[tahoe-lafs-trac-stream] [tahoe-lafs] #1737: remove "Control Port" (and private/control.furl)

tahoe-lafs trac at tahoe-lafs.org
Mon May 14 23:56:13 UTC 2012


#1737: remove "Control Port" (and private/control.furl)
---------------------------+------------------------
 Reporter:  warner         |          Owner:
     Type:  task           |         Status:  new
 Priority:  normal         |      Milestone:  1.10.0
Component:  code-frontend  |        Version:  1.9.1
 Keywords:  security       |  Launchpad Bug:
---------------------------+------------------------
 There's a little-used "control port" in the tahoe client, accessible
 through Foolscap by someone who can read
 {{{NODEDIR/private/control.furl}}} (which in practice means only the
 node admin). The original idea was to provide a Foolscap-based frontend
 with more features (or at least more security) than the HTTP-based
 frontend. But that never took off, and at this point, there are only two
 consumers:

 * automated performance tests in source:src/allmydata/test/check_speed.py
 * automated memory-footprint tests in
 source:src/allmydata/test/check_memory.py

 The methods it provides are:

 * {{{wait_for_client_connections()}}}
 * {{{upload_from_file_to_uri()}}}
 * {{{download_from_uri_to_file()}}}
 * {{{speed_test()}}}
 * {{{get_memory_usage()}}}
 * {{{measure_peer_response_time()}}}

 David-Sarah argues that it provides excess authority, specifically due
 to the fact that the upload/download methods accept local filenames
 (like {{{remote_upload_from_file_to_uri()}}}, which accepts a local disk
 filename and uploads it to the grid, returning the filecap, and which could
 therefore be used to upload e.g. {{{~/.tahoe/private/aliases.txt}}}). This
 makes it unsafe to share {{{control.furl}}} with anyone who is not supposed
 to get control of the user account running the node.

 David-Sarah would like to remove it for 1.10. To do that, we'd need to
 either give up the automated performance and memory-footprint tests, or
 find a way to rewrite them (which would probably mean adding new
 authorities into the HTTP-based webapi, at least for get_memory_usage()
 and measure_peer_response_time()).

 We could also address the excess authority by changing the
 upload/download methods (maybe using empty tempfiles of given
 sizes, and *not* accepting a filename at all). That would probably let
 us preserve the automated tests without too many changes.
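 As an added illustration (not Tahoe-LAFS or Foolscap code; {{{FakeGrid}}}, the two control classes and the {{{remote_upload_zeros_to_uri()}}} name are assumed stand-ins), the following contrasts the current filename-accepting method with the size-only variant proposed above, showing that only the former can reach {{{private/aliases.txt}}}:

```python
import os
import tempfile


class FakeGrid:
    """Stand-in for the storage grid: keeps uploaded bytes under a constructed filecap."""
    def __init__(self):
        self.store = {}

    def upload(self, data: bytes) -> str:
        cap = "URI:CHK:constructed-%d" % len(self.store)  # constructed, not a real cap
        self.store[cap] = data
        return cap


class LegacyControl:
    """Models the existing control-port method: any path the node user can read."""
    def __init__(self, grid):
        self.grid = grid

    def remote_upload_from_file_to_uri(self, filename: str) -> str:
        with open(filename, "rb") as f:
            return self.grid.upload(f.read())


class ReducedControl:
    """Proposed shape: the caller names only a size; no filename parameter exists."""
    def __init__(self, grid):
        self.grid = grid

    def remote_upload_zeros_to_uri(self, size: int) -> str:
        with tempfile.TemporaryFile() as f:
            f.truncate(size)  # zero-filled temp file of the requested size
            return self.grid.upload(f.read())


def make_nodedir() -> str:
    """Build a throwaway NODEDIR with a constructed private/aliases.txt."""
    nodedir = tempfile.mkdtemp()
    os.mkdir(os.path.join(nodedir, "private"))
    with open(os.path.join(nodedir, "private", "aliases.txt"), "w") as f:
        f.write("tahoe: URI:DIR2:constructed-secret-dircap\n")
    return nodedir


def compare(nodedir: str):
    """Return (bytes the legacy method exposes, bytes the reduced method exposes)."""
    grid = FakeGrid()
    aliases = os.path.join(nodedir, "private", "aliases.txt")
    legacy_cap = LegacyControl(grid).remote_upload_from_file_to_uri(aliases)
    reduced_cap = ReducedControl(grid).remote_upload_zeros_to_uri(1024)
    return grid.store[legacy_cap], grid.store[reduced_cap]
```

 The reduced variant keeps what check_speed.py needs (an upload of a chosen size) while holding no authority over the node's files.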

-- 
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1737>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage