From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 18 Oct 1995 11:57:54 -0400
From: Steve Kotsopoulos steve@ecf.toronto.edu
Subject: security - things to be aware of
Topicbox-Message-UUID: 2e118448-eac8-11e9-9e20-41e7f4b1d025
Message-ID: <19951018155754.Y3REURIZ3FIhbvdfx0cgMkCEZyWGL5dzO6TBq6mfztI@z>

If someone sets up their plan9 system according to the manuals, anyone on the internet can telnet/rlogin in as 'none' without a password and steal all the source code and binaries - saving the price of the CDROM.

The installation notes for the old release said to 'chmod 770 /sys/src' (to protect the source) but that is not mentioned in the new docs. Any site allowing anonymous telnet/rlogin should probably chmod /sys/src; I'm not sure what the lawyers and publisher would say if you don't.

To disable this anonymous access, use the undocumented '-N' option to aux/telnetd and aux/ftp, which disallows logins as 'none'. Since aux/rlogin execs aux/telnetd without the '-N' option, the only protection may be to patch the source, or remove /bin/service/tcp513.

Finally, ip/tftpd grants access to any world-readable file. The main concern here is that people using u9fs as their file server probably have an /etc/passwd file from their Unix system accessible. If so, make sure you don't have any encrypted passwords in it, or someone could steal it and use 'crack' to break the passwords.
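As an added illustration (not part of Steve's message, and not Plan 9 or u9fs code), the following POSIX shell script audits, on the Unix host that runs u9fs, the two exposures the post describes: password hashes still present in the exported /etc/passwd, and world-readable files under the exported source tree. The directory layout and the passwd entries are constructed sample data; the hash in the third entry is a made-up crypt(3)-style string, and the export root is a temporary directory rather than a real u9fs export.

```shell
#!/bin/sh
# Audit an exported tree for the two problems the 1995 post names.
# All paths and sample data below are constructed for this example.

# count_passwd_hashes FILE -> prints how many entries carry a real hash.
# Field 2 values of "", "x", "*", "!" and "!!" mean "no hash here".
count_passwd_hashes() {
    awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { n++ }
             END { print n + 0 }' "$1"
}

# world_readable_count DIR -> prints how many regular files under DIR are
# readable by "other" (mode bit o+r, octal 004), i.e. visible to tftpd or
# to a 'none' login.
world_readable_count() {
    find "$1" -type f -perm -004 | wc -l | tr -d ' '
}

# make_sample_tree -> builds a constructed export root and prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/sys/src/cmd"
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$t/etc/passwd"
    printf 'nobody:*:65534:65534::/:/bin/false\n' >> "$t/etc/passwd"
    # constructed entry with a fake crypt(3)-style hash left in field 2
    printf 'steve:abJnggxhB/yWI:1000:1000::/home/steve:/bin/sh\n' >> "$t/etc/passwd"
    printf 'int main(void){return 0;}\n' > "$t/sys/src/cmd/hello.c"
    chmod 644 "$t/sys/src/cmd/hello.c"   # world-readable, as a fresh install leaves it
    echo "$t"
}

# audit_export ROOT -> prints a warning per finding; exits 0 only when clean.
audit_export() {
    root=$1
    hashes=$(count_passwd_hashes "$root/etc/passwd")
    readable=$(world_readable_count "$root/sys/src")
    [ "$hashes" -eq 0 ] || echo "WARN: $hashes password hash(es) in $root/etc/passwd"
    [ "$readable" -eq 0 ] || echo "WARN: $readable world-readable file(s) under $root/sys/src"
    [ "$hashes" -eq 0 ] && [ "$readable" -eq 0 ]
}

# Stand-alone run: audit the sample tree, apply the post's chmod advice to
# the source tree, and audit again.
tree=$(make_sample_tree)
if audit_export "$tree"; then
    echo "export tree is clean"
else
    echo "applying: chmod -R o-rwx $tree/sys/src"
    chmod -R o-rwx "$tree/sys/src"
    audit_export "$tree" || echo "passwd hashes must still be removed by hand"
fi
rm -rf "$tree"
```

The passwd check only tells you hashes are present; removing them means moving them into a shadow file that is not exported, which the script deliberately does not attempt. The chmod step mirrors the post's 'chmod 770 /sys/src' advice, applied recursively so that files already created world-readable are covered too.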