On Sun, 3 May 2015, Matthew Finkel wrote:
Assuming the path to their data dir is /var/lib/tor, we ask them to run:
Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
If you want to build a utility for this into the tor distribution, and make it obvious what it does, I think that's fine. If the site asked people to run "tor-request-tshirt" or more generically "tor-verify-ownership" and it asked for whatever required information, I'd think that'd be more obviously safe.
Or as Robert suggests, just send verification mail to the listed contact address of the relay. If they don't list one on their config, find an alternate verification mechanism like e-mailing whois contacts for the IP or domain name, or refuse the request.
-- Aaron