From: Pietro Gagliardi
Subject: Re: [9fans] security
Date: Sun, 28 Oct 2007 08:53:18 -0400
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
In-Reply-To: <2cc6e509319590eee5371dc0def82e1a@9netics.com>

user nobody

On Oct 28, 2007, at 3:28 AM, Skip Tavakkolian wrote:

>> There's nothing wrong with importing a remote file system. And
>> you're assuming that you actually need credentials to mount the
>> remote file system. It is ridiculous to implicitly trust, yes.
>> The mitigation of the threat (in this case) is to disallow "."
>> from your path. If you want to go deeper you can discuss auditing
>> your kernel and the relevant user land source code.
>
> in that case, one should build a sandbox, climb into it and import the
> fs. the potential damage is contained. maybe 9fs should have an
> option to do that.
>
>> So there is a balance between the unknown and the known and
>> that balance is what security is all about. You isolate the
>> problems you can as best you can. Implicitly trusting is just
>> as dangerous as not trusting anything.
>
> i didn't say implicitly trust everything, but if you decided to be
> part of a group, you're implicitly trusting them. it would be as
> if you asked every coworker to walk through a metal detector
> before they could approach you. if you don't, then you're implicitly
> trusting they won't harm you.
>