tahoe-lafs
/
trac-2024-07-25
2
0
Issues 1.1k Wiki

SFTP: semantics of writing an entry to an immutable file in a writeable directory #1063

New Issue
Closed
opened 2010-05-31 04:02:21 +00:00 by davidsarah · 2 comments
davidsarah commented 2010-05-31 04:02:21 +00:00
Owner
Copy Link

If we have a write cap to a Tahoe directory, or write permission to a Unix directory, we can always replace entries in that directory.

In Unix filesystems, there are also write permission bits on individual files. If the applicable write permission bit is not set on a file, then attempts to open the file for writing will fail with an EPERM error, even though the directory entry could be changed to refer to a different file.

(Note that, non-standard extensions aside, files/inodes in a Unix filesystem are mutable. If a file is hardlinked from two directory entries, the hardlinks are aliases to the same mutable file/inode object.)

The previous SFTP code did not support the case of a non-writeable file in a writeable directory. I.e. if the path passed to an open request with FXF_WRITE or FXF_CREAT flags refers to an immutable file at the time of the open, then the request will succeed, and the directory entry will be changed to refer to a new immutable file when the handle is closed.

This is also true for the new implementation as of ticket1037 r4377, but in addition we support opening mutable files. A read-only mutable file (that is, one whose entry in the parent directory is a read cap) cannot be opened for writing, even when the parent directory is writeable.

Zooko expressed concern on IRC that the ability to express non-writeable directory entries referring to mutable files, but not to immutable files, was inconsistent and might cause compatibility problems. (I hope I've expressed his concern correctly.)

I propose to address that by adding an optional "no-write" field in the metadata of directory entries. The default would be False. When this field is set to a non-empty string in an entry pointing to an immutable file, the write permission bits reflected to SFTP clients would have the 'write' bits cleared, and attempts to open the entry for writing would fail. (The field would have no effect on entries pointing to directories, unknowns, or mutable files.)

Note that the permissions reflected to SFTP clients always have 'owner', 'group' and 'world' bitfields the same. When the permissions are set by a client, the value of 'no-write' would be taken from the owner write bit.

Pros:

  • applications that rely on getting an EPERM error when opening a file for writing when the file 'write' permission is not set, will work correctly.
  • since files not created via SFTP, or files created via SFTP with 'owner' write permission, will be automatically replaced on write as they are now, there is little usability cost in the common case.
  • clearing the write bit might be useful to prevent accidental overwriting of a directory entry.

Cons:

  • the model is slightly more complicated (but no more so than POSIX/Unix).
  • the cleared write bit may appear to be a security restriction, but isn't.
  • the semantics are still not quite the same as POSIX/Unix. Unix file permissions are on inodes; Tahoe metadata is on directory entries. So for example, if a file is linked from two directory entries, in Unix a 'chmod' on that file via either path will affect attempts to open the file via the other path, whereas in Tahoe (via sshfs, say), only the specified directory entry would be changed. This is unlikely to make much difference in practice.
If we have a write cap to a Tahoe directory, or write permission to a Unix directory, we can always replace entries in that directory. In Unix filesystems, there are also write permission bits on individual files. If the applicable write permission bit is not set on a file, then attempts to open the file for writing will fail with an EPERM error, even though the directory entry could be changed to refer to a different file. (Note that, non-standard extensions aside, files/inodes in a Unix filesystem are mutable. If a file is hardlinked from two directory entries, the hardlinks are aliases to the same mutable file/inode object.) The previous SFTP code did not support the case of a non-writeable file in a writeable directory. I.e. if the path passed to an open request with FXF_WRITE or FXF_CREAT flags refers to an immutable file at the time of the open, then the request will succeed, and the directory entry will be changed to refer to a new immutable file when the handle is closed. This is also true for the new implementation as of [ticket1037 r4377](http://allmydata.org/trac/tahoe-lafs-ticket1037/browser/src/allmydata/frontends/sftpd.py?rev=4377), but in addition we support opening mutable files. A read-only mutable file (that is, one whose entry in the parent directory is a read cap) cannot be opened for writing, even when the parent directory is writeable. Zooko expressed concern on IRC that the ability to express non-writeable directory entries referring to mutable files, but not to immutable files, was inconsistent and might cause compatibility problems. (I hope I've expressed his concern correctly.) I propose to address that by adding an optional "`no-write`" field in the metadata of directory entries. The default would be False. When this field is set to a non-empty string in an entry pointing to an immutable file, the write permission bits reflected to SFTP clients would have the 'write' bits cleared, and attempts to open the entry for writing would fail. (The field would have no effect on entries pointing to directories, unknowns, or mutable files.) Note that the permissions reflected to SFTP clients always have 'owner', 'group' and 'world' bitfields the same. When the permissions are set by a client, the value of 'no-write' would be taken from the owner write bit. Pros: * applications that rely on getting an EPERM error when opening a file for writing when the file 'write' permission is not set, will work correctly. * since files not created via SFTP, or files created via SFTP with 'owner' write permission, will be automatically replaced on write as they are now, there is little usability cost in the common case. * clearing the write bit might be useful to prevent *accidental* overwriting of a directory entry. Cons: * the model is slightly more complicated (but no more so than POSIX/Unix). * the cleared write bit may appear to be a security restriction, but isn't. * the semantics are still not quite the same as POSIX/Unix. Unix file permissions are on inodes; Tahoe metadata is on directory entries. So for example, if a file is linked from two directory entries, in Unix a 'chmod' on that file via either path will affect attempts to open the file via the other path, whereas in Tahoe (via sshfs, say), only the specified directory entry would be changed. This is unlikely to make much difference in practice.
tahoe-lafs added the
code-frontend
major
defect
1.6.1
 labels 2010-05-31 04:02:21 +00:00
tahoe-lafs added this to the 1.7.0 milestone 2010-05-31 04:02:21 +00:00
davidsarah commented 2010-05-31 17:13:27 +00:00
Author
Owner
Copy Link

