It's true that the server must take account of the result of authentication, but although that might not mean identity, the results of authentication should be consistent with the name presented as uname in Tauth/Tattach. In the context of p9auth I think that means that the cuid of AuthInfo should match. That doesn't preclude the server from having a more subtle acquisition of authority, for instance by having an auth file that's kept open, allowing incremental authentication using another protocol.
On 10 October 2011 13:07, Yaroslav <yari...@gmail.com> wrote: > There is a security problem with p9auth in u9fs: it uses uname from > Tauth/Tattach as user's identity - ignoring the user id which has been > authenticated to the auth server. As uname is always set to up->user > in devmnt, this means that: >
