if someone (not paying too much attention, or malicious) appends a !uid=xyz attribute to a hostid that already has an uid=* attribute, then speaksfor("xyz", hostid) will return true. Reference: /n/sources/patch/applied/notuser Date: Tue Nov 24 22:58:49 CET 2009 Signed-off-by: rtb@coraid.com
--- /sys/src/cmd/auth/authsrv.c Tue Nov 24 22:58:07 2009
+++ /sys/src/cmd/auth/authsrv.c Tue Nov 24 22:58:05 2009
@@ -809,8 +809,10 @@
 snprint(notuser, sizeof notuser, "!%s", user);
 for(ntp = tp; ntp; ntp = ntp->entry)
 if(strcmp(ntp->attr, "uid") == 0){
- if(strcmp(ntp->val, notuser) == 0)
+ if(strcmp(ntp->val, notuser) == 0){
+ ok = 0;
 break;
+ }
 if(*ntp->val == '*' || strcmp(ntp->val, user) == 0)
 ok = 1;
 }
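Review bot: The wildcard test just below the new `ok = 0; break;` looks only at the first character, `*ntp->val == '*'`, so any uid value that merely begins with `*` grants the same blanket permission as `uid=*`; for an authorization decision an exact match is safer, `if(strcmp(ntp->val, "*") == 0 || strcmp(ntp->val, user) == 0)`. The veto branch would also benefit from a one-line comment such as `/* explicit !user overrides any earlier uid=* or uid=user */`, since the result no longer depends on attribute order. Separately, if `user` can be longer than `notuser` holds, the `snprint` output is truncated and the `!user` comparison can never match, which would fail open; the buffer declaration is outside the hunk, so that needs checking there. The loop and its enclosing function start and end outside the hunk.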