From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Russ Cox"
To: 9fans@cse.psu.edu
Subject: Re: [9fans] Plan 9 (in)security
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id: <20010527005209.5BFFE199EC@mail.cse.psu.edu>
Date: Sat, 26 May 2001 20:52:06 -0400
Topicbox-Message-UUID: a92e930e-eac9-11e9-9e20-41e7f4b1d025

> I just wanted to bring attention to the fact that many if not all
> of the networkable 9p servers seem to be horrendously insecure,
> and since some of them will allow anonymous attach, any Plan 9
> server with exported filesystems is vulnerable to a sufficiently
> clever attacker.

I think you exaggerate here. Most of the 9P servers
do no authentication whatsoever, but those aren't
listening to the network. Exportfs listens to the network,
and it requires authentication. Most of the file servers
don't matter from a security point of view, any more
than cat matters.

Wiki also listens to the network, but that was written
with the 9P library, which is more demanding of its input.

Further, the specific bug you mentioned (conv?2?) is
corrected in the interface for the new 9P protocol.

Russ