9fans - fans of the OS Plan 9 from Bell Labs
From: Pietro Gagliardi <pietro10@mac.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] security
Date: Sun, 28 Oct 2007 13:44:27 -0400
Message-ID: <8B915F98-885A-4FB0-B065-5AFB5F70F344@mac.com>
In-Reply-To: <82c890d00710281022v44acd84boba98d3b16caac6e6@mail.gmail.com>

Read everything before you reply.

On Oct 28, 2007, at 1:22 PM, Gabriel Diaz wrote:

> hello
>
> I think having someone thinking the way Don and Tim do could help in
> general (actually it already helped, hasn't it?)
>
> If from those thoughts a bug or security hole is fixed, great; maybe
> those thoughts sound too paranoid, but I can't see why that's bad.
>
> Of course that does not mean everybody should think the same way; I
> suppose Erik's point was to relax that paranoia, and return to the
> path issue :-?

Maybe Pike should write "On the Security of Plan 9" like Ritchie did  
with UNIX; maybe then everyone will stop being paranoid. I don't run  
a server, so I don't usually worry about this stuff :-)

>
> Changing the path default value to (bin .) looks like a painless change
> (improvement :-?) and it will not break anything, will it?
>

And it's painless - anyone can do it; it's something with either
/usr/$user/lib/profile or rc.

> Discussing security on 9fans is funnier when related to plan9 more
> directly than when trying to address "unsolvable" problems like the
> user education :-)
>
> slds.
>
> gabi
>
>
>
>
> On 10/28/07, don bailey <don.bailey@gmail.com> wrote:
>>> ok, so can I suppose you know how to do that? if so, do you have a
>>> better idea for sandboxing? if not, maybe it should be good for you to
>>> think in terms of what you or someone else already got working instead
>>> of saying every little thing that comes on your mind.
>>>
>>
>> Sigh. Thanks for assuming I'm just making random comments.
>>
>> I guess my last exploit didn't teach anyone anything.
>> "OHMYGODZ A KERNEL 0DAY FOR PLAN 9??!?!!?!"
>>
>> You can't segment the Plan 9 kernel. You can only make it
>> harder to use.

I don't know what his last exploit was (I'm new here) but obviously  
he's speaking with a point.

>>
>> As I stated in my last e-mail, apparently no one here is
>> interested in listening, so I'm done trying to prove a
>> point for now. Next time it'll come in binary form.
>>

That's because no one outside the Windows world wants to acknowledge  
security. Apple's various ads could be considered naive as well.

>> Cheers,
>> D




On Oct 28, 2007, at 11:52 AM, don bailey wrote:
>
> Pietro Gagliardi wrote:
>> user nobody
>>
>
> Loss of functionality.
>

OK, I'm probably thinking of another system. What I meant was the  
group noworld, which programs like ftpfs use. Why not also the system?



On Oct 28, 2007, at 11:59 AM, Iruata Souza wrote:
> for example, could you argue (preferably with source code) why
> namespaces aren't safe sandboxing? if it is that easy as you say it
> is, I guess you already got ways of bypassing it.
>
> iru

Let's focus on that. That's a good question. Instead of reprimanding  
him on the statement before it, why not see if his question is possible?

I don't understand namespaces - I didn't understand them in XML and I
don't understand them here. I don't know if I will. :-) I can't solve
that problem, then. The most I know how to do with Plan 9 is  
programming graphics.



On Oct 28, 2007, at 2:11 AM, don bailey wrote:
>
>> you are stating truisms.  you might as well add "how about poisoning
>> your friends that you invited for dinner." at that point you're
>> betraying an implicit trust.
>>
>
> "Implicit trust" is a ridiculous thing to allow in a computer network
> or host.

Unfortunately, it happens every day. That's why they have/had root  
and user activity logging.

> So you're never going to 9fs a remote system and cd
> /n/somebox/some/path? :-)
>
> D
>
>

Same thing. How do you get third-party programs like i/mothra?



On Oct 27, 2007, at 1:19 PM, Tim Newsham wrote:
>> but assuming you have multiple users on your system, how do you
>> propose that a target be tricked into cd'ing into a trojaned directory
>> and attempt to execute the magic command.  what would this trojaned
>> command do?  without setuid (or a superuser), the options are more
>> constrained.
>
> How about forking off a server process that lets me execute
> arbitrary commands as you?

Is that even possible?

>
> How about placing trojan processes in your personal bin directory?
>

That's my point on path=(. /bin)

> How about subtly corrupting all of the writable data in your
> filesystem?
>

Nice one. Especially since users have write access to most of the  
sublevels of /sys (how do you add fonts or macro sets to troff?  
change source code? improve documentation? add man pages?).

> How about setting up a spam bot on your machine?  Using your
> machine as part of a distributed denial-of-service attack against
> some other networked machines?

Especially since SMTP is not in Plan 9 at the moment, that is  
unlikely. But we should get ready.

>
> How about replacing your compiler with one that introduces errors
> nondeterministically?  Changing your acme to occasionally not save
> your data?
>

Easy source code change that could go unnoticed.

> If you sit down and think of it for a little bit you'll notice this
> is just the tip of the iceberg.  There are lots of irritating
> things that can happen even without setuid or a super user.
>
>> - erik
>
> Tim Newsham
> http://www.thenewsh.com/~newsham/

Good point. Let's look at all of the above as well.

IN CONCLUSION
I'm not reprimanding anyone. I'm saying we should reevaluate our  
stance on this and try to improve security instead of arguing about it.
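
Added example (not part of the original message, and not Plan 9 code): a POSIX sh model of the path-order point argued in this thread, path=(. /bin) versus an order that puts the current directory last. It assumes first-match lookup over an ordered list; the function names and the fixture directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: first-match command lookup over an ordered path list.
# "." stands for CWD, the directory the user has cd'ed into.

# resolve CWD NAME DIR...: print the file that would run for NAME.
resolve() {
	cwd=$1; name=$2; shift 2
	for d in "$@"; do
		if [ "$d" = . ]; then d=$cwd; fi
		if [ -f "$d/$name" ] && [ -x "$d/$name" ]; then
			printf '%s\n' "$d/$name"; return 0
		fi
	done
	return 1
}

# shadowed CWD DIR...: list executables in CWD that would run instead of a
# same-named command in a directory searched after ".".
shadowed() {
	cwd=$1; shift; after_dot=0
	for d in "$@"; do
		if [ "$d" = . ]; then after_dot=1; continue; fi
		if [ "$after_dot" -eq 0 ]; then continue; fi
		for f in "$cwd"/*; do
			n=${f##*/}
			if [ -f "$f" ] && [ -x "$f" ] && [ -x "$d/$n" ] &&
			   [ "$(resolve "$cwd" "$n" "$@")" = "$cwd/$n" ]; then
				printf '%s hides %s\n' "$n" "$d/$n"
			fi
		done
	done
	return 0
}

# Constructed fixture: a stand-in system directory and an untrusted one.
make_fixture() {
	root=$(mktemp -d) || return 1
	mkdir "$root/bin" "$root/untrusted"
	for f in "$root/bin/ls" "$root/bin/cat" "$root/untrusted/ls"; do
		printf '#!/bin/sh\n' > "$f"; chmod +x "$f"
	done
	: > "$root/untrusted/notes.txt"
	printf '%s\n' "$root"
}

r=$(make_fixture)
shadowed "$r/untrusted" . "$r/bin"   # "." first: reports ls
shadowed "$r/untrusted" "$r/bin" .   # "." last: reports nothing
rm -rf "$r"
```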

