This occurred to me this morning and I *think* it might be useful. The dirty truth is that for the foreseeable future many users will continue to leave authentication disabled in the interests of just getting things working, no matter how hard controllers try to force it down their throats and no matter how hard tor chides them for not enabling it. While we're all still 'getting there', controllers could have the option of locking the control port if no auth mechanism is enabled, and even when it is. Given that users tend not to share installations and most run their controller concurrently with tor at all times this would be a useful fallback measure. Patch below. Seems to work fine, though haven't tested it to death. Index: src/or/control.c =================================================================== --- src/or/control.c (revision 11907) +++ src/or/control.c (working copy) @@ -75,6 +75,8 @@ static int authentication_cookie_is_set = 0; static char authentication_cookie[AUTHENTICATION_COOKIE_LEN]; +static int controlport_locked = 0; + #define SHORT_NAMES 1 #define LONG_NAMES 2 #define ALL_NAMES (SHORT_NAMES|LONG_NAMES) @@ -2553,6 +2555,13 @@ tor_assert(conn->_base.state == CONTROL_CONN_STATE_OPEN || conn->_base.state == CONTROL_CONN_STATE_NEEDAUTH); + if (conn->_base.state == CONTROL_CONN_STATE_NEEDAUTH && + controlport_locked) { + connection_write_str_to_buf("514 Control Port Locked by Other User.\r\n", conn); + connection_mark_for_close(TO_CONN(conn)); + return 0; + } + if (!conn->incoming_cmd) { conn->incoming_cmd = tor_malloc(1024); conn->incoming_cmd_len = 1024; @@ -2640,6 +2649,7 @@ /* Quit is always valid. */ if (!strcasecmp(conn->incoming_cmd, "QUIT")) { + controlport_locked = 0; connection_write_str_to_buf("250 closing connection\r\n", conn); connection_mark_for_close(TO_CONN(conn)); return 0; 
@@ -2711,6 +2721,12 @@ } else if (!strcasecmp(conn->incoming_cmd, "PROTOCOLINFO")) { if (handle_control_protocolinfo(conn, data_len, args)) return -1; + } else if (!strcasecmp(conn->incoming_cmd, "LOCK")) { + controlport_locked = 1; + connection_printf_to_buf(conn, "250 OK\r\n"); + } else if (!strcasecmp(conn->incoming_cmd, "UNLOCK")) { + controlport_locked = 0; + connection_printf_to_buf(conn, "250 OK\r\n"); } else { connection_printf_to_buf(conn, "510 Unrecognized command \"%s\"\r\n", conn->incoming_cmd); Index: doc/spec/control-spec.txt =================================================================== --- doc/spec/control-spec.txt (revision 11907) +++ doc/spec/control-spec.txt (working copy) @@ -813,6 +813,22 @@ [PROTOCOLINFO was not supported before Tor 0.2.0.5-alpha.] +3.22. LOCK/UNLOCK + + The syntax is: + "LOCK" CRLF + "UNLOCK" CRLF + + The server reply format is: + "250 OK" CRLF + + The "LOCK" command prevents anyone else from interacting with Tor through the + control port while the current session is open. Controllers should use this + command when Tor is not configured with an authentication mechanism by the user. + When this command is used other users will receive the message '514 Control Port + Locked by Other User' when they attempt to authenticate. + The "UNLOCK" command opens the control port to other users again. + 4. Replies Reply codes follow the same 3-character format as used by SMTP, with the
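Review bot: In the `@@ -2553,6 +2555,13 @@` hunk the lock is a bare global `controlport_locked` with no record of which connection set it, so nothing releases it when the locking controller goes away without sending QUIT (a crash or a dropped socket leaves every new control connection refused with the 514 reply until Tor is restarted). Suggest remembering the owning connection (for example a `static control_connection_t *` next to the flag) and clearing the lock in the control connection's close path as well as on QUIT. Note also that the check runs for any connection still in `CONTROL_CONN_STATE_NEEDAUTH`, so it refuses PROTOCOLINFO as well as AUTHENTICATE; if that is intended, the spec text should say so.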
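Review bot: In the `@@ -2640,6 +2649,7 @@` and `@@ -2711,6 +2721,12 @@` hunks any already-open session can clear the lock, not only the one that took it: `+ controlport_locked = 0;` under QUIT runs for whichever connection quits, UNLOCK is accepted from any authenticated connection, and LOCK answers `250 OK` even when another session already holds the lock, silently taking it over. Suggest comparing the requesting connection with the lock owner and returning an error reply when they differ, and checking the new `514 Control Port Locked by Other User.` reply against the reply-code list in section 4 of control-spec.txt so the code does not carry an existing meaning.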
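Review bot: The control-spec hunk (`@@ -813,6 +813,22 @@`) overstates what the code does: "prevents anyone else from interacting with Tor through the control port" only holds for connections that have not yet authenticated; sessions opened before LOCK keep full access. The section should also state that QUIT releases the lock (as the code does), what happens when the locking session disconnects without QUIT, and that with no authentication configured the port is open to any local process until the controller sends LOCK, so whichever client connects first wins and the controller itself can be locked out. Worth saying plainly that this is a fallback for the unauthenticated case, not a replacement for enabling cookie or password authentication.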