[tahoe-dev] Authority to DoS via WAPI

Brian Warner warner-tahoe at allmydata.com
Thu Jan 15 02:21:29 UTC 2009


> I see where you're going with this and take your point. However, I'm
> still not convinced of the need to provide ambient authority to upload
> to the grid. Were these operations included in the API other than for
> bootstrapping?

Kind of. If you think of Tahoe as you would a traditional local filesystem,
then it's hard to imagine wanting to create a brand-new unlinked file or
directory: you've got your "one true root", and everything that you can reach
has a name.

But from another point of view, Tahoe is all about caps, rather than names.
This viewpoint considers an unlinked file to be primary. In this view, "PUT
/uri" is one of the two fundamental Tahoe operations ("GET /uri/$FILECAP"
being the other). Everything else is just organizational convenience. This
layer effectively implements a secure distributed table (filecap<->data), and
if you keep track of the filecaps yourself, you never need to use
directories.

If you'd like to keep track of fewer caps, you can put most of your
filecaps/dircaps in a directory, and just remember that one "root" dircap.
But it's important to remember that there's nothing Singleton-ish about this
dircap: somebody else on the same grid might use a different starting point.

We tend to emphasize the latter viewpoint, since it reminds people of the
capability scheme (DIRCAP/foo/bar.txt reveals too much, the filecap for
bar.txt is much less authority), and because you can synthesize the more
traditional view from the cap-oriented primitives.

Also, if you had a single root directory and required everything else to be a
child of that one, then whoever holds that rootcap will get to read everybody
else's file (no privacy from the creator). That's not the sort of property
that customers of a commercial backup service tend to care for :).

> At any rate, I've appended a patch (to apply in src/allmydata with -p1)
> to turn off the "ambient authority" wapi interfaces unless
> "web.ambient_authority = true" is in the [node] section of tahoe.cfg

Cool! Thanks! We might just apply this, although perhaps with the default
value swapped.

cheers,
 -Brian
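Added example, not code from the message or from Tahoe: a constructed toy model of the cap-oriented view described above (a table filecap <-> data, with directories as name -> cap tables synthesized on top), plus a stand-in for the proposed "web.ambient_authority" switch. The cap strings, method names and the "ToyGrid" class are all hypothetical; the point is to show the three properties argued in the thread: a single root lets the rootcap holder read everyone's files, an unlinked upload is reachable only through its own filecap, and gating the ambient-authority endpoints leaves dircap-authorized writes working.

```python
import secrets


class ToyGrid:
    """Constructed toy model of the cap-oriented view (not Tahoe's real cap
    format, storage layer or WAPI). Primary layer: filecap -> data.
    Directories are just name -> cap tables layered on top."""

    def __init__(self, ambient_authority=True):
        # Stands in for the proposed "web.ambient_authority" setting.
        self.ambient_authority = ambient_authority
        self._files = {}  # filecap -> bytes
        self._dirs = {}   # dircap  -> {child name: cap}

    @staticmethod
    def _newcap(kind):
        # Hypothetical cap string; unguessable, so holding it is the authority.
        return f"URI:TOY-{kind}:{secrets.token_hex(16)}"

    # --- the two fundamental operations -----------------------------------
    def put_uri(self, data):
        """PUT /uri: create an unlinked file; only the returned cap reaches it.
        This is the ambient-authority operation the patch proposes to gate."""
        if not self.ambient_authority:
            raise PermissionError("unlinked upload disabled (web.ambient_authority = false)")
        cap = self._newcap("FILE")
        self._files[cap] = data
        return cap

    def get_uri(self, filecap):
        """GET /uri/$FILECAP: read exactly what the presented cap designates."""
        if filecap not in self._files:
            raise KeyError("no such file (or the cap is not a filecap)")
        return self._files[filecap]

    # --- organizational convenience synthesized from caps -----------------
    def mkdir_uri(self):
        """Create an unlinked directory; also an ambient-authority operation."""
        if not self.ambient_authority:
            raise PermissionError("unlinked mkdir disabled (web.ambient_authority = false)")
        cap = self._newcap("DIR")
        self._dirs[cap] = {}
        return cap

    def _require_dir(self, dircap):
        if dircap not in self._dirs:
            raise PermissionError("a dircap is required for this operation")
        return self._dirs[dircap]

    def put_child(self, dircap, name, data):
        """PUT /uri/$DIRCAP/name: the dircap carries the authority, so this
        path is not gated by the ambient-authority switch."""
        entries = self._require_dir(dircap)
        cap = self._newcap("FILE")
        self._files[cap] = data
        entries[name] = cap
        return cap

    def mkdir_child(self, dircap, name):
        entries = self._require_dir(dircap)
        cap = self._newcap("DIR")
        self._dirs[cap] = {}
        entries[name] = cap
        return cap

    def listdir(self, dircap):
        return sorted(self._require_dir(dircap))

    def resolve(self, path):
        """Turn DIRCAP/foo/bar.txt into the cap it names by walking the tables."""
        cap, *parts = path.split("/")
        for part in parts:
            cap = self._require_dir(cap)[part]
        return cap


def single_root_exposes_everyone():
    """One rootcap above every user's directory lets its holder read all files."""
    g = ToyGrid()
    root = g.mkdir_uri()
    for user in ("alice", "bob"):
        home = g.mkdir_child(root, user)
        g.put_child(home, "backup.txt", f"{user}'s private data".encode())
    bobs_cap = g.resolve(f"{root}/bob/backup.txt")  # rootcap holder reaches Bob's file
    return g.listdir(root), g.get_uri(bobs_cap)


def unlinked_file_is_private_to_cap_holder():
    """An unlinked upload is invisible to name-walkers and needs no directory."""
    g = ToyGrid()
    root = g.mkdir_uri()
    secret_cap = g.put_uri(b"only the cap holder sees this")
    return g.listdir(root), g.get_uri(secret_cap)


def ambient_authority_switch():
    """With the switch off, PUT /uri fails but dircap-authorized writes still work."""
    g = ToyGrid()
    home = g.mkdir_uri()         # obtained while bootstrapping, before locking down
    g.ambient_authority = False  # web.ambient_authority = false from here on
    try:
        g.put_uri(b"x")
        unlinked_allowed = True
    except PermissionError:
        unlinked_allowed = False
    cap = g.put_child(home, "f.txt", b"via dircap")
    return unlinked_allowed, g.get_uri(cap)
```

The three functions return their observations rather than printing them, so the model can be exercised directly: the root holder in the first case sees both users and Bob's bytes, the root holder in the second case sees an empty listing while the filecap alone still yields the data, and in the third case only the unlinked upload is refused.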
