[tahoe-dev] Tahoe-LAFS is widely misunderstood
Scott Dial
scott+tahoe-dev at scottdial.com
Wed Feb 2 20:26:15 PST 2011
On 2/2/2011 2:10 PM, Brian Warner wrote:
> On 2/1/11 5:36 PM, Greg Troxel wrote:
>> Removal of CLI and WUI, and using only FUSE. This is the aspect I'm
>> most in favor of.
>
> My problem with FUSE as the primary entry point is that it loses the
> whole least-authority model. The POSIX filesystem APIs don't expose
> things like retrieving a dircap for the subdirectory that you want to
> share with a friend, so the easiest thing to do is to share your whole
> rootcap with somebody, the equivalent of sharing passwords from the
> bad-old-days.
Why can't you use POSIX extended attributes for this feature?
% mount-pubgrid
% cd /home/scott/pubgrid/shared_with_brian
% attr -g writecap .
URI:DIR2:xxx...:yyy...
% attr -g readcap .
URI:DIR2-RO:xxx...:yyy...
% attr -g verifycap .
URI:DIR2-Verifier:xxx...:yyy...
FUSE has getxattr, and Tahoe-LAFS doesn't support storing extended
attributes, so the extended attribute namespace seems ripe for use for
this purpose (and perhaps other non-standard interface needs?).
> It also doesn't let you write programs that are restricted
> to interacting with just a subset of your filesystem, so all the usual
> Confused Deputy vulnerabilities are still around.
I'm not sure how you would do that currently that isn't completely
equivalent to mounting a dircap (and using traditional POSIX filesystem
security techniques) for that program.
--
Scott Dial
scott at scottdial.com
scodial at cs.indiana.edu
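To illustrate the extended-attribute idea in the message above, here is an added example, not code from the thread or from Tahoe-LAFS: the getxattr/listxattr logic a FUSE layer could delegate to, following getxattr(2) semantics (size probe, ERANGE, ENODATA) and never exposing a writecap through a mount that was made from a readcap. The `user.tahoe.*` attribute names, the `CapXattrs` class and every cap string are assumptions or constructed placeholders.

```python
import errno
import os

# Constructed placeholder caps for one directory under the mount point.
# Real Tahoe-LAFS caps look like "URI:DIR2:<writekey>:<fingerprint>";
# these values are NOT real caps.
CONSTRUCTED_CAPS = {
    "/shared_with_brian": {
        "writecap": "URI:DIR2:constructed-writekey:constructed-fingerprint",
        "readcap": "URI:DIR2-RO:constructed-readkey:constructed-fingerprint",
        "verifycap": "URI:DIR2-Verifier:constructed-vkey:constructed-fingerprint",
    },
}

XATTR_PREFIX = "user.tahoe."      # hypothetical namespace, not a Tahoe convention
CAP_KINDS = ("writecap", "readcap", "verifycap")


class CapXattrs:
    """Cap-to-xattr logic a FUSE filesystem's getxattr/listxattr could call.

    read_only models a mount created from a readcap: the process never held
    the writecap, so it cannot hand it out (the least-authority property).
    """

    def __init__(self, caps, read_only=False):
        self.caps = caps
        self.read_only = read_only

    def _available(self, path):
        entry = self.caps.get(path)
        if entry is None:
            raise OSError(errno.ENOENT, os.strerror(errno.ENOENT), path)
        kinds = [k for k in CAP_KINDS if k in entry]
        if self.read_only:
            kinds = [k for k in kinds if k != "writecap"]
        return {k: entry[k] for k in kinds}

    def listxattr(self, path):
        return [XATTR_PREFIX + k for k in self._available(path)]

    def getxattr(self, path, name, size=0):
        # Mirrors getxattr(2): size 0 asks for the needed length, a buffer
        # that is too small is ERANGE, an unknown attribute is ENODATA.
        if not name.startswith(XATTR_PREFIX):
            raise OSError(errno.ENODATA, os.strerror(errno.ENODATA), name)
        value = self._available(path).get(name[len(XATTR_PREFIX):])
        if value is None:
            raise OSError(errno.ENODATA, os.strerror(errno.ENODATA), name)
        data = value.encode()
        if size == 0:
            return len(data)
        if size < len(data):
            raise OSError(errno.ERANGE, os.strerror(errno.ERANGE), name)
        return data
```

A `attr -g readcap .` on such a mount would end up in `getxattr("/shared_with_brian", "user.tahoe.readcap", size)` after the usual size probe.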