2008-06-10 23:24:25 +00:00
|
|
|
= Known Issues =
|
|
|
|
|
2008-12-30 07:52:26 +00:00
|
|
|
Below is a list of known issues in recent releases of Tahoe-LAFS, and how to
|
|
|
|
manage them. The current version of this file can be found at
|
2008-07-22 01:02:49 +00:00
|
|
|
|
|
|
|
http://allmydata.org/source/tahoe/trunk/docs/known_issues.txt
|
|
|
|
|
2008-12-30 07:52:26 +00:00
|
|
|
Older versions of this document describing issues in older versions of
|
|
|
|
Tahoe-LAFS can be found at
|
|
|
|
|
|
|
|
http://allmydata.org/source/tahoe/trunk/docs/historical/historical_known_issues.txt
|
2008-07-22 01:02:49 +00:00
|
|
|
|
|
|
|
== issues in Tahoe v1.2.0, released 2008-06-21 ==
|
|
|
|
|
2008-12-30 08:01:16 +00:00
|
|
|
=== issue 1: potential disclosure of a file through embedded
|
|
|
|
hyperlinks or JavaScript in that file ===
|
|
|
|
|
|
|
|
If there is a file stored on a Tahoe storage grid, and that file gets
|
|
|
|
downloaded and displayed in a web browser, then JavaScript or
|
|
|
|
hyperlinks within that file can leak the capability to that file to a
|
|
|
|
third party, which means that third party gets access to the file.
|
|
|
|
|
|
|
|
If there is JavaScript in the file, then it could deliberately leak
|
|
|
|
the capability to the file out to some remote listener.
|
|
|
|
|
|
|
|
If there are hyperlinks in the file, and they get followed, then
|
|
|
|
whichever server they point to receives the capability to the
|
|
|
|
file. Note that IMG tags are typically followed automatically by web
|
|
|
|
browsers, so being careful which hyperlinks you click on is not
|
|
|
|
sufficient to prevent this from happening.
|
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
|
|
|
For future versions of Tahoe, we are considering ways to close off
|
|
|
|
this leakage of authority while preserving ease of use -- the
|
|
|
|
discussion of this issue is ticket #127.
|
|
|
|
|
|
|
|
For the present, a good work-around is that if you want to store and
|
|
|
|
view a file on Tahoe and you want that file to remain private, then
|
|
|
|
remove from that file any hyperlinks pointing to other people's
|
|
|
|
servers and remove any JavaScript unless you are sure that the
|
|
|
|
JavaScript is not written to maliciously leak access.
|
|
|
|
|
|
|
|
|
2008-07-22 01:02:49 +00:00
|
|
|
=== issue 10: command-line arguments are leaked to other processes ===
|
|
|
|
|
|
|
|
Remember that command-line arguments are visible to other users
|
|
|
|
(through the 'ps' command, or the windows Process Explorer tool), so
|
|
|
|
if you are using a Tahoe node on a shared host, other users on that
|
|
|
|
host will be able to see (and capture) any directory caps that you set
|
|
|
|
up with the "tahoe add-alias" command.
|
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
|
|
|
Bypass add-alias and edit the NODEDIR/private/aliases file directly,
|
|
|
|
by adding a line like this:
|
|
|
|
|
|
|
|
fun: URI:DIR2:ovjy4yhylqlfoqg2vcze36dhde:4d4f47qko2xm5g7osgo2yyidi5m4muyo2vjjy53q4vjju2u55mfa
|
|
|
|
|
|
|
|
By entering the dircap through the editor, the command-line arguments are
|
|
|
|
bypassed, and other users will not be able to see them. Once you've added the
|
|
|
|
alias, no other secrets are passed through the command line, so this
|
|
|
|
vulnerability becomes less significant: they can still see your filenames and
|
|
|
|
other arguments you type there, but not the caps that Tahoe uses to permit
|
2008-12-30 07:52:26 +00:00
|
|
|
access to your files and directories. In Tahoe v1.3.0, there is a new
|
|
|
|
"tahoe create-aliase" command that does this for you.
|
2008-06-10 23:24:25 +00:00
|
|
|
|
|
|
|
|
2008-06-11 19:40:33 +00:00
|
|
|
== issues in Tahoe v1.1.0, released 2008-06-11 ==
|
2008-06-10 23:24:25 +00:00
|
|
|
|
2008-07-22 01:02:49 +00:00
|
|
|
=== issue 9: more than one file can match an immutable file cap ===
|
2008-07-21 17:21:01 +00:00
|
|
|
|
2008-12-30 08:01:16 +00:00
|
|
|
In Tahoe v1.0 and v1.1, a flaw in the cryptographic integrity check
|
2008-07-21 17:21:01 +00:00
|
|
|
makes it possible for the original uploader of an immutable file to
|
|
|
|
produce more than one immutable file matching the same capability, so
|
|
|
|
that different downloads using the same capability could result in
|
|
|
|
different files. This flaw can be exploited only by the original
|
|
|
|
uploader of an immutable file, which means that it is not a severe
|
2008-07-21 17:44:06 +00:00
|
|
|
vulnerability: you can still rely on the integrity check to make sure
|
2008-07-21 17:21:01 +00:00
|
|
|
that the file you download with a given capability is a file that the
|
2008-07-21 17:44:06 +00:00
|
|
|
original uploader intended. The only issue is that you can't assume
|
|
|
|
that every time you use the same capability to download a file you'll
|
|
|
|
get the same file.
