On Thu, Nov 02, 2006 at 10:21:29PM +0100, bbackde at googlemail.com wrote:
> 1-3: great, a clear solution for the points I had!
>
> A GO from me :)
>
> Restricted file system access (by directory) would be nice to have and
> imho not too hard to implement.
It's not hard to implement a version that doesn't provide any actual
security in a lot of scenarios. I.e.:

Uploads and downloads are limited to downloads/
Each user has a subdir within downloads/ that they can read from, write
to, delete files in, etc. So can the node.

So all the Bad Guy has to do is this:

ln -s [ some file freenet has access to that i don't ] [ my download directory / some file ]

And then upload it.

I suppose this isn't really a threat, because Freenet should run as an
unprivileged user on a multi-user system; even if it isn't chrooted, it
should have less access than any average user. So we should support
download directory restrictions, even though there is some conceivable
risk from symlinks? Note that we cannot *overwrite* files in any case.

> Nice to have because the solutions you
> mention for this problem are really not a Windows user's daily job
> (even I do what all do: run as Administrator user and freenet +
> clients do run under my user as well *g*). Windows XP home does not
> have a user management or file system permissions at all (?)...

It has support for multiple accounts.

> So
> some easy dialog/option to set up a restricted file system access (e.g.
> as in the user interface of the filezilla ftp server) would be great.
> I mention the filezilla user interface because I do not know if you
> unix users know about such dialogs, I assume you edit some obscure
> config files with vi or emacs... ;)

Hah. That's why it's all web interface. Web interface is portable. :)

> > On 11/2/06, toad <toad at amphibian.dyndns.org> wrote:
> >How about the following?:
> >
> >1. Any FCP connection not from localhost is automatically set to
> >untrusted mode.
> >2. The user may set a flag indicating that all connections are
> >untrusted.
> >3. The user may create one or more username/password pairs for
> >authorized access. These are kept in a file readable only by the user
> >running the node:
> >username:password:keywords
> >
> >"keywords" contains a list of keywords (config, read-disk, write-disk,
> >etc).
> >
> >I have considered specific limitations on where in the local filesystem
> >files can be downloaded to / uploaded from. I'm not convinced that this
> >is Freenet's job; if you have untrusted local users (and maybe even if
> >you don't), you should run Freenet in a chroot. And if the attacker has
> >filesystem access, he can create symlinks etc (which java cannot deal
> >with). It is impossible for us to for example fork a subprocess which
> >then setuid's to the user in question. So I say we shouldn't get into
> >that, since we can't do it well.
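The symlink escape described above, and the check that would have caught it, as an added Python example. This is not Freenet code (Freenet is Java, and the point made in the thread is that the Java of the time could not see symlinks at all); the directory layout, the user name `alice`, the file names and the two check functions are all constructed for the demonstration. `naive_within` is what a "restrict to downloads/" feature amounts to if it compares path strings without resolving links; `resolved_within` resolves both sides with `os.path.realpath` before comparing.

```python
import os
import tempfile

# Constructed content for the out-of-tree file the node can read but the
# user cannot; only its length is checked below.
SECRET_CONTENT = "node-readable data the user should never see\n"


def naive_within(base, candidate):
    """Lexical prefix check only: the path string is normalised but no
    symlink is followed. This is the check that the ln -s attack defeats."""
    base = os.path.normpath(os.path.abspath(base))
    cand = os.path.normpath(os.path.abspath(candidate))
    return cand == base or cand.startswith(base + os.sep)


def resolved_within(base, candidate):
    """Resolve every symlink in both paths, then require the candidate to
    sit under the base. A link pointing outside downloads/ is rejected.
    Note: the check is still racy (the link can be replaced between this
    call and the later open()), which is why a chroot, not a path check,
    is the robust fix."""
    base = os.path.realpath(base)
    cand = os.path.realpath(candidate)
    return os.path.commonpath([base, cand]) == base


def build_scenario(root):
    """Constructed layout (hypothetical, not from the thread):
       root/secret.txt                 readable by the node, not the user
       root/downloads/alice/           alice's restricted directory
       root/downloads/alice/ok.txt     a legitimate file of alice's
       root/downloads/alice/loot  ->   ../../secret.txt   (the ln -s)
    Returns (downloads_dir, legit_file, symlink)."""
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write(SECRET_CONTENT)
    user_dir = os.path.join(root, "downloads", "alice")
    os.makedirs(user_dir)
    legit = os.path.join(user_dir, "ok.txt")
    with open(legit, "w") as f:
        f.write("alice's own file\n")
    link = os.path.join(user_dir, "loot")
    # Equivalent of: ln -s ../../secret.txt downloads/alice/loot
    os.symlink(os.path.join("..", "..", "secret.txt"), link)
    return os.path.join(root, "downloads"), legit, link


def run_demo():
    """Run both checks against the legitimate file and the escaping link.
    Returns a dict of verdicts plus the number of bytes the node would
    read (and upload) if it followed the link after the naive check."""
    with tempfile.TemporaryDirectory() as root:
        downloads, legit, link = build_scenario(root)
        with open(link, "rb") as f:
            leaked = len(f.read())
        return {
            "naive_accepts_legit": naive_within(downloads, legit),
            "resolved_accepts_legit": resolved_within(downloads, legit),
            "naive_accepts_link": naive_within(downloads, link),
            "resolved_accepts_link": resolved_within(downloads, link),
            "bytes_leaked_via_link": leaked,
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run it and the naive check accepts `loot` while the resolved check rejects it; both accept `ok.txt`, so the resolved check is not simply refusing everything. Even `resolved_within` only narrows the window: a user who can replace the link between the check and the node's `open()` still wins, which is the race that makes the chroot conclusion in the thread the right one.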
