Re: [tor-talk] Tor Browser Linux_don't extract to root

On 04/12/2017 03:23 AM, Jonathan Marquardt wrote:
> Both methods (putting apps into global dirs vs. putting them into home dirs)
> have their own advantages and disadvantages.

Jonathan - thanks. Other than automatically updating, what are the advantages of installing to /home/user - or somewhere not root owned? The other main disadvantage is, it makes TBB program files easily accessible to malware, or anyone / thing w/ access to your machine, after the user logs on.

Yes - technically /home/user. There is a separate "/home" under System Files, but if there's only one user acct, then it contains the same folders as clicking /home/user. AFAIK, for single user acct setup, the only things under "/home" are user files & settings. Most accessible by the acct user w/o a PW.

No, I don't mean "ordinary, non-malicious stuff" D/L through TBB. TBB isn't 100% bulletproof - nor any other app. I mean malicious things that could slip by, even via zero days. Zero days - maybe unlikely. Other methods - apparently not terribly difficult.

That's why I said, "So anything that makes it past basic defenses of the browser, NoScript, etc. - would generally have r/w/x permissions on most TBB files in /home(/user)."
I assumed that was clear it implied malware, or malicious sites, or an adversary - say, trying to modify TBB program files, etc. Not ordinary websites, following the rules.

Again, IIUC, "malware" making it past browser & NoScript defenses and AV - if using one, has far easier access to TBB program files than apps installed to limited permissions directories. TBB files are less protected than a normal browser installed from repositories, or even installed manually to say, /opt. That's the part I don't understand - why TorProject seems to encourage lessening some of Linux security, rather than increasing it.

Perhaps if Tor Project doesn't want to set up a PPA (and guard, monitor it) - so TBB can auto-update, they should include a sort of "Tor / TBB file checker" - to monitor for changed files that shouldn't change, unless from updates. Seems logical to create a PPA. They could / should check signatures - automatically - when the updates / installs finish downloading from the PPA, before installing.
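
A sketch of the kind of file checker suggested in the message above, as an added example that is not part of the original post and not Tor Project code. It records a SHA-256 baseline of an install directory and reports files added, removed or modified since; the function names and the `ignore` list of subtrees expected to change are assumptions made for illustration.

```python
import hashlib
import json
import os
import sys


def build_manifest(root):
    """Map each file path (relative to root) to a SHA-256 digest or link target."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                # Record the target so a file swapped for a symlink is noticed.
                manifest[rel] = "symlink:" + os.readlink(path)
            elif os.path.isfile(path):
                digest = hashlib.sha256()
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current, ignore=()):
    """Compare two manifests; `ignore` lists subtrees expected to change."""
    def skipped(rel):
        return any(rel == p or rel.startswith(p.rstrip("/") + "/") for p in ignore)

    added = sorted(p for p in current if p not in baseline and not skipped(p))
    removed = sorted(p for p in baseline if p not in current and not skipped(p))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p] and not skipped(p))
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    # Usage: checker.py <install dir> <baseline.json> [ignored subtree ...]
    # The first run writes the baseline; later runs report differences.
    root, baseline_path, ignore = sys.argv[1], sys.argv[2], sys.argv[3:]
    current = build_manifest(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=1)
    else:
        with open(baseline_path) as fh:
            report = diff_manifests(json.load(fh), current, ignore)
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

A baseline kept in a location writable by the same user account can be rewritten by whatever modified the program files, so it belongs in a root-owned path or on read-only media, and it has to be regenerated after each legitimate update.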

