[tahoe-dev] Warning or error when running Tahoe as root

Nathan nejucomo at gmail.com
Sat Aug 18 22:05:48 UTC 2012


On Sat, Aug 11, 2012 at 4:52 AM, Greg Troxel <gdt at ir.bbn.com> wrote:
>
> Justin Stottlemyer <justin.h.stottlemyer at gmail.com> writes:
>
>> Tahoe, much like a web service, should probably run in a semi-protected
>> environment as a non-privileged user (aka nobody) in most instances. Not a
>> knock to the OP, but I think this is a fairly standard Sys Admin task.
>> While it may not be friendly to the newest of users, it isn't unfriendly.
>
> That's all true, but when one installs packages of many things (as a
> package for a 'distribution' or 'packaging system'), they come with
> their own non-root users.  In pkgsrc, installing tahoe causes:
>
>   tahoes:*:1023:1024:tahoe server:/nonexistent:/sbin/nologin
>
> but I haven't set up /etc/rc.d/tahoes to read a config file of server
> directories and optional associated uids and start them.
>
>
> The other issue is that tahoe is a capability system and does not have a
> notion of file ownership.  So that makes things a bit odd relative to
> typical unix filesystems.  A big question is whether there should be
> multiple users sharing a gateway or one gateway process per uid, with
> restricted unix-domain sockets for access.  (I am thinking of
> multi-user systems as the general case, since I find that "single-user
> system" is something that rarely exists.)
>

Multiple users of a single gateway are fairly well protected from each
other without any configuration by dint of the capabilities model.  If
user A doesn't know a capability that user B uses, then A can't mess
with that capability.  There's no need to modify "permissions"
anywhere.  That's one appeal of the capability system.  Another is
that the access patterns span the whole network, rather than one
machine.

However, there are some things which the gateway provides which aren't
protected by capabilities.  From the point of view of size accounting,
last I checked, all data stored by the gateway is lumped together.  So
if you had two users, and one uses 100 gigs and the other uses 1,
the others on the network will just see that gateway using 101 gigs.

Users sharing a gateway may be able to see progress reports for other
users' operations (but only if the users use weak operation id
tokens), and they can all see the network information such as the
introducer furl or list of nodes.  Those shouldn't make the users'
*data* vulnerable in any way I can think of.

For further info, check out this ticket, which also includes the use
case of multiple users across machines and one gateway:

https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1665
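The three points made above (isolation by capability, lumped size accounting, and progress reports leaking only through weak operation ids) as a small runnable toy model. This is an added example, not part of Nathan's message and not Tahoe-LAFS code: the ToyGateway class, the "URI:TOY:" capability prefix, the sequential operation ids and the two constructed local users A and B are all assumptions made for the illustration.

```python
import secrets


class ToyGateway:
    """Toy model of one gateway shared by several local users (constructed for
    illustration; not Tahoe-LAFS code). An object is reachable only through an
    unguessable capability string, and the gateway records nothing about which
    local user stored it, which is why its storage total is a single lump."""

    def __init__(self):
        self.objects = {}     # capability string -> stored bytes
        self.operations = {}  # operation id -> progress record

    def store(self, data: bytes) -> str:
        """Store data; the returned capability is the only way to get it back."""
        cap = "URI:TOY:" + secrets.token_urlsafe(32)  # 256 bits of entropy (assumed format)
        self.objects[cap] = data
        return cap

    def fetch(self, cap: str) -> bytes:
        """No owner check, no ACL: knowing the capability is the whole test."""
        if cap not in self.objects:
            raise PermissionError("unknown capability")
        return self.objects[cap]

    def total_usage(self) -> int:
        """What the rest of the grid sees: one number for the whole gateway."""
        return sum(len(d) for d in self.objects.values())

    def start_operation(self, op_id: str, description: str) -> None:
        self.operations[op_id] = {"description": description, "done": False}

    def progress(self, op_id: str) -> dict:
        """Progress reports are looked up by operation id alone."""
        if op_id not in self.operations:
            raise KeyError("unknown operation id")
        return dict(self.operations[op_id])


def can_read(gw: ToyGateway, cap: str, expected: bytes) -> bool:
    """True if the capability yields the expected bytes, False otherwise."""
    try:
        return gw.fetch(cap) == expected
    except PermissionError:
        return False


def visible(gw: ToyGateway, op_id: str) -> bool:
    """True if a progress report exists for this operation id."""
    try:
        gw.progress(op_id)
        return True
    except KeyError:
        return False


def run_demo() -> dict:
    """Two local users, A and B, share one gateway; returns what each party can see."""
    gw = ToyGateway()
    data_a, data_b = b"A" * 100, b"B"
    cap_a = gw.store(data_a)   # only A learns this string
    cap_b = gw.store(data_b)   # only B learns this string

    # 1. Isolation: B cannot reach A's data with B's own cap or with guesses,
    #    because a 256-bit random capability is not guessable.
    guesses = [cap_b, "URI:TOY:" + "A" * 43, "URI:TOY:" + secrets.token_urlsafe(32)]
    cross_access = any(can_read(gw, g, data_a) for g in guesses)

    # 2. Accounting: per-user usage is known locally, but the grid sees one total.
    per_user = {"A": len(data_a), "B": len(data_b)}
    gateway_reports = gw.total_usage()

    # 3. Operation ids: a predictable id exposes A's progress report to anyone
    #    who tries the obvious values; a random id does not.
    gw.start_operation("1", "A: weak, sequential id")
    gw.start_operation(secrets.token_urlsafe(16), "A: strong, random id")
    b_tries = ["1", "2", "3"]  # constructed: what B would try against sequential ids
    found = {gw.progress(g)["description"] for g in b_tries if visible(gw, g)}

    return {
        "a_reads_own": can_read(gw, cap_a, data_a),
        "b_reads_own": can_read(gw, cap_b, data_b),
        "cross_access": cross_access,
        "per_user": per_user,
        "gateway_reports": gateway_reports,
        "weak_op_visible": "A: weak, sequential id" in found,
        "strong_op_visible": "A: strong, random id" in found,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows both users reading their own objects, no cross access, the gateway reporting 101 bytes as one lump while only the local bookkeeping knows the 100/1 split, and only the sequentially numbered operation's progress being visible to the other user.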