#587 new defect

Web nodes provide ambient upload authority

Reported by: toby.murray
Owned by: daira
Priority: major
Milestone: soon
Component: code-frontend-web
Version: 1.2.0
Keywords: upload security accounting LeastAuthority.com websec
Cc: vikarti@…
Launchpad Bug:

Description (last modified by zooko)

Under the current webapi, nodes offer ambient upload authority to any host that can send them web requests. There are deployment scenarios for Tahoe in which this behaviour is undesirable.

A means to disable this behaviour would be useful. In particular, being able to turn this behaviour off via a setting in tahoe.cfg could be good.

Discussion surrounding this issue can be found in the thread starting here: http://allmydata.org/pipermail/tahoe-dev/2009-January/001015.html

Attachments (2)

patch.ambient_upload_authority (6.0 KB) - added by toby.murray at 2009-01-17T01:49:50Z.
A patch to add 'web.ambient_upload_authority' as a parameter to tahoe.cfg
test_ambient_upload_authority.py (3.7 KB) - added by toby.murray at 2009-01-17T01:50:30Z.
A test case for this configuration parameter with one test for each of its two boolean states


Change History (20)

Changed at 2009-01-17T01:49:50Z by toby.murray

A patch to add 'web.ambient_upload_authority' as a parameter to tahoe.cfg

Changed at 2009-01-17T01:50:30Z by toby.murray

A test case for this configuration parameter with one test for each of its two boolean states

comment:1 Changed at 2009-01-18T15:45:04Z by zooko

  • Owner set to zooko
  • Status changed from new to assigned

Thanks! I'm looking at your patch.

comment:2 Changed at 2009-01-18T17:24:58Z by zooko

  • Resolution set to fixed
  • Status changed from assigned to closed

fixed by 66f83c7356a79978. I have some more questions about this topic which I'll post to the mailing list.

comment:3 Changed at 2010-04-25T20:35:33Z by francois

  • Resolution fixed deleted
  • Status changed from closed to reopened

comment:4 Changed at 2010-04-26T11:26:48Z by francois

The patch has been reverted by Zooko.

comment:5 Changed at 2010-06-12T22:18:50Z by davidsarah

  • Keywords upload security accounting added

comment:6 Changed at 2011-01-06T08:13:15Z by davidsarah

See #1215 (add CORS support), which is blocked by at least this issue.

comment:7 Changed at 2011-07-31T04:48:38Z by davidsarah

See also #1455, about UI redressing attacks on the ambiently accessible pages.

comment:8 Changed at 2011-12-12T04:13:43Z by davidsarah

  • Keywords lae added
  • Milestone changed from undecided to 1.10.0
  • Owner changed from zooko to davidsarah
  • Status changed from reopened to new

In LAE's Tahoe-LAFS-on-S3 service (and possibly other cases when we have accounting), a customer who made a public gateway accessible would have to pay for storage of any files uploaded via that gateway, which puts a real cramp on sharing.

comment:9 Changed at 2011-12-12T04:14:01Z by davidsarah

  • Status changed from new to assigned

comment:10 Changed at 2012-02-12T05:13:22Z by vikarti

  • Cc vikarti@… added

comment:11 Changed at 2013-01-04T20:29:07Z by zooko

  • Keywords LeastAuthority.com added; lae removed

comment:12 Changed at 2013-09-14T17:39:34Z by zooko

  • Description modified (diff)
  • Keywords websec added

comment:13 Changed at 2015-04-12T21:43:37Z by daira

  • Milestone changed from soon to 1.12.0
  • Owner changed from davidsarah to daira
  • Status changed from assigned to new

comment:14 Changed at 2016-03-22T05:02:25Z by warner

  • Milestone changed from 1.12.0 to 1.13.0

Milestone renamed

comment:15 Changed at 2016-06-28T18:17:14Z by warner

  • Milestone changed from 1.13.0 to 1.14.0

renaming milestone

comment:16 Changed at 2019-05-29T20:11:02Z by exarkun

Reading the mailing list thread, it seems like the change was reverted because it only allows the removal of the ambient authority to perform "unlinked" writes - in other words, to create brand new "top-level" shares. This is easily subverted by a malicious client who has any single write-cap for the system.

So is it actually possible to fix this issue without some much larger change - eg, "Accounting"?
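
An added example, not part of the ticket or of Tahoe-LAFS's own code: a simplified Python model of the limitation described in comment:16, showing which write requests a gateway still accepts once the setting is off. The `Gateway` class, its status codes, the `replay` helper and the `write:`/`read:` capability strings are constructed stand-ins; only the setting name comes from the patch description above.

```python
from dataclasses import dataclass

def is_write_cap(cap: str) -> bool:
    # Constructed stand-in: real capabilities are opaque strings, not "write:..." labels.
    return cap.startswith("write:")

@dataclass
class Gateway:
    ambient_upload_authority: bool  # models the web.ambient_upload_authority setting
    bytes_stored: int = 0           # storage the gateway operator ends up holding

    def handle(self, method: str, path: str, body: bytes = b"") -> int:
        """Return an HTTP-style status for a write request (simplified model)."""
        if method not in ("PUT", "POST"):
            return 405
        segments = [s for s in path.split("/") if s]
        if not segments or segments[0] != "uri":
            return 404
        if len(segments) == 1:
            # Unlinked write: no capability in the request, only network reachability.
            if not self.ambient_upload_authority:
                return 403
        elif not is_write_cap(segments[1]):
            # A read-only capability never authorizes a write.
            return 403
        self.bytes_stored += len(body)
        return 201

def replay(flag: bool, requests):
    """Run constructed requests through a gateway; return (statuses, bytes stored)."""
    gw = Gateway(ambient_upload_authority=flag)
    return [gw.handle(*r) for r in requests], gw.bytes_stored

# Constructed sample traffic from a host that can reach the web port.
SAMPLE = [
    ("PUT", "/uri", b"A" * 100),                         # unlinked upload
    ("PUT", "/uri/read:example/file.txt", b"B" * 100),   # read-cap only
    ("PUT", "/uri/write:example/file.txt", b"C" * 100),  # any single write-cap
]

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, replay(flag, SAMPLE))
```

With the setting off, only the unlinked upload is refused; the write made through a write-cap is still stored at the operator's expense, which is why the comment asks whether a larger change such as accounting is needed.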

comment:17 Changed at 2020-06-30T14:45:13Z by exarkun

  • Milestone changed from 1.14.0 to 1.15.0

Moving open issues out of closed milestones.

comment:18 Changed at 2021-03-30T18:40:19Z by meejah

  • Milestone changed from 1.15.0 to soon

Ticket retargeted after milestone closed
