[tahoe-dev] User access

Brian Warner warner at lothar.com
Thu Sep 17 12:50:53 PDT 2009 

> I've just about got everything all figured out, but I'm wondering how
> other users on my system can use tahoe.

Great!

> How can I make tahoe "universally" usable (if there is such a thing).
> A step-by-step would be appreciated.

It depends upon what you're trying to do, and how much your users are
willing to rely upon you. The Tahoe client node is used to handle the
secret filecaps and get back the (secret) plaintext of the corresponding
files. So if Alice is using a node run by Bob, then Bob (by modifying
the node a little bit) gets to see all of Alice's files. If Alice isn't
comfortable with this, she needs to run her own client node. To do this,
she should go though the same "tahoe create-client" process as Bob did.

However, if Bob owns the computer that Alice is using, then Alice is
always going to be vulnerable to Bob's intrusion: even if she ran her
own copy of the client, Bob could use his root-powers to take over the
process and reveal her secrets. So there's not much point in asking her
to run a separate node. If this describes the relationship between you
and the other users on your system, then here's what I'd do:

 1: make sure that the "tahoe" executable is available to all users:
    use "python setup.py install" or similar to get it into /usr/bin/tahoe
 2: send a copy of your BASEDIR/node.url file to all of your users. This
    will probably be http://localhost:3567/ or 8123 or something similar.
 3: instruct your users to each do the following:
     mkdir ~/.tahoe
     mkdir ~/.tahoe/private
     chmod go-rwx ~/.tahoe
     paste that URL into ~/.tahoe/node.url
     tahoe create-alias tahoe
     tahoe ls   (should show an empty directory)

This will give each user their own stub .tahoe basedir, which contains
their private rootcaps and the shared webapi URL. All CLI commands that
they run will use your tahoe client node, but will store the rootcaps in
their own directory. The tahoe client node doesn't log the filecaps it
works on, so unless you modify the client, you won't normally be seeing
their private filecaps.

This works because the Tahoe CLI commands are all written to use the
webapi, via whatever URL is recorded in ~otheruser/.tahoe/node.url . The
Tahoe client node itself uses the other files in ~myuser/.tahoe/ , like
tahoe.cfg, and provides the webapi interface (writing the listening URL
to node.url). When Bob runs CLI commands *and* runs a client node,
they'll both use the same ~/.tahoe directory. When Alice is running the
CLI commands against Bob's client node, they'll use different
directories, but merely copying the node.url from ~bob/.tahoe to
~alice/.tahoe is enough to make it work.

Note that the convergence secret and the lease-management secrets are
stored in the node's basedir, not the CLI-user's basedir (since there is
no provision in the webapi to pass these secrets around). So, while
Alice will have her own rootcap, Bob will still trivially be able to
cancel her leases (i.e. delete her files) and mount partial-information
guessing attacks against her filecaps. But these vulnerabilities pale in
comparison to Bob's ability to see all of her filecaps by just adding
more logging code to his node.

hope that helps,
 -Brian

More information about the tahoe-dev mailing list