#1737 closed defect (fixed)
fix excess authority provided by "Control Port" (and private/control.furl)
| Reported by: | warner | Owned by: | daira |
|---|---|---|---|
| Priority: | normal | Milestone: | 1.10.1 |
| Component: | code-frontend | Version: | 1.9.1 |
| Keywords: | security control.furl | Cc: | |
| Launchpad Bug: |
Description (last modified by daira)
There's a little-used "control port" in the tahoe client, accessible through Foolscap by someone who can read NODEDIR/private/control.furl (which in practice means only the node admin). The original idea was to provide a Foolscap-based frontend with more features (or at least more security) than the HTTP-based frontend. But that never took off, and at this point, there are only two consumers:
- automated performance tests in source:src/allmydata/test/check_speed.py
- automated memory-footprint tests in source:src/allmydata/test/check_memory.py
The methods it provides are:
- wait_for_client_connections()
- upload_from_file_to_uri()
- download_from_uri_to_file()
- speed_test()
- get_memory_usage()
- measure_peer_response_time()
Daira argues that it provides excess authority, specifically due to the fact that the upload/download methods accept local filenames (like remote_upload_from_file_to_uri() which accepts a local disk filename and uploads it to the grid, returning the filecap, which could be used to upload e.g. ~/.tahoe/private/aliases. This makes it unsafe to share control.furl with anyone who is not supposed to get control of the user account running the node.
Daira would like to remove it. To do that, we'd need to either give up the automated performance and memory-footprint tests, or find a way to rewrite them (which would probably mean adding new authorities into the HTTP-based webapi, at least for get_memory_usage() and measure_peer_response_time()).
We could also address the excess authority by changing the upload/download methods (maybe using empty tempfiles of given sizes, and *not* accepting a filename at all). That would probably let us preserve the automated tests without too many changes.
Change History (12)
comment:1 Changed at 2012-12-20T17:11:58Z by warner
- Milestone changed from 1.10.0 to 1.11.0
comment:2 Changed at 2013-12-28T13:40:56Z by daira
- Description modified (diff)
- Milestone changed from soon to 1.11.0
- Owner set to daira
- Status changed from new to assigned
comment:3 Changed at 2013-12-28T13:41:28Z by daira
- Milestone changed from 1.11.0 to 1.12.0
comment:4 Changed at 2015-04-12T22:40:46Z by daira
- Milestone changed from 1.12.0 to 1.11.0
comment:5 Changed at 2015-04-12T22:44:36Z by daira
- Cc davidsarah removed
- Description modified (diff)
- Keywords control.furl added
comment:6 Changed at 2015-04-12T22:46:10Z by daira
- Description modified (diff)
comment:7 Changed at 2015-04-12T22:47:25Z by daira
- Type changed from task to defect
comment:8 Changed at 2015-04-21T20:24:06Z by warner
comment:9 Changed at 2015-04-24T17:40:20Z by daira
- Milestone changed from 1.11.0 to 1.10.1
- Summary changed from remove "Control Port" (and private/control.furl) to fix excess authority provided by "Control Port" (and private/control.furl)
Will review.
comment:10 Changed at 2015-04-28T17:32:32Z by daira
Reviewed; suggested a minor cleanup.
comment:11 Changed at 2015-04-28T19:19:27Z by warner
- Resolution set to fixed
- Status changed from assigned to closed
cleanup applied in [341e263]
I've rewritten the memory test to use a different method (using randomly-generated tempfiles), and I've removed the troublesome filename-based upload/download methods. [2eea4e9] removed the methods, and [f0e783e] contains the fixed memory test.
The current list of control-port methods is: