From mboxrd@z Thu Jan 1 00:00:00 1970
Mime-Version: 1.0 (Apple Message framework v752.3)
In-Reply-To: <4723B9AD.8090308@gmail.com>
References: <4723B9AD.8090308@gmail.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-Id:
Content-Transfer-Encoding: 7bit
From: Pietro Gagliardi
Subject: Re: [9fans] security
Date: Sat, 27 Oct 2007 18:25:36 -0400
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Topicbox-Message-UUID: dbd27240-ead2-11e9-9d60-3106f5b1d025

OS X has root:

$ ls -ld /var
lrwxr-xr-x 1 root admin 11 Aug 11 2006 /var -> private/var
$ ls -l /private
total 0
drwxr-xr-x 107 root wheel 3638 Oct 2 21:25 etc
drwxr-xr-x 3 root wheel 102 Aug 1 2006 tftpboot
drwxrwxrwt 22 root wheel 748 Oct 27 18:23 tmp
drwxrwxrwt 4 root wheel 136 Mar 12 2007 tmp 2
drwxr-xr-x 26 root wheel 884 Oct 27 10:03 var
$ # run from Tiger

Oh and here's nice security: boot a Mac and hit Command+S while
booting (before the Apple logo/Happy Mac) and you're root. No
password required.

On Oct 27, 2007, at 6:20 PM, don bailey wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>> clearly, you're not getting an account on my machine.
>>
>
> This goes back to the typical MacOSX argument:
> "If I have MacOSX laptop and you compromise my local
> account, it doesn't matter because you haven't
> gotten root, right?"
>
> Of course, this isn't true because all your data is owned
> by your user credentials. If someone compromises a single
> user laptop they don't need root or any other super user
> semantic. Being you compromises all the information
> necessary to hurt you: banking information, SSN, credit
> card info, e-mail logins, locally stored files, etc...
>
> I'd say that's enough of a problem. Even Plan 9's well
> designed authentication domains don't properly mitigate
> the issue of the local account being compromised.
>
> D
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFHI7mryWX0NBMJYAcRAmSjAKCWXuQeAO7mTXKlwChpRYb1BDV0eQCeJn2t
> 1gCP7bJWlAofxI4Ta4oZeig=
> =f3q/
> -----END PGP SIGNATURE-----