[tahoe-dev] Fwd: [cap-talk] Don't put capabilities in argv?

[zooko]

Folks:

Argh.  This is a significant issue for the Tahoe CLI.  I don't like  
it, because capabilities are really useful to use as the identifiers  
for things, and identifiers for things are really useful to use as  
command-line arguments for your commands, but Kevin Reid correctly  
points out that your command-line arguments are exposed to all other  
users on your unix system.

Argh.

I guess this means that the "aliases" in the tahoe CLI, which we were  
already supporting for convenience reasons now needs to become the  
only way to refer to capabilities in your command-line.

It also means that we need to add this security issue to the known  
issues file [1] and update the CLI.txt docs [2] to not encourage  
people to use caps on the command-line.

Argh.  Stupid unix.

Regards,

Zooko

[1] http://allmydata.org/trac/tahoe/browser/docs/known_issues.txt
[2] http://allmydata.org/trac/tahoe/browser/docs/CLI.txt


Begin forwarded message:

> From: Kevin Reid <kpreid at mac.com>
> Date: July 12, 2008 15:43:50 PM MDT
> To: "General discussions concerning capability systems." <cap- 
> talk at mail.eros-os.org>
> Subject: [cap-talk] Don't put capabilities in argv?
> Reply-To: "General discussions concerning capability systems." <cap- 
> talk at mail.eros-os.org>
>
> AFAIK, typical unix systems reveal command-line arguments of all
> processes to all users.
>
> This implies that (except on a machine where you don't use unix users
> for isolation) password capabilities should not be passed as
> arguments; also that using command-line tools with a password-cap file
> system such as MinorFs or Tahoe is unsafe.
>
> Has this been noticed before? Are there ways to eliminate the problem?
>
> -- 
> Kevin Reid                            <http://homepage.mac.com/ 
> kpreid/>
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk