Opened at 2009-01-17T01:47:14Z
Last modified at 2021-03-30T18:40:19Z
#587 new defect
Web nodes provide ambient upload authority
Reported by: | toby.murray | Owned by: | daira |
---|---|---|---|
Priority: | major | Milestone: | soon |
Component: | code-frontend-web | Version: | 1.2.0 |
Keywords: | upload security accounting LeastAuthority.com websec | Cc: | vikarti@… |
Launchpad Bug: |
Description (last modified by zooko)
Under the current webapi, nodes offer ambient upload authority to any host that can send them web requests. There are deployment scenarios for Tahoe in which this behaviour is undesirable.
A means to disable this behaviour would be useful. In particular, being able to turn this behaviour off via a setting in tahoe.cfg could be good.
Discussion surrounding this issue can be found in the thread starting here: http://allmydata.org/pipermail/tahoe-dev/2009-January/001015.html
Attachments (2)
Change History (20)
Changed at 2009-01-17T01:49:50Z by toby.murray
Changed at 2009-01-17T01:50:30Z by toby.murray
A test case for this configuration parameter with one test for each of its two boolean states
comment:1 Changed at 2009-01-18T15:45:04Z by zooko
- Owner set to zooko
- Status changed from new to assigned
Thanks! I'm looking at your patch.
comment:2 Changed at 2009-01-18T17:24:58Z by zooko
- Resolution set to fixed
- Status changed from assigned to closed
fixed by 66f83c7356a79978. I have some more questions about this topic which I'll post to the mailing list.
comment:3 Changed at 2010-04-25T20:35:33Z by francois
- Resolution fixed deleted
- Status changed from closed to reopened
comment:4 Changed at 2010-04-26T11:26:48Z by francois
The patch has been reverted by Zooko.
comment:5 Changed at 2010-06-12T22:18:50Z by davidsarah
- Keywords upload security accounting added
comment:6 Changed at 2011-01-06T08:13:15Z by davidsarah
See #1215 (add CORS support), which is blocked by at least this issue.
comment:7 Changed at 2011-07-31T04:48:38Z by davidsarah
See also #1455, about UI redressing attacks on the ambiently accessible pages.
comment:8 Changed at 2011-12-12T04:13:43Z by davidsarah
- Keywords lae added
- Milestone changed from undecided to 1.10.0
- Owner changed from zooko to davidsarah
- Status changed from reopened to new
In LAE's Tahoe-LAFS-on-S3 service (and possibly other cases when we have accounting), a customer who made a public gateway accessible would have to pay for storage of any files uploaded via that gateway, which puts a real cramp on sharing.
comment:9 Changed at 2011-12-12T04:14:01Z by davidsarah
- Status changed from new to assigned
comment:10 Changed at 2012-02-12T05:13:22Z by vikarti
- Cc vikarti@… added
comment:11 Changed at 2013-01-04T20:29:07Z by zooko
- Keywords LeastAuthority.com added; lae removed
comment:12 Changed at 2013-09-14T17:39:34Z by zooko
- Description modified (diff)
- Keywords websec added
comment:13 Changed at 2015-04-12T21:43:37Z by daira
- Milestone changed from soon to 1.12.0
- Owner changed from davidsarah to daira
- Status changed from assigned to new
comment:14 Changed at 2016-03-22T05:02:25Z by warner
- Milestone changed from 1.12.0 to 1.13.0
Milestone renamed
comment:15 Changed at 2016-06-28T18:17:14Z by warner
- Milestone changed from 1.13.0 to 1.14.0
renaming milestone
comment:16 Changed at 2019-05-29T20:11:02Z by exarkun
Reading the mailing list thread, it seems like the change was reverted because it only allows the removal of the ambient authority to perform "unlinked" writes - in other words, to create brand new "top-level" shares. This is easily subverted by a malicious client who has any single write-cap for the system.
So is it actually possible to fix this issue without some much larger change - e.g., "Accounting"?
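The limitation raised in comment:16, as an added example that is not part of the ticket or of Tahoe-LAFS: a simplified Python model of a gateway in which the `web.ambient_upload_authority` flag named in the attached patch gates only unlinked uploads. The class, its methods, the status codes and the cap strings are hypothetical; only the flag name and the `/uri` path shapes follow the ticket and the webapi.

```python
import secrets

class ToyGateway:
    """Toy model of two write paths; not the real gateway implementation."""
    def __init__(self, ambient_upload_authority=True):
        self.ambient_upload_authority = ambient_upload_authority
        self.stored = {}   # cap -> bytes (storage the operator pays for)
        self.dirs = {}     # directory write-cap -> {child name: file cap}

    def _store(self, data):
        cap = "URI:CHK:" + secrets.token_hex(8)  # constructed, not a real cap
        self.stored[cap] = data
        return cap

    def mkdir(self):
        """Create a directory and return its (constructed) write-cap."""
        cap = "URI:DIR2:" + secrets.token_hex(8)
        self.dirs[cap] = {}
        return cap

    def handle_put(self, path, body):
        """Return (status, text) for a PUT from any host that can reach us."""
        parts = [p for p in path.split("/") if p]
        if parts == ["uri"]:
            # Unlinked upload: the requester presents no capability at all.
            if not self.ambient_upload_authority:
                return 403, "unlinked uploads disabled"
            return 201, self._store(body)
        if len(parts) == 3 and parts[0] == "uri" and parts[1] in self.dirs:
            # Linked write: authority comes from the write-cap in the URL,
            # so the flag is never consulted on this path.
            cap = self._store(body)
            self.dirs[parts[1]][parts[2]] = cap
            return 201, cap
        return 404, "not found"

    def bytes_stored(self):
        return sum(len(v) for v in self.stored.values())

def demo():
    gw = ToyGateway(ambient_upload_authority=False)
    unlinked_status, _ = gw.handle_put("/uri", b"x" * 1000)
    writecap = gw.mkdir()  # stands in for any single write-cap a client holds
    linked_status, _ = gw.handle_put("/uri/%s/blob" % writecap, b"y" * 1000)
    return unlinked_status, linked_status, gw.bytes_stored()
```

With the flag off, `demo()` shows the unlinked upload refused while the write through a held write-cap still consumes gateway storage, which is why bounding usage needs per-request accounting rather than this switch alone.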
comment:17 Changed at 2020-06-30T14:45:13Z by exarkun
- Milestone changed from 1.14.0 to 1.15.0
Moving open issues out of closed milestones.
comment:18 Changed at 2021-03-30T18:40:19Z by meejah
- Milestone changed from 1.15.0 to soon
Ticket retargeted after milestone closed
A patch to add 'web.ambient_upload_authority' as a parameter to tahoe.cfg