|
2008-07-21 17:21:01 +00:00
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
2008-07-22 01:02:49 +00:00
|
|
|
This was fixed in Tahoe v1.2.0, released 2008-07-21, under ticket
|
2008-07-21 17:21:01 +00:00
|
|
|
#491. Upgrade to that release of Tahoe and then you can rely on the
|
|
|
|
property that there is only one file that you can download using a
|
2008-12-30 08:01:16 +00:00
|
|
|
given capability. If you are still using Tahoe v1.0 or v1.1, then
|
2008-07-21 17:21:01 +00:00
|
|
|
remember that the original uploader could produce multiple files that
|
|
|
|
match the same capability, so for example if someone gives you a
|
|
|
|
capability, and you use it to download a file, and you give that
|
|
|
|
capability to your friend, and he uses it to download a file, you and
|
|
|
|
your friend could get different files.
|
|
|
|
|
|
|
|
|
|
|
|
=== issue 8: server out of space when writing mutable file ===
|
2008-06-10 23:24:25 +00:00
|
|
|
|
2008-12-30 08:01:16 +00:00
|
|
|
If a v1.0 or v1.1 storage server runs out of disk space or is
|
2008-06-11 19:38:57 +00:00
|
|
|
otherwise unable to write to its local filesystem, then problems can
|
|
|
|
ensue. For immutable files, this will not lead to any problem (the
|
|
|
|
attempt to upload that share to that server will fail, the partially
|
|
|
|
uploaded share will be deleted from the storage server's "incoming
|
|
|
|
shares" directory, and the client will move on to using another
|
|
|
|
storage server instead).
|
2008-06-10 23:37:25 +00:00
|
|
|
|
|
|
|
If the write was an attempt to modify an existing mutable file,
|
|
|
|
however, a problem will result: when the attempt to write the new
|
2008-06-11 19:38:57 +00:00
|
|
|
share fails (e.g. due to insufficient disk space), then it will be
|
|
|
|
aborted and the old share will be left in place. If enough such old
|
|
|
|
shares are left, then a subsequent read may get those old shares and
|
|
|
|
see the file in its earlier state, which is a "rollback" failure.
|
|
|
|
With the default parameters (3-of-10), six old shares will be enough
|
|
|
|
to potentially lead to a rollback failure.
|
2008-06-10 23:24:25 +00:00
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
2008-06-10 23:37:25 +00:00
|
|
|
Make sure your Tahoe storage servers don't run out of disk space.
|
|
|
|
This means refusing storage requests before the disk fills up. There
|
|
|
|
are a couple of ways to do that with v1.1.
|
|
|
|
|
|
|
|
First, there is a configuration option named "sizelimit" which will
|
|
|
|
cause the storage server to do a "du" style recursive examination of
|
|
|
|
its directories at startup, and then if the sum of the size of files
|
|
|
|
found therein is greater than the "sizelimit" number, it will reject
|
|
|
|
requests by clients to write new immutable shares.
|
|
|
|
|
|
|
|
However, that can take a long time (something on the order of a minute
|
|
|
|
of examination of the filesystem for each 10 GB of data stored in the
|
|
|
|
Tahoe server), and the Tahoe server will be unavailable to clients
|
|
|
|
during that time.
|
|
|
|
|
|
|
|
Another option is to set the "readonly_storage" configuration option
|
|
|
|
on the storage server before startup. This will cause the storage
|
|
|
|
server to reject all requests to upload new immutable shares.
|
|
|
|
|
|
|
|
Note that neither of these configurations affect mutable shares: even
|
|
|
|
if sizelimit is configured and the storage server currently has
|
|
|
|
greater space used than allowed, or even if readonly_storage is
|
|
|
|
configured, servers will continue to accept new mutable shares and
|
|
|
|
will continue to accept requests to overwrite existing mutable shares.
|
|
|
|
|
|
|
|
Mutable files are typically used only for directories, and are usually
|
|
|
|
much smaller than immutable files, so if you use one of these
|
|
|
|
configurations to stop the influx of immutable files while there is
|
|
|
|
still sufficient disk space to receive an influx of (much smaller)
|
|
|
|
mutable files, you may be able to avoid the potential for "rollback"
|
|
|
|
failure.
|
2008-06-10 23:24:25 +00:00
|
|
|
|
|
|
|
A future version of Tahoe will include a fix for this issue. Here is
|
2008-06-10 23:37:25 +00:00
|
|
|
[http://allmydata.org/pipermail/tahoe-dev/2008-May/000630.html the
|
|
|
|
mailing list discussion] about how that future version will work.
|
2008-06-10 23:24:25 +00:00
|
|
|
|
|
|
|
|
2008-07-21 17:21:01 +00:00
|
|
|
=== issue 7: pyOpenSSL/Twisted defect causes false alarms in tests ===
|
2008-06-10 23:24:25 +00:00
|
|
|
|
2008-12-30 08:01:16 +00:00
|
|
|
The combination of Twisted v8.0 or Twisted v8.1 with pyOpenSSL v0.7
|
|
|
|
causes the Tahoe v1.1 unit tests to fail, even though the behavior of
|
|
|
|
Tahoe itself which is being tested is correct.
|
2008-06-10 23:24:25 +00:00
|
|
|
|
|
|
|
==== how to manage it ====
|
|
|
|
|
2008-12-30 08:01:16 +00:00
|
|
|
If you are using Twisted v8.0 or Twisted v8.1 and pyOpenSSL v0.7, then
|
|
|
|
please ignore ERROR "Reactor was unclean" in test_system and
|
|
|
|
test_introducer. Upgrading to a newer version of Twisted or pyOpenSSL
|
|
|
|
will cause those false alarms to stop happening (as will downgrading
|
|
|
|
to an older version of either of those packages).
|