[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] restricting output to the tor process, when using Tor browser

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] restricting output to the tor process, when using Tor browser
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Tue, 28 Jan 2020 17:09:00 -0700
Autocrypt: addr=mirimir@xxxxxxxxxx; prefer-encrypt=mutual; keydata= xsBNBFEN49cBCADWl1VZKYO8L+f/65G2nBWzh41VTAZDcJSxMWXrBSvpJzzLt6sJf0L0Rjmy W4VPxJMCm/32auRAp8Xx1iNmBpvYENSM1YJVWfk43tlSOY8CR3TVODMxWPhUu48Pb9OKSntz WHGwdZmOr14zF9vr4PaS9A6+Hyt9FPKuGcQFw7K8jK1Hpp5XgdY/DMHKeaJykJ8JH1HBTFTT OJdxIWu6cZ+spNaNfKdnNjk98hMPw69isVGzcm7b3lJUsjVnMSqnrtZ8CSIv1njyxJH7NB5n LzrE7EiXR37k+4Poc9/DeLSAKrq5N3ZMpX1EDOoXFa8lLVGWHBTwVN/tl7FLM0NmVuL5ABEB AAHNHG1pcmltaXIgPG1pcmltaXJAcmlzZXVwLm5ldD7CwIEEEwECACsCGyMGCwkIBwMCBhUI AgkKCwQWAgMBAh4BAheAAhkBBQJafNQ7BQkNMVdkAAoJEGINZVEXwuQ+5LoIAKyZQDkNqj+Y E26o1bdEQlmOLhhXev45euNCnaFrnbOyKLivHdF4vvXyWBTzJmCsoRxTJ0A3Zmwa3ZihbKaU FCAdRgspLfA+TGICVYOztB+faWV18k5OTCk7ZiBQ/mOMQA4p3RPOV+UCgdelvZRHrFdUgHro dho/FqZhRoPdsPPB08QBisDO7SfFMMe9U9EZ03n4f2TvMgaTjK/kZCopwgLj2nB11SnCYfWJ jxUFDs+VFObf/jSK8T0SX9O6p430NWZm30vutUVac9lfodMjBcJqTnFxmZrwQomlCYGvSqNw 4Xy5+/gBzv/flXHngQSU053smHRtrMlGK5OU1RSixDfOwE0EUQ3j1wEIAMDcexhcaIO5jpl+ SHM14zuBvF2QG61IpH4Lag6nQmSMTljizuJg2kLaLbfc69AxmjuL5obqYi5ywXn4kQKqiwfa OHvVlKn662/J5YgXuc8tRLyqvgb+hibtAnlhWAuusP0eoQQP6SAASRjtrb8RVapTzJXy2Snf PtkcdtkTLLLcyeGoDOkpPkspnnp8avvI9ayzhGFLg9qNWaIuBMudxT6oHK4rZH+Sv6km9viI /ziV6E8Z+PpvMsGdebeYBLQA7ueuTbyOGbDyProwvocrKynI/UM40VYS8bS1PjWtljUlj7Vx 8C/746hnfdge0m24jnaWfu5UDjwpsHzs/JXqklsAEQEAAcLAZQQYAQIADwIbDAUCWnzURgUJ DTFXbwAKCRBiDWVRF8LkPsCjCACNvnnmpcDwEbtXUFZD/+ewNlPfM9o0mIXgi7DIVR9MVCw/ u14+mJUlQny4jPRV+hv/erjbiqEcVPZ296J3I4kUvO4slI+ZyODsRQSzwMz6ihwC6nN1xove YSBzVKKQrV+FDHVk6dJVLtgPdewOR9ZAar7mEbCLTJZ/e5aVb+NrlC1jWx3V3mMGCKOsEHhu 97cu3AswlxhzqPjczTo3rjtcfxdjeGU6mIEEAlhUlVDdfbGLODIyCXrP39zYxYXFFpVcbGAu +cndl1AQkIXUiMoJuzTMU8TQ+zz8yLof9fB7Y8O8VbmZBPQqN2IiHPeGbfqZjk/uHjJQUayI +beL0kxL
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 28 Jan 2020 19:09:20 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1580256544; bh=PbS3/niE5vhGbJe69vevpZUVBi+aSSRiXVUaP9m1s+I=; h=Subject:To:References:From:Date:In-Reply-To:From; b=E19KaVykg8b68E+QOpatlh8NtHzWLbaWtOfM31D00dLdbXuJDTdNaL9EkeclGf1Ro l+eBm4f8fWH901hkZMRKnkR98yvJAG2L+hjhHc8apkLMYxXB92mSlkUYJGbbdmCljp WMVPwG76c7pEE0IEEiDhAs4+15TFgnVDXicBD95k=
In-reply-to: <20200128112134.qfwsaj24dljtulg7@mars-attacks.org>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: preference=signencrypt
References: <f6b65c60-fe86-cecc-99dd-0a216a981534@riseup.net> <20200128112134.qfwsaj24dljtulg7@mars-attacks.org>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>

On 01/28/2020 04:21 AM, Nicolas Vigier wrote:
> On Mon, 27 Jan 2020, Mirimir wrote:
> 
>> But, in a Debian VM running Tor browser, I found that the tor process is
>> running as the login user. And so iptables is totally useless.
>>
>> However, it's apparently easy to start Tor browser as its own user,
>> using Micah Lee's torbrowser-launcher.[0] Is that a prudent solution?
>>
>> 0)
>> https://medium.com/@jamesmacwhite/running-the-tor-browser-on-kali-linux-the-proper-way-d33a38b54e96
> 
> I think what is on this page does not solve your issue as they run both
> the browser and the tor daemon (started by the browser) as the same user.

Oh, right. So I could allow output by whatever uid-owner I created, and
block all other users. That would prevent random malware from bypassing
Tor. But it wouldn't prevent compromised Tor browser from doing it.

So somehow I just need to have the tor process run as a unique user.

I created a user tbtor as described in the post that I cited, and tried
tweaking the Tor browser torrc:

> User tbtor

But the tor process crashes. I'm guessing that this is breaking the
process of starting as root, and dropping capabilities. But I'm not
sure, and in any case don't know how to fix it.

> What you can do is run tor using the debian tor package, and configure
> Tor Browser to use the system tor daemon (instead of starting its own):
> https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsinganExistingTorProcess

I've read in Tor.SE that the Tor browser torrc is optimized. So using
tor with default torrc is less anonymous. I suppose that one could just
use the Tor browser torrc. But I guess that I'll play with it.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- [tor-talk] restricting output to the tor process, when using Tor browser
  - From: Mirimir
- Re: [tor-talk] restricting output to the tor process, when using Tor browser
  - From: Nicolas Vigier

Prev by Author: [tor-talk] restricting output to the tor process, when using Tor browser
Next by Author: [tor-talk] Tor 0.4.3.1-alpha is released!
Previous by thread: Re: [tor-talk] restricting output to the tor process, when using Tor browser
Next by thread: [tor-talk] Are "StrictNodes 1" actually strict?
Index(es):
- Author
- Thread