
@sirjofri the 9front wiki is behind the invite system because wikis are spamtraps and/or 4chan shitposting targets and I lack the free cycles to properly tend that garden. I apologize if this comes across as gatekeeping; it's just the best I could do with the resources I have.

I'd love nothing more than someone else making a better tool.

@khm of course, that's why I think it's good to keep editing to actual plan9 users (from a plan9 environment). (Also that's why I'd like to have an authenticated user access)

@sirjofri one problem we've run into in the past is that it's difficult to expose a 9p filesystem (via normal auth procedures) without ALSO giving the calling user unfettered cpu access to the fileserver.

In theory this isn't a problem, but in practice the stakes for failure and/or unforeseen security problems are high.

sl and I ran into this many years ago. Things are probably better now with rcpu, dp9ik and mycroft, so if someone wanted to re-investigate that it would open new doors.

@khm I don't think this is a huge problem if we restrict auth access to community members only and make clear that the system is not meant for anything else besides a wiki. I trust community members and we can figure security things out then.

Also can't we just export the wiki filesystem and listen on auth and http? Isn't cpu another tcp service (aka listen)?

@khm hm, forget what I said. We need cpu access for admins to configure things (restrict by group?)

@khm you can capture the cpu access in the service/tcp17019 file and check user group membership. Needs more testing, but on my terminal (without real auth server) this seems to work

@sirjofri when I investigated it, I looked for a way to specify paths that were accessible per-user via the auth server. Dead end -- but I never looked at what you're looking at, doing the gating on the host itself. Should work fine!

@khm In a plan 9 context I expected it to be on a per machine basis, configurable on the file server, which is possible through the /cfg service files. In a modern context it would also be nice to have this in a sandboxed-like environment, like spawngrid does. Maybe you can build something with the /lib/namespace file?

@khm in my new blog post you can see a sample service/tcp file, btw
