[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
From: Nick Mathewson <nickm@xxxxxxxxxxxx>
Date: Tue, 4 Apr 2017 08:13:18 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Tue, 04 Apr 2017 08:13:44 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to; bh=cSz7FvB2HRINBCZ1DEbYWFh9+umSaiHfG9/Mu/ibOzQ=; b=Se33JwzD9gdMZ7AXCAdyoaK53T5BmiST3huJQ6DGDEasEanXtPGMChoSJ0YurDxbKK diwt/RGMEAaW60VgFM1hWgzu36yvb7NrE4mXGTWiaQooeA5QWNyOCHcwxJ/kgXQydRC4 Wi99jOAfIeOlx2H0NCS0GIRRU/tKedKc6Yt6aXpILnChQLSWXaWvvkb4agpCGsSeFBP3 b9QijP4bt0uhCXW/+2fV7qqlGBjvXxjwu3wpVGoIdGaKmhU1TC9x3yt+fF/PADYk3WUM v9y3Tw50SPo2EIx91FChepRD2eAGXCvhyL6Et/hyxzVxPJtmQfqOual1i+vmjVbkEQjM lH7A==
In-reply-to: <20170403223914.GA14920@riseup.net>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuxh5pT8JyRFfuFi7xiOQs1_LacH60BmPkmrycfDp_piFA@mail.gmail.com> <20170403223914.GA14920@riseup.net>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

On Mon, Apr 3, 2017 at 6:39 PM, dawuud <dawuud@xxxxxxxxxx> wrote:
>
>
> It's worth noting that controllers able to run SETCONF can ask the tor
> process to execute arbitrary programs:
>
>     man torrc | grep exec
>
> So if you want a controller to have any less privileges than the tor
> daemon does, you need a control port filter for SETCONF at the very
> least.

Yes, that is necessary.  I question, however, whether it is sufficient.

> Without a control port filter, what is the threat model of the
> ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?

The same as with the rest of the control port: all authorized
controllers have full control over the Tor process.

(Not saying it's a _good_ threat model, but there it is.)

-- 
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Follow-Ups:
- Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: dawuud

References:
- [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: Nick Mathewson
- Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
  - From: dawuud

Prev by Author: [tor-dev] Tor 0.3.1 ticket triage: please do this today if you hack on Tor.
Next by Author: Re: [tor-dev] [prop269] [prop270] Ideas from Tor Meeting Discussion on Post-Quantum Crypto
Previous by thread: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
Next by thread: Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?
Index(es):
- Author
- Thread