From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <8c5ea75666c269999c7e93e2c196bf19@collyer.net>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] File server for NT
From: Geoff Collyer
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Date: Fri, 16 May 2003 15:07:19 -0700
Topicbox-Message-UUID: aee279d0-eacb-11e9-9e20-41e7f4b1d025

Like rog, I've been running with path=(/bin .) for years, since I noticed attempts by rc to walk into DOS and remotely-served file systems when looking for commands.

The things that make set-id programs found by "." in PATH on Unix so dangerous are the relatively immutable namespace of a given Unix system and the power that can be achieved via set-id execution. Since the namespace is essentially unchangeable, evildoers can accurately predict where files will be found when their trojan horse runs.

Plan 9 offers less predictability, and one could drastically rearrange one's namespace when running a suspect program (though obviously this doesn't apply to trojan horses). For example, run ramfs, copy the binary into /tmp, unmount and unbind as much as possible, notably /, /bin and /srv, and run the program in /tmp.

Since Plan 9 doesn't have set-id execution, the worst a trojan horse can do is run as the user who invokes it, which admittedly can be bad news for that user, but it does limit the potential damage considerably.
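The namespace-stripping procedure the mail sketches (ramfs, copy the binary into /tmp, unmount what you can, run it there), written out as an rc script. This is an added example and not code from the mail or from Plan 9 itself; it assumes a standard Plan 9 with rc's rfork builtin, ramfs(4) mounting on /tmp by default, unmount(1) with a single argument removing everything mounted at that point, and ns(1) for inspecting the result. The script name, the suspect-binary argument and the choice to leave / bound (so the walk to /tmp keeps working) are this example's own assumptions; the mail also lists / among the things to unbind.

```rc
#!/bin/rc
# Added example, not from the original 9fans mail: run a suspect binary
# in a private, stripped-down namespace so that it cannot find /bin or /srv.
# Assumes: rc's rfork builtin, ramfs default mountpoint /tmp, unmount(1)
# with one argument removing all mounts at that point, ns(1) for inspection.

if(! ~ $#* 1) {
	echo usage: $0 suspect-binary >[1=2]
	exit usage
}
suspect=$1

rfork n			# private copy of the namespace; the parent shell is untouched
ramfs			# memory-backed file system, mounted on /tmp by default

# Copy in everything we still want to run after /bin is gone:
# the suspect program itself and ns(1) to check the namespace.
cp $suspect /tmp/suspect
cp /bin/ns /tmp/ns
cd /tmp

unmount /srv		# nothing posted in /srv can be attached to
unmount /bin		# no commands to exec beyond what was copied into /tmp
path=(.)		# command lookup restricted to the ramfs directory

# Show what is still bound before the suspect program runs; ns(1) reads
# /proc, which is deliberately left in place here.
./ns >[1=2]

./suspect
```

Run it as `sandbox /path/to/suspect` from an interactive rc; because of `rfork n`, the unmounts only affect the script's own process group, and the ramfs copy of the binary disappears when the last process using /tmp exits. If the suspect program needs a particular service (a network stack, a specific directory), bind that one thing back explicitly before the final line rather than leaving /bin or /srv mounted wholesale.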