From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <5d375e920710270548g3fc0fa48t68782f1514703f0@mail.gmail.com>
Date: Sat, 27 Oct 2007 14:48:24 +0200
From: Uriel
To: "Fans of the OS Plan 9 from Bell Labs" <9fans@cse.psu.edu>
Subject: Re: [9fans] security
In-Reply-To: <89A9D7D0-0B4A-4CBB-871E-77884D11A241@ar.aichi-u.ac.jp>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <61172513-6773-4AA3-8EF0-182BD91D948B@mac.com> <89A9D7D0-0B4A-4CBB-871E-77884D11A241@ar.aichi-u.ac.jp>
Topicbox-Message-UUID: db6371f6-ead2-11e9-9d60-3106f5b1d025

The main reason I like to change path to (/bin .) is that when in a
remote directory (like /n/sources) having (. /bin) as path makes
running scripts *SLOW*.

And I really can't think of any reason why having . would be a good
idea, because after all if you call ls, 99.9% of the time you want
/bin/ls, and the remaining 0.1% it doesn't hurt to be explicit and
run ./ls

But this has been discussed before, and 'the powers that be' didn't
agree, I only wish I could understand why, but that is probably my
fault.

uriel

On 10/27/07, arisawa@ar.aichi-u.ac.jp wrote:
> Hello,
>
> Removing files is not worth doing.
> The victim will immediately find what happened and will recover his
> files
> and then will consider what made the trouble.
>
> I don't say (. /bin) is safe in untrusted environment.
> Someone might steal my private info using some trick.
>
> Security is tradeoff with convenience.
> I guess we (member of 9fans) are happy enough working in trusted
> environment.
>
> Kenji Arisawa
>
> On 2007/10/27, at 18:03, roger peppe wrote:
>
> >>> 1) rc: the value of $path is (. /bin). It is a classic case not to
> >>> have . as the first directory when searching for programs - it
> >>> allows
> >>> Trojan horses to form.
> >>
> >> if you're the only one using your system, how could this be a
> >> problem?
> >
> > to be fair, if i'd put a file in /n/sources/contrib/rog/ls:
> >
> > #!/bin/rc
> > rm -rf $home &
> > ls $* |* | grep -v ls
> >
> > then i'm sure there'd be one or two unhappy people around...
> >
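
The search-order point argued in this thread, as an added example that is not part of any message above: a POSIX sh check (not rc) that lists which executables in a directory would run in place of a same-named program when "." is searched first. The function names, the fixture layout and every file name are assumptions constructed for the illustration; the search order is passed as arguments in the same order as rc's $path list.

```shell
#!/bin/sh
# Added example in POSIX sh (not rc); every file name below is constructed.

# shadowed_commands WORKDIR ENTRY...
#   ENTRY... is the search order written like rc's $path list, e.g. ". /bin".
#   For each executable file in WORKDIR, walk the entries in order and print
#   "NAME shadows DIR/NAME" when "." is reached before the first directory
#   that holds a program of the same name. Only the literal entry "." is
#   treated as the working directory.
shadowed_commands() {
    sc_workdir=$1
    shift
    for sc_file in "$sc_workdir"/*; do
        # Skip directories, non-executables and the unmatched-glob case.
        [ -f "$sc_file" ] && [ -x "$sc_file" ] || continue
        sc_name=${sc_file##*/}
        sc_dot_first=no
        for sc_entry in "$@"; do
            if [ "$sc_entry" = . ]; then
                sc_dot_first=yes
            elif [ -f "$sc_entry/$sc_name" ] && [ -x "$sc_entry/$sc_name" ]; then
                if [ "$sc_dot_first" = yes ]; then
                    printf '%s shadows %s\n' "$sc_name" "$sc_entry/$sc_name"
                fi
                break   # the first directory holding the name decides
            fi
        done
    done
}

# Constructed fixture: a stand-in system directory and an untrusted directory
# that carries its own "ls" (harmless here) next to an unrelated tool.
make_fixture() {
    fx_root=$(mktemp -d) || return 1
    mkdir "$fx_root/bin" "$fx_root/untrusted"
    for fx_f in bin/ls bin/cat untrusted/ls untrusted/mytool; do
        printf '#!/bin/sh\nexit 0\n' > "$fx_root/$fx_f"
        chmod +x "$fx_root/$fx_f"
    done
    printf '%s\n' "$fx_root"
}

root=$(make_fixture) || exit 1
echo "search order (. bin):"
shadowed_commands "$root/untrusted" . "$root/bin"
echo "search order (bin .):"
shadowed_commands "$root/untrusted" "$root/bin" .
rm -rf "$root"
```

With "." first the fixture's local ls is reported; with the system directory first nothing is reported, and mytool is never reported because it shadows nothing.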