embed security metadata in parent directory #956
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
4 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#956
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
#954 (revoke write authority), #955 (use client-side storage to defend against rollback attack) and not-yet-ticketed "LAFS 301 Moved Permanently" all involve a small fixed amount of metadata.
A "highest known version number" for a mutable file or directory, which according to #955 could be stored in a client to prevent that client from perceiving a rollback could also be stored in a parent directory which links to that mutable file or directory, thus preventing someone who accesses the file through that parent directory from seeing a rollback to a version earlier than the most recent known version when that child link was last updated.
A LAFS 301 Moved Permanently marker has to be stored in the shares with the file content itself, but it could also be copied into a parent directory that linked to that file, thus optimizing out a round trip to the old location and also preventing a rollback attack from undoing the Moved Permanently (from the perspective of someone accessing the file through that parent directory).
Likewise, a write-authority-revocation marker, a.k.a. a "petrification marker" has to live in the shares next to the file contents itself, but it could also be copied into a directory which links to that file, preventing rollback attack from unpetrifying the file (from the perspective of someone accessing the file through that parent directory).
#957 (embed security metadata in URL) is about the complementary feature of embedding this metadata in the URL itself.
Replying to zooko:
This can only be done when the client is writing to the directory anyway, since it might cause spurious UncoordinatedWriteErrors to perform directory writes that haven't been explicitly requested. Whenever we do write a directory, however, we can write the last-known-version for each of its children.
There is going to be a compatibility problem with doing this, since we don't (as far as I can see) have anywhere in the directory format to encode new fields that will be ignored by old clients. This will also be a problem with several other proposed features, including deep-verify caps as described in #308, and extensible directories suggested as part of #959.
Replying to [davidsarah]comment:2:
There is such a place -- the "metadata" associated with each link. That metadata can be supplied by the user through the wapi, but the special key
'tahoe'
cannot be written into by the user (any user-supplied keys in the'tahoe'
key are silently ignored); see [Adder.modify()]source:src/allmydata/dirnode.py?rev=4195#L78.Wouldn't a "last-known-version" update necessarily propagate all the way up to the rootcap? (since changing the metadata leading out of dirnodeA will update the contents of dirnodeA, so a new version, which needs to be updated in its parent, etc..). This might be a bit of a performance concern.
Also, the webapi code has thrown away the earlier dirnodes by the time it arrives at the terminal node (it only has the last parent and the target child). So we'd have to rejigger the webapi path-traversal code to keep a list of ancestor dirnodes or something to implement all-the-way-up-to-the-rootcap propagation.
Replying to warner:
Yes, if a client feels compelled to update all parent dirs that it knows point to a node once it has learned about a new highest-known-version for the node. But it could instead opportunistically update parent nodes only when it was going to write to them anyway. This is a trade-off between safety and performance, and I was imagining a design at the better-performane end of the trade-off, requiring no extra writes to parent nodes. If we keep the highest-known-version info persistently in the client (per #955) then there would sometimes be useful highest-known-version information available locally when we are about to write to a dirnode for other reasons.
Note that if you have #957 (embed security metadata in URL), then the opportunistic update form of this ticket becomes easy, because you can rewrite the URI of each child (assuming that the metadata is in the Tahoe URI proper, rather than a parameter to the webapi URL).
OTOH, writing it to the metadata (say as
tahoe:last_known_version
) of the directory entry would have better backward compatibility, since it wouldn't involve changing URI formats.Ticket retargeted after milestone closed (editing milestones)