On Thu, 16 Apr 2009 21:25:06 EDT "Devon H. O'Dell" <devon.od...@gmail.com> wrote:

> That said, I don't disagree. Perhaps Plan 9's environment hasn't been
> assumed to contain malicious users. Which brings up the question: Can
> Plan 9 be safely run in a potentially malicious environment? Based on
> this argument, no, it cannot. Since I want to run Plan 9 in this sort
> of environment (and thus move away from that assumption), I want to
> address these problems, and I kind of feel like it's weird to be
> essentially told, ``Don't do that.''
Why not give each user a virtual plan9? Not like vmware/qemu but more like FreeBSD's jail(8), "done more elegantly"[TM]! To deal with potentially malicious users, you can virtualize resources backed by limited/configurable real resources.

The other thought that comes to mind is to consider something like class-based queuing (from the networking world). That is, allow a choice of different allocation/scheduling/resource-use policies and allow further subdivision. Then you can give preferential treatment to known good guys. Other users can still experiment to their hearts' content within the resources allowed them.

My point being: think of a consistent high-level model that you like and then worry about implementation details.
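The class-based-queuing idea above, worked through as an added example (this is not code from the 9fans thread or from Plan 9; the class tree, the weights, the 40-unit cap on the guest class, and the user names are made up for illustration). A fixed real budget is split top-down by weighted water-filling: a class that needs less than its weighted share gets exactly what it needs, the surplus is re-split among its siblings, and each class then subdivides its own share the same way. The point to notice is that "mallory", who asks for 1000 units, is held to what is left of the guest class's share and cannot starve "eve" or anyone in the trusted class.

```c
/* Hierarchical weighted resource sharing in the spirit of class-based queuing.
   Added example, not Plan 9 or 9fans code; all names and numbers are made up. */
#include <stdio.h>

#define MAXCLASS 16

typedef struct {
    const char *name;
    int parent;      /* index of parent class, -1 for the root */
    double weight;   /* share relative to siblings */
    double demand;   /* leaf only: how much it asks for */
    double cap;      /* hard upper bound on the whole subtree, 0 = none */
    double alloc;    /* filled in by allocate() */
} Class;

static Class classes[MAXCLASS];
static int nclass;

void reset_classes(void) { nclass = 0; }

int add_class(const char *name, int parent, double weight, double demand, double cap)
{
    Class *c;
    if (nclass >= MAXCLASS) return -1;
    c = &classes[nclass];
    c->name = name; c->parent = parent; c->weight = weight;
    c->demand = demand; c->cap = cap; c->alloc = 0;
    return nclass++;
}

double alloc_of(int i) { return classes[i].alloc; }
double set_demand(int i, double d) { double old = classes[i].demand; classes[i].demand = d; return old; }
int near(double a, double b) { return a - b < 1e-9 && b - a < 1e-9; }

/* Effective demand of a subtree: a leaf asks for its demand, an interior class
   for the sum of its children; both are clipped by the class's cap. */
static double demand_of(int c)
{
    double sum = 0;
    int i, nchild = 0;
    for (i = 0; i < nclass; i++)
        if (classes[i].parent == c) { sum += demand_of(i); nchild++; }
    if (nchild == 0) sum = classes[c].demand;
    if (classes[c].cap > 0 && sum > classes[c].cap) sum = classes[c].cap;
    return sum;
}

/* Split `amount` among the children of `parent` by weight (water-filling):
   any child needing no more than its weighted share is given exactly its need
   and removed; the rest is re-split until nobody else fits, then handed out by
   weight. Finally each child subdivides its own allocation the same way. */
static void share(int parent, double amount)
{
    double need[MAXCLASS], left = amount, wsum;
    int satisfied[MAXCLASS], i, changed;

    for (i = 0; i < nclass; i++) {
        satisfied[i] = 1;
        if (classes[i].parent == parent) { need[i] = demand_of(i); satisfied[i] = 0; }
    }
    do {
        changed = 0;
        wsum = 0;
        for (i = 0; i < nclass; i++)
            if (classes[i].parent == parent && !satisfied[i]) wsum += classes[i].weight;
        for (i = 0; i < nclass && wsum > 0; i++) {
            if (classes[i].parent != parent || satisfied[i]) continue;
            if (need[i] <= left * classes[i].weight / wsum) {
                classes[i].alloc = need[i];
                left -= need[i];
                satisfied[i] = 1;
                changed = 1;
                break;              /* sibling set changed: recompute the shares */
            }
        }
    } while (changed);
    wsum = 0;
    for (i = 0; i < nclass; i++)
        if (classes[i].parent == parent && !satisfied[i]) wsum += classes[i].weight;
    for (i = 0; i < nclass; i++)
        if (classes[i].parent == parent && !satisfied[i])
            classes[i].alloc = left * classes[i].weight / wsum;
    for (i = 0; i < nclass; i++)
        if (classes[i].parent == parent) share(i, classes[i].alloc);
}

/* Give `total` units of the real resource to the tree rooted at index 0.
   Returns the sum actually handed to leaves (never more than `total`). */
double allocate(double total)
{
    double leaves = 0;
    int i, j, nchild;
    classes[0].alloc = total;
    share(0, total);
    for (i = 0; i < nclass; i++) {
        for (nchild = 0, j = 0; j < nclass; j++) if (classes[j].parent == i) nchild++;
        if (nchild == 0) leaves += classes[i].alloc;
    }
    return leaves;
}

/* Made-up tree: indices 0 root, 1 trusted, 2 guests, 3 alice, 4 bob, 5 eve, 6 mallory. */
int build_sample(void)
{
    int root, trusted, guests;
    reset_classes();
    root    = add_class("root",    -1,   1,    0,  0);
    trusted = add_class("trusted", root, 3,    0,  0);   /* known good guys: 3/4 of the machine */
    guests  = add_class("guests",  root, 1,    0, 40);   /* untrusted: 1/4, and never above 40 */
    add_class("alice",   trusted, 1,   20, 0);
    add_class("bob",     trusted, 1,   70, 0);
    add_class("eve",     guests,  1,   10, 0);
    add_class("mallory", guests,  1, 1000, 0);           /* tries to take everything */
    return nclass;
}

int main(void)
{
    int i;
    build_sample();
    allocate(100);
    for (i = 0; i < nclass; i++)
        printf("%-8s gets %6.2f\n", classes[i].name, classes[i].alloc);
    return 0;
}
```

With 100 units, trusted gets 75 and guests 25; inside trusted, alice's 20 is met and bob gets the remaining 55; inside guests, eve's 10 is met and mallory is held to 15. If bob's demand drops to 50 the trusted class no longer needs its full 75, and the surplus flows to the guest class (up to its cap) rather than sitting idle.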