[tahoe-lafs-trac-stream] [tahoe-lafs] #1535: Allow restricting Tahoe-LAFS gateway to one user by supporting Unix sockets
tahoe-lafs
trac at tahoe-lafs.org
Tue Jan 21 20:43:15 UTC 2014
#1535: Allow restricting Tahoe-LAFS gateway to one user by supporting Unix sockets
-------------------------+-------------------------------------------------
Reporter: | Owner:
LoneTech | Status: new
Type: | Milestone: eventually
enhancement | Version: 1.8.2
Priority: major | Keywords: wui cli socket unix security
Component: code- | confidentiality integrity capleak
frontend-cli |
Resolution: |
Launchpad Bug: |
-------------------------+-------------------------------------------------
Changes (by daira):
* milestone: soon => eventually
Old description:
> It's fairly easy to limit the node interface, by setting something like:
> web.port = unix:/home/$USER/.tahoe/websocket:mode=600
>
> The problem is, web browsers can't connect to it. That much is expected,
> but neither can the tahoe CLI. It refuses any node.url that does not
> begin with http or https, and I found no way to make it connect to a UNIX
> socket.
>
> The downside with a TCP socket is it lets all local users use the
> filesystem, even if they can't find your files in it without the caps.
New description:
It's fairly easy to limit the node interface, by setting something like:
web.port = unix:/home/$USER/.tahoe/websocket:mode=600
The problem is, web browsers can't connect to it. That much is expected,
but neither can the tahoe CLI. It refuses any node.url that does not begin
with http or https, and I found no way to make it connect to a UNIX
socket.
The downside with a TCP socket is it lets all local users use the
filesystem, even if they can't find your files in it without the caps.
--
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1535#comment:2>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
More information about the tahoe-lafs-trac-stream
mailing list