On 2/2/2011 2:10 PM, Brian Warner wrote:
> On 2/1/11 5:36 PM, Greg Troxel wrote:
>> Removal of CLI and WUI, and using only FUSE. This is the aspect I'm
>> most in favor of.
>
> My problem with FUSE as the primary entry point is that it loses the
> whole least-authority model. The POSIX filesystem APIs don't expose
> things like retrieving a dircap for the subdirectory that you want to
> share with a friend, so the easiest thing to do is to share your whole
> rootcap with somebody, the equivalent of sharing passwords from the
> bad-old-days.
Why can't you use POSIX extended attributes for this feature?

  % mount-pubgrid
  % cd /home/scott/pubgrid/shared_with_brian
  % attr -g writecap .
  URI:DIR2:xxx...:yyy...
  % attr -g readcap .
  URI:DIR2-RO:xxx...:yyy...
  % attr -g verifycap .
  URI:DIR2-Verifier:xxx...:yyy...

FUSE has getxattr, and Tahoe-LAFS doesn't support storing extended
attributes, so the extended attribute namespace seems ripe for use for
this purpose (and perhaps other non-standard interface needs?).

> It also doesn't let you write programs that are restricted
> to interacting with just a subset of your filesystem, so all the usual
> Confused Deputy vulnerabilities are still around.

I'm not sure how you would do that currently that isn't completely
equivalent to mounting a dircap (and using traditional POSIX filesystem
security techniques) for that program.

-- 
Scott Dial
[email protected]
[email protected]

_______________________________________________
tahoe-dev mailing list
[email protected]
http://tahoe-lafs.org/cgi-bin/mailman/listinfo/tahoe-dev