A closely related issue is what should happen when you clear the owner write bit on an entry pointing to a mutable file or mutable directory. This could diminish the write cap to a read cap. However, unlike the corresponding operation on Unix permissions (for the file owner), that would not be reversible -- it would not be possible to restore the write cap by changing the permissions back.

The advantage of this is that you would be able to use chmod to create read-only structures in the Tahoe filesystem. Without it, there is no way to create a read-only link to a mutable directory (or file) just using SFTP.

A closely related issue is what should happen when you clear the owner write bit on an entry pointing to a mutable file or mutable directory. This *could* diminish the write cap to a read cap. However, unlike the corresponding operation on Unix permissions (for the file owner), that would not be reversible -- it would not be possible to restore the write cap by changing the permissions back. The advantage of this is that you would be able to use `chmod` to create read-only structures in the Tahoe filesystem. Without it, there is no way to create a read-only link to a mutable directory (or file) just using SFTP.
zooko commented 2010-06-08 05:19:54 +00:00
Copy Link

fixed by changeset:de95140b7b58b4b0, changeset:29a06457d25bcea8, changeset:2a791b0d05b8bab4.

Hm, note that the part about diminishing a read-write cap to a read-only cap when the no-write flag is set is an actual security restriction.

fixed by changeset:de95140b7b58b4b0, changeset:29a06457d25bcea8, changeset:2a791b0d05b8bab4. Hm, note that the part about diminishing a read-write cap to a read-only cap when the no-write flag is set *is* an actual security restriction.
zooko added the
fixed
 label 2010-06-08 05:19:54 +00:00
zooko closed this issue 2010-06-08 05:19:54 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels   
0.2.0

   
0.3.0

   
0.4.0

   
0.5.0

   
0.5.1

   
0.6.0

   
0.6.1

   
0.7.0

   
0.8.0

   
0.9.0

   
1.0.0

   
1.1.0

   
1.10.0

   
1.10.1

   
1.10.2

   
1.10a2

   
1.11.0

   
1.12.0

   
1.12.1

   
1.13.0

   
1.14.0

   
1.15.0

   
1.15.1

   
1.2.0

   
1.3.0

   
1.4.1

   
1.5.0

   
1.6.0

   
1.6.1

   
1.7.0

   
1.7.1

   
1.7β

   
1.8.0

   
1.8.1

   
1.8.2

   
1.8.3

   
1.8β

   
1.9.0

   
1.9.0-s3branch

   
1.9.0a1

   
1.9.0a2

   
1.9.0b1

   
1.9.1

   
1.9.2

   
1.9.2a1

   
LeastAuthority.com automation

   
blocker

   
cannot reproduce

   
cloud-branch

   
code

catch-all for anything that can be fixed by writing code but isn't classified better

  
code-dirnodes

anything involving tahoe directories

  
code-encoding

immutable-file encoding format/layout, cap format, encoding/decoding algorithms

  
code-frontend

general frontend things: new user-facing interfaces, FTP/SFTP servers, FUSE-like interfaces

  
code-frontend-cli

CLI tools

  
code-frontend-ftp-sftp

   
code-frontend-magic-folder

   
code-frontend-web

webapi interfaces, user-facing "WUI" interfaces

  
code-mutable

anything involving mutable files: encoding/decoding, share format

  
code-network

Introducer, locating storage servers, establishing/maintaining connections to them

  
code-nodeadmin

node startup/shutdown, tools to create nodes, logging tools, management/monitoring tools, manhole, disk-space-limiting tools

  
code-peerselection

server selection/sorting algorithm, rebalancing code, allocation policy, swarming-download

  
code-storage

storage-server implementation, share-storage directory layout, client-to-server share transfer protocol

  
contrib

problems with non-core things that live in the source:contrib/ directory

  
critical

   
defect

   
dev-infrastructure

things that help us build Tahoe: buildbot, automated speed/memory/code-coverage tests and results-displayers, IRC channels, mailing lists, this Trac instance

  
documentation

docs items. Also use 'docs' keyword on tickets in more specific components.

  
duplicate

   
enhancement

   
fixed

   
invalid

   
major

   
minor

   
n/a

   
normal

   
operational

things involved in running a tahoe grid, external tools to monitor/maintain a grid (like "nodeadmin" but larger-scale). Was also used for issues with the allmydata.com grid.

  
packaging

setup.py script, library dependencies, binary packages, licensing, installation instructions

  
somebody else's problem

   
supercritical

   
task

   
trivial

   
unknown

Uncategorized. All tickets default to this component until someone updates it.

  
was already fixed

   
website

things about the tahoe-lafs.org website (and sometimes this Trac instance, shared with 'dev-infrastructure')

  
wontfix

   
worksforme
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
Milestone
Clear milestone
No items
No Milestone
1.7.0
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Reference: tahoe-lafs/trac-2024-07-25#1063
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?