On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> On Sun, 3 May 2015, Matthew Finkel wrote:
>> Assuming the path to their data dir is /var/lib/tor, we ask them to run:
> Please don't get in the habit of asking relay operators through e-mail to run complex bash command lines as root. As a security practice, this is terrible. (How do you know the suggested command wasn't altered before it reached its recipient?)
Yes, this is terrible, and I really hate the idea of asking it. I signed all my emails for the t-shirt requests, but now we're relying on everyone fetching my key and verifying the mail - so, that's also a bad assumption. I don't have a good solution. This is why I'm asking.
> If you want to build a utility for this into the tor distribution, and make it obvious what it does, I think that's fine. If the site asked people to run "tor-request-tshirt" or more generically "tor-verify-ownership" and it asked for whatever required information, I'd think that'd be more obviously safe.
Unfortunately, for something like that to work seamlessly, it would need to be setuid or setgid. This may be a better way forward, but I wonder what we can do now.
> Or as Robert suggests, just send verification mail to the listed contact address of the relay. If they don't list one on their config, find an alternate verification mechanism like e-mailing whois contacts for the IP or domain name, or refuse the request.
I'd prefer not denying them a t-shirt because they don't want to publish an email address publicly, but using whois seems like a stretch and usually ends at the hosting provider instead of the operator.
Thanks for the idea.
- Matt