And yet it is multiplayer!
In OS Inferno work with users is very unusual. First, when
In connection with all this, a logical question arises: is Inferno a multi-user system or not?
Yes, it is still worth remembering with what simplicity new users start up in Inferno:
This begs a logical answer - nooo, to hell with such multiuse! :-) But in fact, in Inferno, and with multiuse, and security is all right!
First you need to realize that Inferno is not a system that will deal with meaningless nonsense. If the user has physical access to all the system files (for example, he installed Inferno in his home directory), then creating a bunch of users with different rights to access these files is a direct path to schizophrenia, not security. If Inferno is installed, for example, in
')
In this case, usually a new user is created in the host OS, for example, “inferno”, and root, when installing the system in / usr / inferno, sets read / write permissions for the Inferno key files only for the user “inferno”. Now, when a regular user, for example, powerman, launches
The attentive reader is simply obliged to snort indignantly in this place, and ask: what prevents the powerman user, after running emu, from starting the same
The fact is that Inferno will assume that the current user is “inferno” and check access rights based on this (i.e. he will lose access to the powerman files). And when the verification of rights in Inferno is completed successfully (for example, to access files belonging to the user “inferno”), and emu tries to access these files, then the host OS will check the permissions. Which all these virtual tricks are inside the emu process (run by the powerman user) before the light bulb, and which still believes that the current user is the powerman. And access to user files will not give inferno! As a result, the user becomes a completely powerless creature. :)
As for logins and passwords, they will be immediately required as soon as you want to connect any network resource. It immediately turns out that there must be an authentication server (authentication server aka CA aka $ SIGNER) on the Inferno network. And for you on this server, the administrator must create an account, with any login and password (they do not have to match the username that you use inside Inferno). To connect to a network resource, you first need to contact this identification server, log in to it under that login / password under which you know it, and get a certificate (like private / public ssh keys). You save this certificate in a file in your home directory, and use it when connecting network resources. (As long as you do not delete this file, you will not need to contact the identification server; this is usually a one-time operation.)
In this case, the network resources that you connect will identify you by the name under which you are registered on the identification server - it is registered in your certificate.
By the way, just for the safe launch of the identification server, it is logical to use the
emu starts, you get a command prompt without having to enter a username and password. In this case, your username is set the same as in the main system (host OS). Secondly, you can run, for example, wm/wm wm/login , enter the name of another user (and you will not even be asked for the password), and continue working as this user. Similarly, you can use the runas sh command runas sh to not launch the GUI.In connection with all this, a logical question arises: is Inferno a multi-user system or not?
Yes, it is still worth remembering with what simplicity new users start up in Inferno:
mkdir /usr/This begs a logical answer - nooo, to hell with such multiuse! :-) But in fact, in Inferno, and with multiuse, and security is all right!
First you need to realize that Inferno is not a system that will deal with meaningless nonsense. If the user has physical access to all the system files (for example, he installed Inferno in his home directory), then creating a bunch of users with different rights to access these files is a direct path to schizophrenia, not security. If Inferno is installed, for example, in
/usr/inferno root, then it is quite another thing!')
In this case, usually a new user is created in the host OS, for example, “inferno”, and root, when installing the system in / usr / inferno, sets read / write permissions for the Inferno key files only for the user “inferno”. Now, when a regular user, for example, powerman, launches
/usr/inferno/Linux/386/bin/emu , he will be logged on to the system as a powerman user, with very limited rights. In fact, it will not even have a home directory if it is not created by root or is not given the right to write to the /usr/inferno/usr/ directory (which is not very safe) or the home directory is not automatically mounted when the user logs in from, for example the /home/powerman/inferno/ directory on the host OS (to which the powerman user has full access), or over the network.The attentive reader is simply obliged to snort indignantly in this place, and ask: what prevents the powerman user, after running emu, from starting the same
runas inferno sh and switching to the “inferno” account? The funny thing is that nothing prevents him from doing this. But his rights after this trick will be no more, but less !The fact is that Inferno will assume that the current user is “inferno” and check access rights based on this (i.e. he will lose access to the powerman files). And when the verification of rights in Inferno is completed successfully (for example, to access files belonging to the user “inferno”), and emu tries to access these files, then the host OS will check the permissions. Which all these virtual tricks are inside the emu process (run by the powerman user) before the light bulb, and which still believes that the current user is the powerman. And access to user files will not give inferno! As a result, the user becomes a completely powerless creature. :)
Passwords? I have them!
As for logins and passwords, they will be immediately required as soon as you want to connect any network resource. It immediately turns out that there must be an authentication server (authentication server aka CA aka $ SIGNER) on the Inferno network. And for you on this server, the administrator must create an account, with any login and password (they do not have to match the username that you use inside Inferno). To connect to a network resource, you first need to contact this identification server, log in to it under that login / password under which you know it, and get a certificate (like private / public ssh keys). You save this certificate in a file in your home directory, and use it when connecting network resources. (As long as you do not delete this file, you will not need to contact the identification server; this is usually a one-time operation.)
In this case, the network resources that you connect will identify you by the name under which you are registered on the identification server - it is registered in your certificate.
By the way, just for the safe launch of the identification server, it is logical to use the
emu launch from the host OS user inferno (for example, via su / sudo to the inferno user as root). Then it turns out that access to the security-critical information inside Inferno has only root access on the host OS (which, in any case, has it, let's be frank).Source: https://habr.com/ru/post/42829/
All Articles