Opened at 2012-05-14T23:56:11Z
Last modified at 2015-04-28T22:36:14Z
#1737 closed defect
remove "Control Port" (and private/control.furl) — at Version 2
Reported by: | warner | Owned by: | daira |
---|---|---|---|
Priority: | normal | Milestone: | 1.10.1 |
Component: | code-frontend | Version: | 1.9.1 |
Keywords: | security control.furl | Cc: | |
Launchpad Bug: |
Description (last modified by daira)
There's a little-used "control port" in the tahoe client, accessible through Foolscap by someone who can read NODEDIR/private/control.furl (which in practice means only the node admin). The original idea was to provide a Foolscap-based frontend with more features (or at least more security) than the HTTP-based frontend. But that never took off, and at this point, there are only two consumers:
- automated performance tests in source:src/allmydata/test/check_speed.py
- automated memory-footprint tests in source:src/allmydata/test/check_memory.py
The methods it provides are:
- wait_for_client_connections()
- upload_from_file_to_uri()
- download_from_uri_to_file()
- speed_test()
- get_memory_usage()
- measure_peer_response_time()
David-Sarah argues that it provides excess authority, specifically due to the fact that the upload/download methods accept local filenames (for example, remote_upload_from_file_to_uri() accepts a local disk filename and uploads it to the grid, returning the filecap, which could be used to upload e.g. ~/.tahoe/private/aliases.txt). This makes it unsafe to share control.furl with anyone who is not supposed to get control of the user account running the node.
David-Sarah would like to remove it for 1.10. To do that, we'd need to either give up the automated performance and memory-footprint tests, or find a way to rewrite them (which would probably mean adding new authorities into the HTTP-based webapi, at least for get_memory_usage() and measure_peer_response_time()).
We could also address the excess authority by changing the upload/download methods (maybe using empty tempfiles of given sizes, and *not* accepting a filename at all). That would probably let us preserve the automated tests without too many changes.
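The excess-authority problem described in the ticket, and the size-only alternative it proposes, as an added illustration (this is not Tahoe-LAFS code and not the actual control-port implementation). Foolscap, the grid and the capability format are stubbed out: FakeGrid, VulnerableControl, HardenedControl, the "URI:FAKE:" cap prefix and the aliases.txt contents are all constructed for this example.

```python
"""Added illustration, not Tahoe-LAFS code: a control-port method that
accepts a local filename lets whoever holds control.furl read (and write)
any file the node's user account can reach, while a method that only takes
a byte count preserves the performance tests without that authority.

Everything remote (Foolscap transport, storage grid, filecaps) is stubbed.
"""
import hashlib
import os
import tempfile


class FakeGrid:
    """Stand-in for the storage grid: remembers whatever is uploaded."""

    def __init__(self):
        self.store = {}

    def upload_bytes(self, data):
        # Constructed cap format, not a real Tahoe URI.
        cap = "URI:FAKE:" + hashlib.sha256(data).hexdigest()[:16]
        self.store[cap] = data
        return cap

    def download_bytes(self, cap):
        return self.store[cap]


class VulnerableControl:
    """Same shape as the methods the ticket lists: the caller names a path
    on the node's local disk and the node uploads whatever is there."""

    def __init__(self, grid):
        self.grid = grid

    def upload_from_file_to_uri(self, filename):
        # Reads with the node's own file authority; the caller picks the path.
        with open(filename, "rb") as f:
            return self.grid.upload_bytes(f.read())

    def download_from_uri_to_file(self, cap, filename):
        # Symmetric problem: the caller picks where the node writes.
        with open(filename, "wb") as f:
            f.write(self.grid.download_bytes(cap))


class HardenedControl:
    """The ticket's alternative: accept a size, never a filename. Speed and
    memory tests still get an upload/download of a known size, but no local
    file is ever read or written on the caller's behalf."""

    def __init__(self, grid):
        self.grid = grid

    def upload_test_data(self, nbytes):
        # Synthetic payload of the requested size; no path parameter exists.
        return self.grid.upload_bytes(b"\x00" * nbytes)

    def download_and_measure(self, cap):
        # Returns only the size, which is all a timing test needs.
        return len(self.grid.download_bytes(cap))


def demo():
    """Show the exfiltration path through the vulnerable API and its
    absence in the hardened one. Returns (leaked, hardened_ok, size)."""
    grid = FakeGrid()
    # Constructed stand-in for NODEDIR/private/aliases.txt.
    secret = b"tahoe: URI:DIR2:constructed-secret-rootcap\n"
    tmpdir = tempfile.mkdtemp()
    secret_path = os.path.join(tmpdir, "aliases.txt")
    with open(secret_path, "wb") as f:
        f.write(secret)
    try:
        vuln = VulnerableControl(grid)
        cap = vuln.upload_from_file_to_uri(secret_path)
        # Holder of the returned cap now has the node's private file.
        leaked = grid.download_bytes(cap) == secret

        hard = HardenedControl(grid)
        cap2 = hard.upload_test_data(1024)
        hardened_ok = grid.download_bytes(cap2) == b"\x00" * 1024
        size = hard.download_and_measure(cap2)
    finally:
        os.remove(secret_path)
        os.rmdir(tmpdir)
    return leaked, hardened_ok, size


if __name__ == "__main__":
    print(demo())
```

The point of the hardened class is that the authority to name a local path is simply absent from its interface, so there is nothing to validate or sandbox; the caller can only cause traffic of a chosen size, which is what check_speed.py and check_memory.py actually need.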
Change History (2)
comment:1 Changed at 2012-12-20T17:11:58Z by warner
- Milestone changed from 1.10.0 to 1.11.0
comment:2 Changed at 2013-12-28T13:40:56Z by daira
- Description modified (diff)
- Milestone changed from soon to 1.11.0
- Owner set to daira
- Status changed from new to assigned