#187 closed defect (duplicate)

security flaw: directory server can escalate read access into write access

Reported by: zooko
Owned by: nobody
Priority: critical
Milestone: 0.7.0
Component: unknown
Version: 0.6.1
Keywords: security access-control directory
Cc:
Launchpad Bug:

Description

The current scheme to prevent users who haven't been granted write access from writing updates to directories doesn't prevent the server that hosts the directory from writing to it if the server has been granted read access to the directory.

That is: the intent is that you can grant a person read-only access while withholding read-write access, and this intent works as far as the person doesn't control the directory server, but if you grant read access to the directory server then it can also gain write access, which wasn't intended.

For example, the current test grid is configured so that everyone uses the same directory server (because the vdrive.furl file that you put into your node directory before you launch your node points to that server). If you give one of the allmydata folks a read-only view on a directory of yours, we can use that read access plus our control of the directory server to change the contents of your directory.

Change History (2)

comment:1 Changed at 2007-11-01T17:09:48Z by zooko

  • Resolution set to duplicate
  • Status changed from new to closed

Small Distributed Mutable Files will fix this. Merging into #197.

comment:2 Changed at 2007-11-01T18:12:49Z by zooko

  • Milestone changed from 0.6.2 to 0.7.0

Milestone 0.6.2 deleted
