[tahoe-lafs-trac-stream] [Tahoe-LAFS] #1737: remove "Control Port" (and private/control.furl)

Sun Apr 12 22:46:11 UTC 2015

#1737: remove "Control Port" (and private/control.furl)
-------------------------------+-----------------------------------
     Reporter:  warner         |      Owner:  daira
         Type:  task           |     Status:  assigned
     Priority:  normal         |  Milestone:  1.11.0
    Component:  code-frontend  |    Version:  1.9.1
   Resolution:                 |   Keywords:  security control.furl
Launchpad Bug:                 |
-------------------------------+-----------------------------------
Description changed by daira:

Old description:

> There's a little-used "control port" in the tahoe client, accessible
> through Foolscap by someone who can read
> {{{NODEDIR/private/control.furl}}} (which in practice means only the node
> admin). The original idea was to provide a Foolscap-based frontend with
> more features (or at least more security) than the HTTP-based frontend.
> But that never took off, and at this point, there are only two consumers:
>
> * automated performance tests in source:src/allmydata/test/check_speed.py
> * automated memory-footprint tests in
> source:src/allmydata/test/check_memory.py
>
> The methods it provides are:
>
> * {{{wait_for_client_connections()}}}
> * {{{upload_from_file_to_uri()}}}
> * {{{download_from_uri_to_file()}}}
> * {{{speed_test()}}}
> * {{{get_memory_usage()}}}
> * {{{measure_peer_response_time()}}}
>
> Daira argues that it provides excess authority, specifically due to the
> fact that the upload/download methods accept local filenames
> (like {{{remote_upload_from_file_to_uri()}}} which accepts a local disk
> filename and uploads it to the grid, returning the filecap, which could
> be used to upload e.g. {{{~/.tahoe/private/aliases}}}. This makes it
> unsafe to share {{{control.furl}}} with anyone who is not supposed to get
> control of the user account running the node.
>
> Daira would like to remove it. To do that, we'd need to either give up
> the automated performance and memory-footprint tests, or find a way to
> rewrite them (which would probably mean adding new authorities into the
> HTTP-based webapi, at least for get_memory_usage() and
> measure_peer_response_time()).
>
> We could also address the excess authority by changing the
> upload/download methods (maybe using empty tempfiles of given sizes, and
> *not* accepting a filename at all). That would probably let us preserve
> the automated tests without too many changes.

New description:

 There's a little-used "control port" in the tahoe client, accessible
 through Foolscap by someone who can read
 {{{NODEDIR/private/control.furl}}} (which in practice means only the node
 admin). The original idea was to provide a Foolscap-based frontend with
 more features (or at least more security) than the HTTP-based frontend.
 But that never took off, and at this point, there are only two consumers:

 * automated performance tests in source:src/allmydata/test/check_speed.py
 * automated memory-footprint tests in
 source:src/allmydata/test/check_memory.py

 The methods it provides are:

 * {{{wait_for_client_connections()}}}
 * {{{upload_from_file_to_uri()}}}
 * {{{download_from_uri_to_file()}}}
 * {{{speed_test()}}}
 * {{{get_memory_usage()}}}
 * {{{measure_peer_response_time()}}}

 Daira argues that it provides excess authority, specifically due to the
 fact that the upload/download methods accept local filenames (like
 {{{remote_upload_from_file_to_uri()}}} which accepts a local disk filename
 and uploads it to the grid, returning the filecap, which could be used to
 upload e.g. {{{~/.tahoe/private/aliases}}}. This makes it unsafe to share
 {{{control.furl}}} with anyone who is not supposed to get control of the
 user account running the node.

 Daira would like to remove it. To do that, we'd need to either give up the
 automated performance and memory-footprint tests, or find a way to rewrite
 them (which would probably mean adding new authorities into the HTTP-based
 webapi, at least for get_memory_usage() and measure_peer_response_time()).

 We could also address the excess authority by changing the upload/download
 methods (maybe using empty tempfiles of given sizes, and *not* accepting a
 filename at all). That would probably let us preserve the automated tests
 without too many changes.

--

--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1737#comment:6>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage