Opened at 2009-01-17T01:47:14Z
Last modified at 2021-03-30T18:40:19Z
#587 new defect
Web nodes provide ambient upload authority
Reported by: | toby.murray | Owned by: | daira
---|---|---|---
Priority: | major | Milestone: | soon
Component: | code-frontend-web | Version: | 1.2.0
Keywords: | upload security accounting LeastAuthority.com websec | Cc: | vikarti@…
Launchpad Bug: | | |
Description (last modified by zooko)
Under the current webapi, nodes offer ambient upload authority to any host that can send them web requests. There are deployment scenarios for Tahoe in which this behaviour is undesirable.
A means to disable this behaviour would be useful. In particular, being able to turn this behaviour off via a setting in tahoe.cfg could be good.
Discussion surrounding this issue can be found in the thread starting here: http://allmydata.org/pipermail/tahoe-dev/2009-January/001015.html
Change History (20)
Changed at 2009-01-17T01:49:50Z by toby.murray
Changed at 2009-01-17T01:50:30Z by toby.murray
A test case for this configuration parameter with one test for each of its two boolean states
comment:1 Changed at 2009-01-18T15:45:04Z by zooko
- Owner set to zooko
- Status changed from new to assigned
Thanks! I'm looking at your patch.
comment:2 Changed at 2009-01-18T17:24:58Z by zooko
- Resolution set to fixed
- Status changed from assigned to closed
fixed by 66f83c7356a79978. I have some more questions about this topic which I'll post to the mailing list.
comment:3 Changed at 2010-04-25T20:35:33Z by francois
- Resolution fixed deleted
- Status changed from closed to reopened
comment:4 Changed at 2010-04-26T11:26:48Z by francois
The patch has been reverted by Zooko.
comment:5 Changed at 2010-06-12T22:18:50Z by davidsarah
- Keywords upload security accounting added
comment:6 Changed at 2011-01-06T08:13:15Z by davidsarah
See #1215 (add CORS support), which is blocked by at least this issue.
comment:7 Changed at 2011-07-31T04:48:38Z by davidsarah
See also #1455, about UI redressing attacks on the ambiently accessible pages.
comment:8 Changed at 2011-12-12T04:13:43Z by davidsarah
- Keywords lae added
- Milestone changed from undecided to 1.10.0
- Owner changed from zooko to davidsarah
- Status changed from reopened to new
In LAE's Tahoe-LAFS-on-S3 service (and possibly other cases when we have accounting), a customer who made a public gateway accessible would have to pay for storage of any files uploaded via that gateway, which puts a real cramp on sharing.
comment:9 Changed at 2011-12-12T04:14:01Z by davidsarah
- Status changed from new to assigned
comment:10 Changed at 2012-02-12T05:13:22Z by vikarti
- Cc vikarti@… added
comment:11 Changed at 2013-01-04T20:29:07Z by zooko
- Keywords LeastAuthority.com added; lae removed
comment:12 Changed at 2013-09-14T17:39:34Z by zooko
- Description modified (diff)
- Keywords websec added
comment:13 Changed at 2015-04-12T21:43:37Z by daira
- Milestone changed from soon to 1.12.0
- Owner changed from davidsarah to daira
- Status changed from assigned to new
comment:14 Changed at 2016-03-22T05:02:25Z by warner
- Milestone changed from 1.12.0 to 1.13.0
Milestone renamed
comment:15 Changed at 2016-06-28T18:17:14Z by warner
- Milestone changed from 1.13.0 to 1.14.0
renaming milestone
comment:16 Changed at 2019-05-29T20:11:02Z by exarkun
Reading the mailing list thread, it seems like the change was reverted because it only allows the removal of the ambient authority to perform "unlinked" writes - in other words, to create brand new "top-level" shares. This is easily subverted by a malicious client who has any single write-cap for the system.
So is it actually possible to fix this issue without some much larger change - e.g., "Accounting"?
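The description and comment:16 together make one point: a gateway setting that refuses capability-less ("unlinked") uploads does not remove upload authority from anyone who already holds a directory write-cap, because a "linked" write through that cap still consumes storage on the gateway owner's account. The following Python model is an added illustration, not code from Tahoe-LAFS or from this ticket. It assumes the `web.ambient_upload_authority` knob named in the attachment description, assumes it would live in the `[node]` section of tahoe.cfg next to `web.port`, and uses the two upload forms of the Tahoe webapi (`PUT /uri` / `POST /uri?t=upload` for unlinked uploads, `PUT /uri/$DIRCAP/...` for linked writes) as the request shapes it classifies; the write-cap strings and request sizes are constructed placeholders.

```python
"""Toy model of a Tahoe-LAFS gateway's upload policy (added example, not Tahoe code)."""
import configparser
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed tahoe.cfg fragment. Placing the knob in [node] is an assumption;
# the patch that introduced it was reverted, so no real section is documented.
SAMPLE_TAHOE_CFG = """\
[node]
nickname = example-gateway
web.port = tcp:3456:interface=127.0.0.1
web.ambient_upload_authority = false
"""

# Constructed placeholder write-cap; real caps carry a write key and fingerprint.
DIRCAP = "URI:DIR2:writekey-placeholder:fingerprint-placeholder"


def load_ambient_upload_setting(cfg_text: str) -> bool:
    """Read the hypothetical knob; defaulting to True mirrors current behaviour."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return cp.getboolean("node", "web.ambient_upload_authority", fallback=True)


def classify_write(method: str, url: str):
    """Return 'unlinked', 'linked' or None for a webapi request.

    unlinked: PUT /uri  or  POST /uri?t=upload      (no capability in the URL)
    linked:   PUT /uri/<dircap>/<name>  or  POST /uri/<dircap>?t=upload
    """
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    is_upload_post = method == "POST" and parse_qs(parts.query).get("t") == ["upload"]
    if not segments or segments[0] != "uri":
        return None
    if method != "PUT" and not is_upload_post:
        return None
    return "unlinked" if len(segments) == 1 else "linked"


@dataclass
class GatewayPolicy:
    """The only decision the knob can make: accept or refuse unlinked uploads."""
    ambient_upload_authority: bool

    def decide(self, method: str, url: str) -> str:
        kind = classify_write(method, url)
        if kind is None:
            return "not-an-upload"
        if kind == "unlinked" and not self.ambient_upload_authority:
            return "refused"
        # A linked write is authorised by the cap in the URL; the gateway has no
        # way to tell the cap's owner from anyone the cap was shared with.
        return "accepted"


def bytes_stored(policy: GatewayPolicy, requests) -> int:
    """Sum the sizes of the uploads the policy lets through (the owner pays for these)."""
    return sum(size for method, url, size in requests
               if policy.decide(method, url) == "accepted")


# Constructed traffic: one anonymous unlinked upload, one linked write by a
# client holding the directory write-cap, and a read that is not an upload.
SAMPLE_REQUESTS = [
    ("PUT", "/uri", 5_000_000),
    ("PUT", f"/uri/{DIRCAP}/report.txt", 7_000_000),
    ("GET", f"/uri/{DIRCAP}/report.txt", 0),
]


def demo() -> dict:
    """Show that turning the knob off refuses only the unlinked upload."""
    locked = GatewayPolicy(load_ambient_upload_setting(SAMPLE_TAHOE_CFG))
    open_gateway = GatewayPolicy(ambient_upload_authority=True)
    return {
        "knob": locked.ambient_upload_authority,
        "stored_with_knob_off": bytes_stored(locked, SAMPLE_REQUESTS),
        "stored_with_knob_on": bytes_stored(open_gateway, SAMPLE_REQUESTS),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports 7,000,000 bytes stored with the knob off versus 12,000,000 with it on: the setting trims the anonymous case only. Any holder of the write-cap, including a party the customer shared it with, still stores data billed to the gateway owner, which is why comment:16 concludes that a per-gateway switch cannot close the issue without accounting.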
comment:17 Changed at 2020-06-30T14:45:13Z by exarkun
- Milestone changed from 1.14.0 to 1.15.0
Moving open issues out of closed milestones.
comment:18 Changed at 2021-03-30T18:40:19Z by meejah
- Milestone changed from 1.15.0 to soon
Ticket retargeted after milestone closed
A patch to add 'web.ambient_upload_authority' as a parameter to tahoe.cfg