Re: [tor-bugs] #17743 [Torsocks]: [torsocks] Detect elevated capability executables

["Tor Bug Tracker & Wiki" <blackhole@xxxxxxxxxxxxxx>]

#17743: [torsocks] Detect elevated capability  executables
----------------------+--------------------------------
 Reporter:  shawnl    |          Owner:  dgoulet
     Type:  defect    |         Status:  needs_revision
 Priority:  Medium    |      Milestone:
Component:  Torsocks  |        Version:
 Severity:  Normal    |     Resolution:
 Keywords:            |  Actual Points:
Parent ID:            |         Points:
  Sponsor:            |
----------------------+--------------------------------
Changes (by teor):

 * status:  new => needs_revision
 * version:  Tor: unspecified =>


Comment:

 Code review:

 It looks like the patch passes $app_path to getcap before checking if it's
 the empty string. It should check "if [ -z $app_path ]; then" before
 calling getcap.

 Rather than hard-coding the path of getcap, why not locate it in the
 user's path using "which getcap"? (The script already does this for the
 command being torified ($1) at the top of the function.)

 This is a nitpick, but it's important for proper testing:

 Perhaps ping isn't a great example command here, as Tor is a TCP overlay
 network, and ping uses ICMP. (So torsocks could never work with ping, even
 if ping had no extra capabilities.)

 Can you give an example of a command with elevated privileges that uses
 TCP?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17743#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs