
Re: [tor-dev] Control-port filtering: can it have a reasonable threat model?



On Mon, Apr 3, 2017 at 6:39 PM, dawuud <dawuud@xxxxxxxxxx> wrote:
>
>
> It's worth noting that controllers able to run SETCONF can ask the tor
> process to execute arbitrary programs:
>
>     man torrc | grep exec
>
> So if you want a controller to have any less privileges than the tor
> daemon does, you need a control port filter for SETCONF at the very
> least.

Yes, that is necessary.  I question, however, whether it is sufficient.

> Without a control port filter, what is the threat model of the
> ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?

The same as with the rest of the control port: all authorized
controllers have full control over the Tor process.

(Not saying it's a _good_ threat model, but there it is.)

-- 
Nick
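As an added illustration (not code from this thread or from tor itself), here is the shape of the filter the exchange above calls for: a default-deny allowlist applied to each control-port line before it reaches tor. The allowed commands, the GETINFO key prefixes and the reuse of tor's 510 reply code are assumed policy choices; the point is that SETCONF, RESETCONF and LOADCONF are refused simply by being absent from the table, and that a refused multiline command is drained to its "." terminator so the next line is parsed from a clean boundary.

```python
"""Default-deny allowlist filter for tor control-port commands (assumed design)."""

# Commands a low-privilege controller may use, with optional argument limits.
# Anything absent from this table (SETCONF, RESETCONF, LOADCONF, SAVECONF,
# TAKEOWNERSHIP, ...) is refused, so the controller cannot rewrite the config.
ALLOWED = {
    "PROTOCOLINFO": None,                       # None: any arguments accepted
    "AUTHENTICATE": None,
    "QUIT": None,
    "SIGNAL": {"NEWNYM"},                       # a circuit reset only, never SHUTDOWN/HALT
    "GETINFO": {"version", "status/", "net/listeners/"},  # key prefixes (assumed policy)
}
REFUSED = b"510 Command filtered\r\n"  # 510 is tor's code for an unrecognized command


def filter_command(line: bytes):
    """Return (forward, reply). forward=True: pass the line to tor unchanged;
    otherwise `reply` is the response to send back to the controller instead."""
    text = line.decode("ascii", "replace").rstrip("\r\n")
    multiline = text.startswith("+")            # "+LOADCONF": body follows until "."
    tokens = text.lstrip("+").split()
    if not tokens or multiline:
        return False, REFUSED
    keyword, args = tokens[0].upper(), tokens[1:]   # keywords are case-insensitive
    if keyword not in ALLOWED:
        return False, REFUSED
    policy = ALLOWED[keyword]
    if policy is None:
        return True, None
    if keyword == "SIGNAL":
        ok = len(args) == 1 and args[0].upper() in policy
    else:  # GETINFO: every requested key must match one allowed prefix
        ok = bool(args) and all(any(a.startswith(p) for p in policy) for a in args)
    return (True, None) if ok else (False, REFUSED)


def filter_stream(lines):
    """Apply filter_command to raw lines from the controller, swallowing the
    body of a refused multiline command up to its "." terminator.
    Returns the list of lines forwarded to tor or replies sent back."""
    out, draining = [], False
    for line in lines:
        if draining:
            draining = line.rstrip(b"\r\n") != b"."
            continue
        forward, reply = filter_command(line)
        if not forward and line.startswith(b"+"):
            draining = True
        out.append(line if forward else reply)
    return out
```

Note that even with this in place every allowed command is still executed with tor's full privileges; the allowlist only narrows what the controller can ask for, which is why the filter is a necessary piece rather than a complete privilege boundary.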
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev