[tahoe-dev] Tahoe-LAFS is widely misunderstood

Scott Dial scott+tahoe-dev at scottdial.com
Wed Feb 2 20:26:15 UTC 2011


On 2/2/2011 2:10 PM, Brian Warner wrote:
> On 2/1/11 5:36 PM, Greg Troxel wrote:
>>   Removal of CLI and WUI, and using only FUSE. This is the aspect I'm
>>   most in favor of.
> 
> My problem with FUSE as the primary entry point is that it loses the
> whole least-authority model. The POSIX filesystem APIs don't expose
> things like retrieving a dircap for the subdirectory that you want to
> share with a friend, so the easiest thing to do is to share your whole
> rootcap with somebody, the equivalent of sharing passwords from the
> bad-old-days.

Why can't you use POSIX extended attributes for this feature?

% mount-pubgrid
% cd /home/scott/pubgrid/shared_with_brian
% attr -g writecap .
URI:DIR2:xxx...:yyy...
% attr -g readcap .
URI:DIR2-RO:xxx...:yyy...
% attr -g verifycap .
URI:DIR2-Verifier:xxx...:yyy...

FUSE has getxattr, and Tahoe-LAFS doesn't support storing extended
attributes, so the extended attribute namespace seems ripe for use for
this purpose (and perhaps other non-standard interface needs?).

> It also doesn't let you write programs that are restricted
> to interacting with just a subset of your filesystem, so all the usual
> Confused Deputy vulnerabilities are still around.

I'm not sure how you would do that currently that isn't completely
equivalent to mounting a dircap (and using traditional POSIX filesystem
security techniques) for that program.

-- 
Scott Dial
scott at scottdial.com
scodial at cs.indiana.edu

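To make the xattr proposal concrete, here is an added sketch (not Tahoe-LAFS code, and not from anyone in this thread) of what a FUSE layer's getxattr/listxattr would have to enforce: a node exposes the cap it was mounted with and any weaker caps derived from it under `user.writecap`, `user.readcap` and `user.verifycap`, and can never hand out a stronger cap than the mount holds. The `DirNode` class, the attribute names and the cap bodies are assumptions; the cap prefixes are the ones quoted above.

```python
import errno

# Tahoe-LAFS directory cap kinds, strongest authority first (prefixes as in the thread).
CAP_KINDS = (
    ("writecap", "URI:DIR2:"),
    ("readcap", "URI:DIR2-RO:"),
    ("verifycap", "URI:DIR2-Verifier:"),
)
RANK = {kind: i for i, (kind, _) in enumerate(CAP_KINDS)}  # lower rank = more authority
XATTR_NS = "user."  # `attr -g writecap .` reads the attribute user.writecap

# Constructed placeholder caps for the example; real caps carry real key material.
SAMPLE_WRITECAP = "URI:DIR2:wk_placeholder:fp_placeholder"
SAMPLE_READCAP = "URI:DIR2-RO:rk_placeholder:fp_placeholder"
SAMPLE_VERIFYCAP = "URI:DIR2-Verifier:si_placeholder:fp_placeholder"

def cap_kind(cap):
    """Classify a directory cap string by its URI prefix."""
    for kind, prefix in CAP_KINDS:
        if cap.startswith(prefix):
            return kind
    raise ValueError("not a Tahoe directory cap: %r" % (cap,))

class DirNode:
    """A mounted directory (hypothetical): the cap it was opened with plus the
    weaker caps the client derived from it. It refuses anything at least as
    strong as the mounted cap, so a read-only mount can never leak a writecap."""
    def __init__(self, held_cap, derived=()):
        self.caps = {cap_kind(held_cap): held_cap}
        held_rank = RANK[cap_kind(held_cap)]
        for cap in derived:
            kind = cap_kind(cap)
            if RANK[kind] <= held_rank:
                raise ValueError("%s is not weaker than the mounted cap" % kind)
            self.caps[kind] = cap

def getxattr(node, name):
    """getxattr handler: caps the node does not hold (unknown names, or caps
    stronger than the mount) look exactly like a missing attribute (ENODATA)."""
    if not name.startswith(XATTR_NS):
        raise OSError(errno.ENODATA, "no such attribute", name)
    cap = node.caps.get(name[len(XATTR_NS):])
    if cap is None:
        raise OSError(errno.ENODATA, "no such attribute", name)
    return cap.encode("ascii")

def listxattr(node):
    """listxattr handler: advertise only the caps this node actually holds."""
    return [XATTR_NS + kind for kind, _ in CAP_KINDS if kind in node.caps]
```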
