[tahoe-lafs-trac-stream] [Tahoe-LAFS] #1737: remove "Control Port" (and private/control.furl)
Tahoe-LAFS
trac at tahoe-lafs.org
Sun Apr 12 22:46:11 UTC 2015
#1737: remove "Control Port" (and private/control.furl)
-------------------------------+-----------------------------------
Reporter: warner | Owner: daira
Type: task | Status: assigned
Priority: normal | Milestone: 1.11.0
Component: code-frontend | Version: 1.9.1
Resolution: | Keywords: security control.furl
Launchpad Bug: |
-------------------------------+-----------------------------------
Description changed by daira:
Old description:
> There's a little-used "control port" in the tahoe client, accessible
> through Foolscap by someone who can read
> {{{NODEDIR/private/control.furl}}} (which in practice means only the node
> admin). The original idea was to provide a Foolscap-based frontend with
> more features (or at least more security) than the HTTP-based frontend.
> But that never took off, and at this point, there are only two consumers:
>
> * automated performance tests in source:src/allmydata/test/check_speed.py
> * automated memory-footprint tests in
> source:src/allmydata/test/check_memory.py
>
> The methods it provides are:
>
> * {{{wait_for_client_connections()}}}
> * {{{upload_from_file_to_uri()}}}
> * {{{download_from_uri_to_file()}}}
> * {{{speed_test()}}}
> * {{{get_memory_usage()}}}
> * {{{measure_peer_response_time()}}}
>
> Daira argues that it provides excess authority, specifically due to the
> fact that the upload/download methods accept local filenames
> (like {{{remote_upload_from_file_to_uri()}}}, which accepts a local disk
> filename and uploads it to the grid, returning the filecap), which could
> be used to upload e.g. {{{~/.tahoe/private/aliases}}}. This makes it
> unsafe to share {{{control.furl}}} with anyone who is not supposed to get
> control of the user account running the node.
>
> Daira would like to remove it. To do that, we'd need to either give up
> the automated performance and memory-footprint tests, or find a way to
> rewrite them (which would probably mean adding new authorities into the
> HTTP-based webapi, at least for get_memory_usage() and
> measure_peer_response_time()).
>
> We could also address the excess authority by changing the
> upload/download methods (maybe using empty tempfiles of given sizes, and
> *not* accepting a filename at all). That would probably let us preserve
> the automated tests without too many changes.
New description:
There's a little-used "control port" in the tahoe client, accessible
through Foolscap by someone who can read
{{{NODEDIR/private/control.furl}}} (which in practice means only the node
admin). The original idea was to provide a Foolscap-based frontend with
more features (or at least more security) than the HTTP-based frontend.
But that never took off, and at this point, there are only two consumers:

* automated performance tests in source:src/allmydata/test/check_speed.py
* automated memory-footprint tests in
source:src/allmydata/test/check_memory.py

The methods it provides are:

* {{{wait_for_client_connections()}}}
* {{{upload_from_file_to_uri()}}}
* {{{download_from_uri_to_file()}}}
* {{{speed_test()}}}
* {{{get_memory_usage()}}}
* {{{measure_peer_response_time()}}}

Daira argues that it provides excess authority, specifically due to the
fact that the upload/download methods accept local filenames (like
{{{remote_upload_from_file_to_uri()}}}, which accepts a local disk filename
and uploads it to the grid, returning the filecap), which could be used to
upload e.g. {{{~/.tahoe/private/aliases}}}. This makes it unsafe to share
{{{control.furl}}} with anyone who is not supposed to get control of the
user account running the node.

Daira would like to remove it. To do that, we'd need to either give up the
automated performance and memory-footprint tests, or find a way to rewrite
them (which would probably mean adding new authorities into the HTTP-based
webapi, at least for get_memory_usage() and measure_peer_response_time()).

We could also address the excess authority by changing the upload/download
methods (maybe using empty tempfiles of given sizes, and *not* accepting a
filename at all). That would probably let us preserve the automated tests
without too many changes.
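The following is an added illustration of the excess-authority problem and of the size-based alternative the ticket sketches; it is not Tahoe-LAFS code and does not model Foolscap. `FakeGrid`, `FilenameControlPort`, `SizeControlPort`, `MAX_TEST_SIZE` and the constructed `private/aliases` contents are all assumptions made for the example. The first port takes a local path, so whoever holds the furl can read (or overwrite) anything the node's user account can; the second takes only a byte count, fabricates the test data in a private temp file, and returns nothing but a filecap or a digest.

```python
"""Filename-taking control method vs. a size-only replacement.
Constructed example; FakeGrid stands in for the storage grid."""
import hashlib
import os
import tempfile

MAX_TEST_SIZE = 16 * 1024 * 1024  # hypothetical upper bound on fabricated test files


class FakeGrid:
    """Stand-in for the grid: 'uploading' stores bytes under a fake filecap
    derived from their hash (not Tahoe's real capability format)."""
    def __init__(self):
        self.store = {}

    def upload(self, data):
        cap = "URI:FAKE:" + hashlib.sha256(data).hexdigest()[:32]
        self.store[cap] = data
        return cap

    def download(self, cap):
        return self.store[cap]


class FilenameControlPort:
    """The shape the ticket objects to: the remote method takes a local path,
    so the authority of control.furl is 'read/write any file the node can'."""
    def __init__(self, grid):
        self.grid = grid

    def remote_upload_from_file_to_uri(self, filename):
        with open(filename, "rb") as f:
            return self.grid.upload(f.read())

    def remote_download_from_uri_to_file(self, uri, filename):
        with open(filename, "wb") as f:
            f.write(self.grid.download(uri))


class SizeControlPort:
    """Proposed shape: callers name only a size. The node fabricates zero-filled
    test data in a temp file it owns and never accepts a path; downloads go to a
    temp file that is discarded, and only a digest is returned."""
    def __init__(self, grid):
        self.grid = grid

    def remote_upload_test_file(self, size):
        if isinstance(size, bool) or not isinstance(size, int):
            raise ValueError("size must be an int")
        if not 0 <= size <= MAX_TEST_SIZE:
            raise ValueError("size must be in [0, MAX_TEST_SIZE]")
        with tempfile.TemporaryFile() as tmp:
            remaining = size
            while remaining:  # write in bounded chunks rather than one big buffer
                chunk = min(remaining, 1 << 20)
                tmp.write(b"\0" * chunk)
                remaining -= chunk
            tmp.seek(0)
            return self.grid.upload(tmp.read())

    def remote_download_test_file(self, uri):
        with tempfile.TemporaryFile() as tmp:
            tmp.write(self.grid.download(uri))
            tmp.seek(0)
            return hashlib.sha256(tmp.read()).hexdigest()


def demonstrate():
    """Return (old port exposed the secret file?, new-port filecap, digest matches?)."""
    grid = FakeGrid()
    with tempfile.TemporaryDirectory() as nodedir:
        secret_path = os.path.join(nodedir, "private", "aliases")
        os.makedirs(os.path.dirname(secret_path))
        secret = b"tahoe: URI:DIR2:constructed-secret-rootcap\n"  # constructed content
        with open(secret_path, "wb") as f:
            f.write(secret)

        old = FilenameControlPort(grid)
        exposed = grid.download(old.remote_upload_from_file_to_uri(secret_path)) == secret

        new = SizeControlPort(grid)
        size = 3 * 1024 * 1024
        cap = new.remote_upload_test_file(size)
        digest_ok = new.remote_download_test_file(cap) == hashlib.sha256(b"\0" * size).hexdigest()
    return exposed, cap, digest_ok


if __name__ == "__main__":
    print(demonstrate())
```

The size-only interface keeps the two automated consumers workable (they need a file of a given size and a round trip, not a particular file), while the authority conveyed by the furl shrinks to "make the node upload and download zero-filled blobs". The explicit bound on `size` also closes the obvious resource-exhaustion path that a size parameter opens.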
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1737#comment:6>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage