devmnt always uses up->user for Tauth/Tattach no matter what an auth protocol would yield (/sys/src/9/port/devmnt.c:281). Stock 9P servers tolerate this and check Tattach.uname to match Tauth.uname but use t.cuid or t.suid as the true user identity (unless no auth is required).
Anyway, simply trusting Tattach.uname is too naïve - at least for p9any.

> It's true that the server must take account of the result of
> authentication, but although that might not
> mean identity, the results of authentication should be consistent with
> the name presented as uname
> in Tauth/Tattach. In the context of p9auth I think that means that the
> cuid of AuthInfo should match.
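
The three server-side behaviours discussed in this message, side by side, as an added example that is not part of the original post and not Plan 9 code. The structs, policy names, function name and user names are hypothetical, simplified models constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified models; not the Plan 9 structures. */
typedef struct { const char *uname; } Tmsg;                /* Tauth or Tattach */
typedef struct { const char *cuid; int done; } AuthResult; /* outcome of p9any on the afid */

/* Policy names are constructed for this example. */
enum { POLICY_TRUST_UNAME, POLICY_STOCK, POLICY_STRICT };

/*
 * Decide the identity for an attach. Returns the user name the server
 * should act as, or NULL if the attach must be refused.
 */
const char *
attach_user(int policy, int auth_required, const Tmsg *tauth,
            const Tmsg *tattach, const AuthResult *ai)
{
	if (!auth_required || policy == POLICY_TRUST_UNAME)
		return tattach->uname;   /* identity is only the client's claim */
	if (tauth == NULL || ai == NULL || !ai->done)
		return NULL;             /* no completed authentication on the afid */
	if (strcmp(tauth->uname, tattach->uname) != 0)
		return NULL;             /* Tattach.uname must match Tauth.uname */
	if (policy == POLICY_STRICT && strcmp(ai->cuid, tattach->uname) != 0)
		return NULL;             /* quoted view: cuid must equal the claimed uname */
	return ai->cuid;             /* identity comes from the auth result */
}

int
main(void)
{
	/* Constructed case: the mount driver sent "glenda", auth yielded "alice". */
	Tmsg t = { "glenda" };
	AuthResult ai = { "alice", 1 };
	const char *names[] = { "trust-uname", "stock", "strict" };
	int p;

	for (p = POLICY_TRUST_UNAME; p <= POLICY_STRICT; p++) {
		const char *u = attach_user(p, 1, &t, &t, &ai);
		printf("%-12s -> %s\n", names[p], u ? u : "(attach refused)");
	}
	return 0;
}
```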