[tahoe-dev] Tahoe Access Control
Zooko O'Whielacronx
zooko at zooko.com
Thu Jun 2 22:04:30 PDT 2011

> So with a writecap, a read operation returns the subdir writecap?
> Do directories have both, always?

Not always. If you have a writecap to a file and you are going to add
a link to that file as a child link in a directory, you get to choose
whether to make the child link be a writecap or a readcap to that
file. If you add a writecap, then people who hold a writecap to the
parent directory will get a writecap to that child but people who hold
only a readcap to the parent directory will get only a readcap to the
child. If you put a readcap, then whether or not they hold a writecap
to the parent they'll get a readcap to the child.

The result is that readonliness, like immutability, is transitive when
traversing Tahoe-LAFS directories. Once you follow a readonly link to
a directory, then you'll only find readonly (or immutable) links after
that. Once you follow an immutable link to a directory, then you'll
only get immutable links after that. But, if you have the more
powerful caps you can still find less powerful caps in a directory, so
if you have a readonly cap you can find either readonly or immutable
children, and if you have a writecap you can find either writeable,
readonly, or immutable children.

It's a pretty cool idea! I suspect there are a lot of useful security
constructions that you can build using this. I think it was mostly due
to Brian Warner (like much of Tahoe-LAFS's design).

If you can see any way to improve this documentation about this:
http://tahoe-lafs.org/trac/tahoe-lafs/browser/trunk/docs/about.rst#access-control

Or this more detailed documentation:
http://tahoe-lafs.org/trac/tahoe-lafs/wiki/Capabilities

Then please submit a patch. :-)

Regards,
Zooko
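
The attenuation rule described in the message above, as an added example that is not part of the original post and is not Tahoe-LAFS code: a toy Python model in which each child link stores the cap kind the linker chose, and following a link yields the weaker of the cap you hold and the cap stored. The names `Dir`, `Cap`, `link`, `get`, `walk`, `readonly` and the sample tree are constructed for illustration; real caps are cryptographic strings, modeled here as plain labels.

```python
# Toy model only, not Tahoe-LAFS code; every name below is constructed.
from dataclasses import dataclass, field

RANK = {"immutable": 0, "read": 1, "write": 2}  # ordering used only by this model

@dataclass
class Dir:
    name: str
    mutable: bool = True
    links: dict = field(default_factory=dict)  # child name -> (Dir, stored cap kind)

@dataclass(frozen=True)
class Cap:
    target: Dir
    kind: str  # "write" or "read" for mutable dirs, "immutable" otherwise

def link(parent: Cap, name: str, child: Cap, store_as: str) -> None:
    """Add a child link, choosing how much authority the link carries."""
    if parent.kind != "write":
        raise PermissionError("adding a link needs a writecap to the parent")
    allowed = ("read", "write") if child.target.mutable else ("immutable",)
    if store_as not in allowed or RANK[store_as] > RANK[child.kind]:
        raise PermissionError("link cannot carry that authority")
    parent.target.links[name] = (child.target, store_as)

def get(parent: Cap, name: str) -> Cap:
    """Follow one link: the result is the weaker of the held and stored caps."""
    target, stored = parent.target.links[name]
    return Cap(target, min(parent.kind, stored, key=RANK.__getitem__))

def walk(cap: Cap, *path: str) -> Cap:
    for name in path:
        cap = get(cap, name)
    return cap

def readonly(cap: Cap) -> Cap:
    """Attenuate a writecap to a readcap (other caps are returned unchanged)."""
    return Cap(cap.target, "read") if cap.kind == "write" else cap

def demo() -> Cap:
    # Constructed tree: root/shared/notes, root/docs/drafts, root/snap (immutable).
    root, shared, docs = (Cap(Dir(n), "write") for n in ("root", "shared", "docs"))
    notes, drafts = Cap(Dir("notes"), "write"), Cap(Dir("drafts"), "write")
    snap = Cap(Dir("snap", mutable=False), "immutable")
    link(shared, "notes", notes, "write")
    link(docs, "drafts", drafts, "write")
    link(root, "shared", shared, "write")
    link(root, "docs", docs, "read")  # readcap link: everything below is read-only
    link(root, "snap", snap, "immutable")
    return root
```

In this model `root/docs/drafts` is stored as a writecap inside `docs`, yet nobody reaching it through `root` gets more than a readcap, because the `root/docs` link itself is a readcap.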