[tahoe-dev] [tahoe-lafs] #840: Allow all CLI commands to take arguments from stdin or a file, to avoid caps being visible to other users
tahoe-lafs
trac at allmydata.org
Sun Nov 22 12:49:03 PST 2009
#840: Allow all CLI commands to take arguments from stdin or a file, to avoid
caps being visible to other users
----------------------------------------------------------+-----------------
Reporter:  davidsarah                                     |  Owner:
Type:      defect                                         |  Status:     new
Priority:  major                                          |  Milestone:  undecided
Component: code-frontend-cli                              |  Version:    1.5.0
Keywords:  security confidentiality integrity usability   |  Launchpad_bug:
----------------------------------------------------------+-----------------
From code:docs/known_issues.txt:
>=== command-line arguments are leaked to other local users ===
>Remember that command-line arguments are visible to other users (through
>the {{{ps}}} command, or the windows Process Explorer tool), so if you are
>using a Tahoe-LAFS node on a shared host, other users on that host will be
>able to see (and copy) any caps that you pass as command-line arguments.
>This includes directory caps that you set up with the "{{{tahoe add-alias}}}"
>command. Use "{{{tahoe create-alias}}}" for that purpose instead.
>==== how to manage it ====
>Bypass {{{add-alias}}} and edit the {{{NODEDIR/private/aliases}}} file
>directly, [...] By entering the dircap through the editor, the command-line
>arguments are bypassed, and other users will not be able to see them.
>[...]
>Starting in Tahoe-LAFS v1.3.0, there is a "{{{tahoe create-alias}}}"
>command that does this for you.
This workaround using aliases is ugly -- adding a persistent alias for an
argument that might only be used once has poor usability, leaving around
aliases may constitute a privacy issue, and firing up an editor is quite a
heavyweight solution.
Proposed feature: if a CLI command sees an argument of the form
"{{{@filename}}}", then it substitutes the contents of that file into the
command arguments in place of "{{{@filename}}}" (taking newlines as
argument separators). "{{{@}}}" on its own does the same thing for
standard input. If the file cannot be read then the command fails with no
effect.
(In other words, {{{@filename}}} works similarly to the Unix shell syntax
{{{`cat filename`}}}, except that the latter wouldn't solve the problem
because it passes the file contents via the command line.)
The syntax {{{@filename}}} is chosen because it seems to be a
semi-convention, at least in developer tools (e.g. MSVC++, javac, javadoc
use it), and because {{{@}}} does not need to be quoted on either Unix or
Windows.
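As an added illustration (not code from the ticket or from Tahoe-LAFS itself), a Python sketch of the proposed {{{@filename}}} / {{{@}}} argument expansion: it runs before the command does, so an unreadable source makes the command fail with no effect, and the cap itself never appears in the process's argument list. The subcommand names come from the ticket; how trailing newlines, CRLF endings and empty files are treated are assumptions the ticket does not fix.

```python
import io
import os
import sys
import tempfile
from typing import List, Optional, TextIO

def _read_source(name: str, stdin: TextIO) -> Optional[str]:
    """Text behind '@name' ('' means standard input), or None if unreadable."""
    if name == "":
        return stdin.read()
    try:
        with open(name, "r", encoding="utf-8") as f:
            return f.read()
    except OSError:
        return None

def expand_at_arguments(argv: List[str], stdin: Optional[TextIO] = None) -> List[str]:
    """Replace each '@filename' (or bare '@') in argv with the arguments held in
    that file (or stdin), one per line, as the ticket proposes. An unreadable
    source raises ValueError before the command runs, so it fails with no effect.
    Assumed (the ticket does not say): a trailing newline adds no empty argument,
    CRLF endings are accepted, and an empty source contributes no arguments."""
    stdin = sys.stdin if stdin is None else stdin
    out: List[str] = []
    for arg in argv:
        if not arg.startswith("@"):
            out.append(arg)
            continue
        text = _read_source(arg[1:], stdin)
        if text is None:
            raise ValueError("cannot read arguments from %r" % arg)
        if text.endswith("\n"):
            text = text[:-1]
        lines = text.split("\n") if text else []
        out.extend(line.rstrip("\r") for line in lines)
    return out

def expand_with_stdin_text(argv: List[str], stdin_text: str) -> List[str]:
    """Convenience wrapper: feed a constructed string as standard input."""
    return expand_at_arguments(argv, stdin=io.StringIO(stdin_text))

def demo_file() -> List[str]:
    """Constructed example: the dircap is read from a temporary @file, so it never sits in argv."""
    with tempfile.NamedTemporaryFile("w", suffix=".args", delete=False) as f:
        f.write("shared\r\nURI:DIR2:constructed-cap-placeholder\n")  # not a real cap
        path = f.name
    try:
        return expand_at_arguments(["add-alias", "@" + path])
    finally:
        os.unlink(path)
```

A real CLI would apply this to {{{sys.argv[1:]}}} before option parsing; a user then writes the cap into a file readable only by themselves (or pipes it in) and passes {{{@thatfile}}} or {{{@}}} in its place.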
--
Ticket URL: <http://allmydata.org/trac/tahoe/ticket/840>
tahoe-lafs <http://allmydata.org>
secure decentralized file storage grid