What to do about dangerous FCP commands? Is it reasonable to have the user set a password? FCP is normally only accessible from localhost, but even so, any security breach ever anywhere and we will be held responsible for the rest of time.
Examples:

- FCP quit command.
- Changing config variables via FCP.
- Uploading from a file on disk. (Saves the transfer, saves significant disk space in the form of temp files)
- Downloading to a file on disk. (Lets us put most of the temporary data where it should be, on the destination device; also provides a simple and useful no-feedback-required download, and replicates 0.5 fproxy *and* frost/fuqid functionality)
- Arguably any FCP is dangerous as you can do timings to probe the cache and figure out what people have been browsing etc. Public FCP should not only be locked down, it should be on a node that nobody uses for anything else.

Especially with downloading a file to disk, there is a definite problem. Is it a big deal? On a well-configured multi-user system freenet will run as its own user and therefore will not be able to read or overwrite /etc/shadow (for example), even with a symlink attack...

IMHO downloading just to freenet-downloads would be unsatisfactory. If this is not writable by clients then they cannot remove files and we may as well download to internal temp files. And also, it means yet more dedicated space for Freenet itself rather than for My Collection Of Subversive Videos, which is bad.

What's best? An optional password, entered at install time, plus these are disabled from non-localhost, plus a config flag to disable completely?

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
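The three controls the message proposes (a configured password, loopback-only access for the dangerous commands, and a config flag that disables them outright), together with the download-to-disk path problem it raises, as an added example that is not Freenet's code and not part of the original thread. The command names, the `FcpConfig` fields and the `freenet-downloads` directory are assumptions made for illustration; the authorization function checks the flag first, then the peer address, then the password, and the path helper resolves symlinks before deciding whether a requested download destination stays inside the downloads directory.

```python
"""Added example (not Freenet's own code): an authorization gate for
FCP-style commands plus a confined download destination, modelled on the
controls proposed in the message. All names are illustrative assumptions."""
import hashlib
import hmac
import os
import tempfile
from dataclasses import dataclass, field
from ipaddress import ip_address
from pathlib import Path
from typing import Optional, Tuple

# Commands the message singles out as dangerous (assumed names).
DANGEROUS_COMMANDS = {
    "Shutdown",              # FCP quit
    "ModifyConfig",          # changing config variables
    "ClientPutDiskSource",   # uploading from a file on disk
    "ClientGetToDisk",       # downloading to a file on disk
}


@dataclass
class FcpConfig:
    allow_dangerous: bool = True                 # the "disable completely" flag
    password_hash: Optional[bytes] = None        # None = no password configured
    password_salt: bytes = field(default_factory=lambda: os.urandom(16))
    downloads_dir: Path = Path("/tmp/freenet-downloads")   # assumed location


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_config(password: Optional[str], allow_dangerous: bool = True,
                downloads_dir: Path = Path("/tmp/freenet-downloads")) -> FcpConfig:
    cfg = FcpConfig(allow_dangerous=allow_dangerous, downloads_dir=downloads_dir)
    if password is not None:
        cfg.password_hash = hash_password(password, cfg.password_salt)
    return cfg


def authorize(cfg: FcpConfig, command: str, peer_ip: str,
              password: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether a command from peer_ip may run. Safe commands always
    pass; dangerous ones need the flag, a loopback peer and the password."""
    if command not in DANGEROUS_COMMANDS:
        return True, "safe command"
    if not cfg.allow_dangerous:
        return False, "dangerous commands disabled by config"
    if not ip_address(peer_ip).is_loopback:
        return False, "dangerous commands only accepted from localhost"
    if cfg.password_hash is not None:
        if password is None:
            return False, "password required"
        supplied = hash_password(password, cfg.password_salt)
        if not hmac.compare_digest(supplied, cfg.password_hash):
            return False, "bad password"
    return True, "authorized"


def resolve_download_target(cfg: FcpConfig, requested: str) -> Path:
    """Confine a ClientGetToDisk destination to downloads_dir. Both sides are
    resolved first, so '..' segments, absolute paths and symlinks planted in
    the directory cannot redirect the write elsewhere."""
    root = cfg.downloads_dir.resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"refusing to write outside {root}: {target}")
    return target


def symlink_escape_rejected() -> bool:
    """Self-check for the symlink case from the message: a link inside the
    downloads directory pointing outside it must be refused."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = make_config(None, downloads_dir=Path(tmp) / "downloads")
        cfg.downloads_dir.mkdir()
        (cfg.downloads_dir / "shadow").symlink_to(Path(tmp) / "outside" / "shadow")
        try:
            resolve_download_target(cfg, "shadow")
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    cfg = make_config("s3cret")
    print(authorize(cfg, "ClientHello", "10.0.0.5"))
    print(authorize(cfg, "Shutdown", "10.0.0.5", "s3cret"))
    print(authorize(cfg, "Shutdown", "127.0.0.1", "s3cret"))
    print("symlink escape rejected:", symlink_escape_rejected())
```

The order of the checks matters for the policy the message sketches: the config flag is an operator decision that no client credential should override, so it is tested before the password, and the loopback test is done on the connection's peer address rather than on anything the client sends.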
