Security

NOTES ON PUBLIC GRID SECURITY

This public grid is implemented with a simple security model:

However, please remember that any binaries and source code found in the public fileshares are entirely use-at-your-own-risk and any grid user can modify the files uploaded by other grid users.

This grid is implemented as 9p filesystem export/imports, which means you are connecting to remote filesystems and you do not share any access to your machine. There are a few points you should be aware of if you choose to make use of the shared grid plumber.

If you mount the grid plumber and open mothra, page, or an editor, other users may transmit messages with the plumber directing to particular urls, or causing files uploaded to the ramdisk to be displayed. Again, they are not running code on your system - they are simply transmitting a text message containing a url or file location, and if you have applications open reading from that plumb port, that url or file will be displayed. Because mothra does not execute javascript, even a malicious website should not be able to cause code execution. The only risks are: being directed to a url you do not wish to visit, or being directed to a url which contains an exploit against an unknown bug in mothra. Similarly with page and acme: someone could upload an unpleasant file to the shared ramdisk, plumb it to other clients, causing unwanted content to be displayed, or exploiting the editor or page via a bug. Because page runs an old version of ghostscript, it is possible that a malicious pdf/ps file crafted against Plan 9 could have negative consequences.

If you see any attempted abuse, such as plumbing links to malicious websites or uploading malicious files to the ramdisk and plumbing them, please close possibly affected applications and notify the gridhelp channel.