[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-bugs] #7956 [Tor]: Tor uses Roaming (remote) AppData, not Local
#7956: Tor uses Roaming (remote) AppData, not Local
-------------------------------------------+--------------------------------
Reporter: cypherpunks | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor | Version: Tor: unspecified
Keywords: AppData Roaming Local Windows | Parent:
Points: | Actualpoints:
-------------------------------------------+--------------------------------
[First tor-bug post, hope I got this right...]
The Windows tor.exe -- all current versions, standalone expert bundle and
TBB/etc bundles -- has outdated Windows Explorer COM interface code to get
the user's %APPDATA% location. This location can be local or roaming
(remote).
Remote data gives many more opportunities for adversaries to mess with Tor
Windows users, especially when they are using a domained enterprise.
The solution is below. Until this is fixed, Windows Tor users should never
use Tor on a Windows network.
The Windows version of Tor calls the Windows Explorer 'shell' special
folder COM APIs, to obtain the location for %APPDATA%. App data can be
local or roaming.
On my box, %USERPROFILE%\AppData\* has 3 directories where apps install
files, Local, LocalLow, and Roaming, where about 55% of the apps use
Local, 5% uses LocalLow, and 40% use Remote.
Tor uses Roaming ("%USERPROFILE%\AppData\Roaming\tor).
Roaming means that it gets remoted to other systems, which is probably a
bad thing for Tor user data. The point of Roaming profiles is to let user
data migrate to multiple boxes, and the remoting of that data happens with
SMBs. So, Remote user data might be sniffable over the network, hopefully
this is encrypted.
Depending on how enterprise is configured, Remote user data also
probably means replication/backups of that data in the domain
controller's Active Directory box. So the user's Tor data is available
over multiple SMB hosts, making things easier for attackers.
This bug was probably added to Tor in 0.2.1.11-alpha - 2009-01-20:
----snip----
- Add a new --enable-local-appdata configuration switch to change
the default location of the datadir on win32 from APPDATA to
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
entirely. Patch from coderman.
----snip----
Tor explicitly checks the location. in or/config.c's
get_windows_conf_root(), in it's use of the Windows Explorer COM APIs
SHGetSpecialFolderLocation() and SHGetPathFromIDList(), using this
definition of the APP_DATA flag:
----snip----
/* Find X:\documents and settings\username\application data\ .
* We would use SHGetSpecialFolder path, but that wasn't added
* until IE4.
*/
#ifdef ENABLE_LOCAL_APPDATA
#define APPDATA_PATH CSIDL_LOCAL_APPDATA
#else
#define APPDATA_PATH CSIDL_APPDATA
#endif
----snip----
First, this comment is wrong on many levels. It begins with "X:" (instead
of "C:") which would likely be remote, not local. It talks about IE4
which shipped aeons ago, maybe time to revisit this hesitation. And you
you *do* use this COM API, anyway.
I am pretty sure that it is the above definitions that're causing you to
install the Roaming data location on my Win7 box.
CSIDL_LOCAL_APPDATA == FOLDERID_LocalAppData
CSIDL_APPDATA == FOLDERID_RoamingAppData
I am not great at Autotools, but I don't believe anyone is setting
ENABLE_LOCAL_APPDATA, so the directive might be 0. It is defined/used in
config.ac and orconfig.h.in.
----snip----
/* Defined if we default to host local appdata paths on Windows */
#undef ENABLE_LOCAL_APPDATA
----snip----
I don't understand why this Windows-centric feature needs to be abstracted
with GNU/autotools in the first place. Can Erin's Mac OSX-based, MinGW
cross-compiled Autotools determine that I'm running WinXP or Win7, etc?
This abstraction, using legacy APIs, is probably why this bug has been
there since 2009.
Tor already abstracts this Windows-centric code into it's own function, it
would be clearer if you removed all the autotools absraction to the
Windows Special Folder COM API that Tor uses, IMO.
Also, this function doesn't check this return code, and assumes to be
true:
strlcpy(p,get_windows_conf_root(),MAX_PATH);
Also, in this Windows-centric error codepath, there is no warning to the
user, AFAICT:
if (!SUCCEEDED(result)) {
return NULL;
}
Also, elsewhere in get_windows_conf_root(), there are 2 comments, with
potentially-open questions. Here are updated comments stated more clearly.
Replace:
/* Convert the path from an "ID List" (whatever that is!) to a path. */
with:
/* Windows Explorer, aka 'Windows 'shell', uses IDLists to access various
things, including special folders. We need to convert this COM-based
explorer-centric array list to a Windows path. */
And replace:
/* Now we need to free the memory that the path-idl was stored in.
* In typical Windows fashion, we can't just call 'free()' on it. */
with:
/* Windows explorer special folders APIs are COM APIs, not Win32 or C
runtime library calls. To use special folders, we have to use the COM
memory mgmt APIs, to allocate, and now release that memory. Read the SDK
ShObj.h or MSDN for more info. */
Note also that you are using legacy, deprecated version of the Special
folders API, there have been revisions, apparently during Vista and Win7.
The newer API has more features than the one you're using, including the
local/roaming granularity. I think f you explicitly stick to local data, I
think you can stick with legacy APIs.
You can't just test this with one version of Windows, you'll need to test
with each version you are supporting.
More info:
http://msdn.microsoft.com/en-
us/library/windows/desktop/bb762181%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-
us/library/windows/desktop/dd378457%28v=vs.85%29.aspx
http://msdn.microsoft.com/en-
us/library/windows/desktop/bb762494%28v=vs.85%29.aspx
http://technet.microsoft.com/en-us/library/cc766489.aspx
http://msdn.microsoft.com/en-
us/library/windows/desktop/bb776779%28v=vs.85%29.aspx
http://www.blogtechnika.com/what-is-application-data-folder-in-windows-7/
http://superuser.com/questions/150012/what-is-the-difference-between-
local-and-roaming-folders
http://superuser.com/questions/21458/why-are-there-directories-called-
local-locallow-and-roaming-under-users-user
http://social.technet.microsoft.com/Forums/en/w7itprogeneral/thread/b4fd7ac2-8ad9-4a06-8c28-3f7993aa0272
http://blogs.technet.com/b/fdcc/archive/2009/07/08/fdcc-vista-application-
development-requirements.aspx
http://social.msdn.microsoft.com/Forums/en/windowsgeneraldevelopmentissues/thread/8fa38285-e4f5-43f9
-ab0b-8fe184d476f9
http://technet.microsoft.com/en-us/library/cc778976.aspx
Thanks,
Lee
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7956>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs