using VM/386 to multiplex window sessions is rather like virtualising the Unix system call layer to allow several IP stacks. it seems just a little heavy-handed. there is actually little difference between multi-user cpu servers and single-user terminals as far as the plan 9 kernel is concerned: mainly configuration and a few small policy differences.
if each user is given a rio session, much as martin suggested, and it has its own name space (as with newns) it will use its own attach to the file server, and thus run with the desired file permissions. /dev/user can be set using cap(3). the host owner (/dev/hostowner) owns all devices, including cap(3), which works well in existing use `as intended', but for non-overlapping shared use of a single-user terminal would probably require something to set hostowner when it switches to a given user's session. the draw devices would all change ownership too, but if that makes things too open (because the current user can see all window contents), then it probably isn't hard to record ownership on draw directories (as for /net/tcp directories and a few other devices). the more serious problem is that there isn't a good paint program.
