[tahoe-lafs-trac-stream] [tahoe-lafs] #1737: remove "Control Port" (and private/control.furl)

tahoe-lafs trac at tahoe-lafs.org
Thu Dec 20 17:11:58 UTC 2012


#1737: remove "Control Port" (and private/control.furl)
-------------------------------+----------------------
     Reporter:  warner         |      Owner:
         Type:  task           |     Status:  new
     Priority:  normal         |  Milestone:  1.11.0
    Component:  code-frontend  |    Version:  1.9.1
   Resolution:                 |   Keywords:  security
Launchpad Bug:                 |
-------------------------------+----------------------
Changes (by warner):

 * milestone:  1.10.0 => 1.11.0


Old description:

> There's a little-used "control port" in the tahoe client, accessible
> through Foolscap by someone who can read
> {{{NODEDIR/private/control.furl}}} (which in practice means only the
> node admin). The original idea was to provide a Foolscap-based frontend
> with more features (or at least more security) than the HTTP-based
> frontend. But that never took off, and at this point, there are only two
> consumers:
>
> * automated performance tests in source:src/allmydata/test/check_speed.py
> * automated memory-footprint tests in
> source:src/allmydata/test/check_memory.py
>
> The methods it provides are:
>
> * {{{wait_for_client_connections()}}}
> * {{{upload_from_file_to_uri()}}}
> * {{{download_from_uri_to_file()}}}
> * {{{speed_test()}}}
> * {{{get_memory_usage()}}}
> * {{{measure_peer_response_time()}}}
>
> David-Sarah argues that it provides excess authority, specifically due
> to the fact that the upload/download methods accept local filenames
> (like {{{remote_upload_from_file_to_uri()}}} which accepts a local disk
> filename and uploads it to the grid, returning the filecap, which could
> be used to upload e.g. {{{~/.tahoe/private/aliases.txt}}}). This makes it
> unsafe to share {{{control.furl}}} with anyone who is not supposed to
> get control of the user account running the node.
>
> David-Sarah would like to remove it for 1.10. To do that, we'd need to
> either give up the automated performance and memory-footprint tests, or
> find a way to rewrite them (which would probably mean adding new
> authorities into the HTTP-based webapi, at least for get_memory_usage()
> and measure_peer_response_time()).
>
> We could also address the excess authority by changing the
> upload/download methods (maybe using empty tempfiles of given
> sizes, and *not* accepting a filename at all). That would probably let
> us preserve the automated tests without too many changes.

New description:

 There's a little-used "control port" in the tahoe client, accessible
 through Foolscap by someone who can read
 {{{NODEDIR/private/control.furl}}} (which in practice means only the
 node admin). The original idea was to provide a Foolscap-based frontend
 with more features (or at least more security) than the HTTP-based
 frontend. But that never took off, and at this point, there are only two
 consumers:

 * automated performance tests in source:src/allmydata/test/check_speed.py
 * automated memory-footprint tests in
 source:src/allmydata/test/check_memory.py

 The methods it provides are:

 * {{{wait_for_client_connections()}}}
 * {{{upload_from_file_to_uri()}}}
 * {{{download_from_uri_to_file()}}}
 * {{{speed_test()}}}
 * {{{get_memory_usage()}}}
 * {{{measure_peer_response_time()}}}

 David-Sarah argues that it provides excess authority, specifically due
 to the fact that the upload/download methods accept local filenames
 (like {{{remote_upload_from_file_to_uri()}}} which accepts a local disk
 filename and uploads it to the grid, returning the filecap, which could
 be used to upload e.g. {{{~/.tahoe/private/aliases.txt}}}). This makes it
 unsafe to share {{{control.furl}}} with anyone who is not supposed to
 get control of the user account running the node.

 David-Sarah would like to remove it for 1.10. To do that, we'd need to
 either give up the automated performance and memory-footprint tests, or
 find a way to rewrite them (which would probably mean adding new
 authorities into the HTTP-based webapi, at least for get_memory_usage()
 and measure_peer_response_time()).

 We could also address the excess authority by changing the
 upload/download methods (maybe using empty tempfiles of given
 sizes, and *not* accepting a filename at all). That would probably let
 us preserve the automated tests without too many changes.
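As an added illustration of the excess-authority problem and the size-based fix proposed above (this is not Tahoe-LAFS or Foolscap code; the "grid", the filecap format and the node directory layout are constructed stand-ins so it runs offline), the Python below puts a method modelled on the original `upload_from_file_to_uri()` next to a least-authority variant that accepts only a byte count and synthesizes an empty file itself. The class and method names other than the ones quoted from the ticket are hypothetical.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the storage grid: filecap string -> stored bytes.
# A real filecap is derived from encryption and erasure coding; here it is a
# hash prefix so the example is self-contained.
GRID = {}


def _store(data: bytes) -> str:
    cap = "URI:CHK-example:" + hashlib.sha256(data).hexdigest()[:32]
    GRID[cap] = data
    return cap


class LegacyControlPort:
    """Models the ticket's control-port method: the caller names any local file
    readable by the node process, so the returned filecap can carry that file's
    contents off the node (e.g. private/aliases.txt)."""

    def upload_from_file_to_uri(self, filename: str) -> str:
        with open(filename, "rb") as f:
            return _store(f.read())

    def download_from_uri_to_file(self, uri: str, filename: str) -> int:
        # Symmetric problem: the caller chooses where on local disk to write.
        with open(filename, "wb") as f:
            return f.write(GRID[uri])


class LeastAuthorityControlPort:
    """Hardened variant (hypothetical): the caller only picks a size, the node
    creates an empty temporary file of that size, and nothing on the node's
    disk is addressable by the caller. Downloads go to a node-chosen temp
    file and only the byte count is reported."""

    MAX_TEST_SIZE = 100 * 1024 * 1024  # cap to stop a caller filling the disk

    def upload_test_data_to_uri(self, size: int) -> str:
        if isinstance(size, bool) or not isinstance(size, int):
            raise TypeError("size must be an int")
        if size < 0 or size > self.MAX_TEST_SIZE:
            raise ValueError("size out of range")
        with tempfile.TemporaryFile() as f:
            f.truncate(size)  # zero-filled file of the requested length
            f.seek(0)
            return _store(f.read())

    def download_from_uri_and_discard(self, uri: str) -> int:
        with tempfile.TemporaryFile() as f:
            f.write(GRID[uri])
            return f.tell()


def demo():
    """Builds a constructed NODEDIR with a secret aliases file, then shows the
    legacy method exposing it while the hardened one can only move synthetic
    data. Returns (secret_leaked_via_legacy, hardened_upload_len,
    hardened_upload_is_zero_filled, hardened_download_len)."""
    nodedir = tempfile.mkdtemp()
    private = os.path.join(nodedir, "private")
    os.mkdir(private)
    aliases = os.path.join(private, "aliases.txt")
    secret = b"tahoe: URI:DIR2:constructed-secret-cap\n"  # constructed sample
    with open(aliases, "wb") as f:
        f.write(secret)

    legacy_cap = LegacyControlPort().upload_from_file_to_uri(aliases)
    leaked = GRID[legacy_cap] == secret

    hardened = LeastAuthorityControlPort()
    cap = hardened.upload_test_data_to_uri(16)
    blob = GRID[cap]
    return leaked, len(blob), blob == b"\x00" * 16, hardened.download_from_uri_and_discard(cap)


if __name__ == "__main__":
    print(demo())
```

The key design change is in the method signature: once the only parameter is a size, the authority conveyed by `control.furl` is bounded to "make the node do some test I/O", which is all the speed and memory tests need. A real implementation would stream the temp file rather than read it fully into memory.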

--

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1737#comment:1>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage