Context Navigation

Changes between Version 2 and Version 5 of Ticket #1737

Timestamp:: 2015-04-12T22:44:36Z (10 years ago)
Author:: daira
Comment:

Legend:

: Unmodified
: Added
: Removed
: Modified

Ticket #1737
- Property Cc davidsarah removed
- Property Keywords control.furl added

Ticket #1737 – Description

-                      v2
+                      v5
+There's a little-used "control port" in the tahoe client, accessible
+through Foolscap by someone who can read
+{{{NODEDIR/private/control.furl}}} (which in practice means only the
+node admin). The original idea was to provide a Foolscap-based frontend
+with more features (or at least more security) than the HTTP-based
+frontend. But that never took off, and at this point, there are only two
+consumers:
+There's a little-used "control port" in the tahoe client, accessible through Foolscap by someone who can read {{{NODEDIR/private/control.furl}}} (which in practice means only the node admin). The original idea was to provide a Foolscap-based frontend with more features (or at least more security) than the HTTP-based frontend. But that never took off, and at this point, there are only two consumers:
 * automated performance tests in source:src/allmydata/test/check_speed.py
 …
 * {{{measure_peer_response_time()}}}
+David-Sarah argues that it provides excess authority, specifically due
+to the fact that the upload/download methods accept local filenames
+(like {{{remote_upload_from_file_to_uri()}}} which accepts a local disk
+filename and uploads it to the grid, returning the filecap, which could
+be used to upload e.g. {{{~/.tahoe/private/aliases.txt}}}. This makes it
+unsafe to share {{{control.furl}}} with anyone who is not supposed to
+get control of the user account running the node.
+Daira argues that it provides excess authority, specifically due to the fact that the upload/download methods accept local filenames
+(like {{{remote_upload_from_file_to_uri()}}} which accepts a local disk filename and uploads it to the grid, returning the filecap, which could be used to upload e.g. {{{~/.tahoe/private/aliases}}}. This makes it
+unsafe to share {{{control.furl}}} with anyone who is not supposed to get control of the user account running the node.
+David-Sarah would like to remove it for 1.10. To do that, we'd need to
+either give up the automated performance and memory-footprint tests, or
+find a way to rewrite them (which would probably mean adding new
+authorities into the HTTP-based webapi, at least for get_memory_usage()
+and measure_peer_response_time()).
+Daira would like to remove it. To do that, we'd need to either give up the automated performance and memory-footprint tests, or find a way to rewrite them (which would probably mean adding new authorities into the HTTP-based webapi, at least for get_memory_usage() and measure_peer_response_time()).
+We could also address the excess authority by changing the
+upload/download methods (maybe using empty tempfiles of given
+sizes, and *not* accepting a filename at all). That would probably let
+us preserve the automated tests without too many changes.
+We could also address the excess authority by changing the upload/download methods (maybe using empty tempfiles of given sizes, and *not* accepting a filename at all). That would probably let us preserve the automated tests without too many changes.