9 than of upas -- upas on Unix did
> support 'Pipe to'. But Plan 9 has no notion of setuid nor (as I
> recall) of superuser, so it can't do that. And while there are
> certainly security issues with delivery to programs (that's why
> sendmail had to implement smrsh), not having write ability to per-user
> files causes problems for programs like 'vacation'.

One of the features of AFS which was intended specifically for mail delivery programs, was the notion of "insert-only" access rights which were distinct from the ability to read files or directories. It's a similar concept to using the sticky bit on temp directories.

What it meant in practice was that each user had a mail delivery directory which permitted anonymous insert (and possibly lookup) but no other access. This hypothetically allowed the mail delivery program to run as nobody, but allowed anonymous email. If you wanted to prevent anonymous email, you would permit insertion only by authenticated users, and thus internet mail delivery would run as "somebody". Local mail delivery ran with the permissions of the user doing the sending, naturally.

Providing finer-grained access controls allows the use of finer, sharper, application tools. It's hard to build picture frames with a 5-pound sledge.

This archive was generated by hypermail 2b30 : Sat May 19 2001 - 18:41:38 PDT