How about the following?

1. Any FCP connection not from localhost is automatically set to untrusted mode.
2. The user may set a flag indicating that all connections are untrusted.
3. The user may create one or more username/password pairs for authorized access. These are kept in a file readable only by the user running the node:

    username:password:keywords
"keywords" contains a list of keywords (config, read-disk, write-disk, etc.).

I have considered specific limitations on where in the local filesystem files can be downloaded to / uploaded from. I'm not convinced that this is Freenet's job; if you have untrusted local users (and maybe even if you don't), you should run Freenet in a chroot. And if the attacker has filesystem access, he can create symlinks etc. (which Java cannot deal with). It is impossible for us to, for example, fork a subprocess which then setuid's to the user in question. So I say we shouldn't get into that, since we can't do it well.
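The three rules above, worked through as an added example (this is not Freenet code and not from the mailing list): a parser for the proposed `username:password:keywords` file, a check that the file is readable only by its owner, and the access decision for one connection. The keyword set, the comma separator, and the assumption that a trusted localhost connection gets every keyword are mine.

```python
import hmac
import ipaddress
import os
import stat

# Keywords named in the proposal; the set and the comma separator are assumptions.
KNOWN_KEYWORDS = frozenset({"config", "read-disk", "write-disk"})


def parse_credentials(text):
    """Parse 'username:password:keywords' lines into {user: (password, keywords)}."""
    creds = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)  # password may not contain ':' in this scheme
        if len(parts) != 3:
            raise ValueError(f"malformed credential line: {raw!r}")
        user, password, kw = parts
        keywords = frozenset(k.strip() for k in kw.split(",") if k.strip())
        unknown = keywords - KNOWN_KEYWORDS
        if unknown:
            raise ValueError(f"unknown keywords for {user}: {sorted(unknown)}")
        creds[user] = (password, keywords)
    return creds


def owner_only(path):
    """True if the credentials file is not readable/writable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def granted_keywords(creds, peer_ip, all_untrusted, username=None, password=None):
    """Return the keywords an FCP connection may use under the three rules."""
    # Rule 2: the operator flag forces every connection into untrusted mode.
    # Rule 1: otherwise only loopback connections start trusted (assumed: all keywords).
    if not all_untrusted and ipaddress.ip_address(peer_ip).is_loopback:
        base = KNOWN_KEYWORDS
    else:
        base = frozenset()
    # Rule 3: a valid username/password adds exactly that user's keywords.
    if username in creds:
        stored_pw, keywords = creds[username]
        if hmac.compare_digest(stored_pw.encode(), (password or "").encode()):
            return base | keywords
    return base
```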