[tahoe-dev] security alerts

zooko zooko at zooko.com
Mon Dec 17 11:32:37 PST 2007


Folks:

There are two previously unannounced security issues in Tahoe  
v0.6.1.  I've updated the Security Page [1] on the wiki to describe  
them, and here is a copy of the two new ones:

-------
     * privilege escalation for directory servers

         In the v0.6.1 release of Tahoe, it was intended and  
documented that you could grant read authority, read/write authority,  
or no authority to any person. We overlooked the fact that the  
limitation on write authority does not apply to people who control  
the directory server on which your encrypted directory resides. If  
you grant read-authority to such a person, they automatically get  
read-write authority.

         The next version of Tahoe, v0.7.0, which will be released  
soon, fixes this issue by using more powerful cryptography. In Tahoe  
v0.7.0 you can grant read authority, read/write authority, or no  
authority to any person and they are unable to get more authority  
than you've granted them, even if they control some of the servers on  
which your encrypted files and directories reside.

     * temporary exposure to local attacker

         In the v0.6.1 release of Tahoe, there was a short window of  
opportunity in which a local user on your system could read secrets  
out of the ~/.tahoe directory after they were written into that  
directory but before their permissions were set to be not-world-readable.  
This would be prevented on unix-like systems if you set  
permissions on your home directory or on the .tahoe directory so that  
others could not read the contents of files within it. In the  
upcoming v0.7.0 release of Tahoe such secrets are kept in a  
subdirectory of the ~/.tahoe directory, named ~/.tahoe/private, which  
is set so that users other than its owner cannot read data from files  
within it.
-------
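The second issue is a race between creating a secret file and restricting its mode. The following added illustration (not Tahoe's own code; the file names and the "private" subdirectory layout are constructed after the advisory's description) contrasts the v0.6.1 write-then-chmod pattern with creating the file owner-only from the start, as the v0.7.0 fix does:

```python
import os
import stat
import tempfile


def current_umask():
    """Read the process umask without changing it (os.umask only reports the old value)."""
    old = os.umask(0)
    os.umask(old)
    return old


def mode_of(path):
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_private_dir(base):
    """Create <base>/private owner-only from the moment it exists (as ~/.tahoe/private is)."""
    path = os.path.join(base, "private")
    os.mkdir(path, 0o700)  # mode is applied at creation, so there is no readable window
    os.chmod(path, 0o700)  # pin it even if the umask was unusual
    return path


def write_secret_v061_style(path, data):
    """The vulnerable pattern: write with the default mode, chmod afterwards.
    Returns the mode another local user could observe during that window."""
    with open(path, "w") as f:
        f.write(data)
        mode_during_window = stat.S_IMODE(os.fstat(f.fileno()).st_mode)
    os.chmod(path, 0o600)  # too late: the contents were already on disk
    return mode_during_window


def write_secret_safely(path, data):
    """Create the file with 0600 atomically; umask can only narrow that, never widen it.
    O_EXCL refuses to reuse a file someone else placed at the path beforehand."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        os.fchmod(f.fileno(), 0o600)  # still before any secret bytes are written
        f.write(data)
    return mode_of(path)


def demo():
    """Run both patterns in a scratch directory and report the modes seen."""
    base = tempfile.mkdtemp()
    private = create_private_dir(base)
    old = write_secret_v061_style(os.path.join(base, "node.pem"), "constructed secret")
    new = write_secret_safely(os.path.join(private, "node.pem"), "constructed secret")
    return {"private_dir_mode": mode_of(private), "old_window_mode": old, "new_mode": new}
```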

If anyone is using Tahoe v0.6.1 and has concerns about these issues,  
talk to us and we can give you further advice on how to deal with  
them.  My guess is that nobody is currently attempting to grant read-only-access  
to someone who controls a directory server, and that  
nobody is in danger of another user on their multi-user system  
sniffing out their Tahoe secrets, so these issues are probably not of  
pressing concern to our current users.  Nonetheless, I'm glad that  
they will be fixed in Tahoe v0.7.0 so that no-one will need to worry  
about these issues.

Regards,

Zooko

[1] http://allmydata.org/trac/tahoe/wiki/Security