[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-relays] T-shirts and Confirming Relay Control
On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to
run complex bash command lines as root. As a security practice, this is
terrible. (How do you know the suggested command wasn't altered before it
reached its recipient?)
If you want to build a utility for this into the tor distribution, and make
it obvious what it does, I think that's fine. If the site asked people to
run "tor-request-tshirt" or more generically "tor-verify-ownership" and it
asked for whatever required information, I'd think that'd be more obviously
safe.
Or as Robert suggests, just send verification mail to the listed contact
address of the relay. If they don't list one on their config, find an
alternate verification mechanism like e-mailing whois contacts for the IP or
domain name, or refuse the request.
-- Aaron
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays