[tbb-bugs] #24755 [Applications/Tor Browser]: Shell scripts refactoring and bash privacy leak. Heredoc should not be used in start-tor-browser script.
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Dec 28 14:46:22 UTC 2017
#24755: Shell scripts refactoring and bash privacy leak. Heredoc should not be used
in start-tor-browser script.
------------------------------------------+----------------------
Reporter: asan | Owner: tbb-team
Type: defect | Status: new
Priority: Low | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Minor | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------------------+----------------------
In most of shells (including bash) heredoc, i.e. `<<` and `<<<`, is
implemented through creation of temporary files in TMP. In the case of
bash these are the files like `/tmp/sh-thd-1234567890`. This can be
checked using the command [[https://unix.stackexchange.com/questions/21602
/shell-programming-avoiding-tempfiles|[1]]]
{{{
sleep 3 <<<"here string" & lsof -p $! | grep 0r
}}}
Furthermore, these TMP files may remain if, e.g., shell script crashes.
There were some complaints that these files are still accessible through
file descriptors even after removal [[http://gnu-bash.2382.n7.nabble.com
/bash-leaks-sh-np-NNN-files-and-pipes-in-tmp-when-command-substitution-is-
used-td12719.html|[2]]],
[[https://groups.google.com/forum/#!topic/gnu.bash.bug/qMjhPmg4OBw|[3]]].
Since TBB and similar applications are intended to be portable, they
should not leave traces outside of their portable directory. However, bash
commands in scripts like `start-tor-browser` may run when separate TMP for
TBB is not yet set, i.e. system TMP (/tmp), which is not always mounted in
memory, may be used. It means that traces (that TBB was used) will be
created outside of TBB directory. This is a minor leak in comparison to en
elephant [[https://trac.torproject.org/projects/tor/ticket/7449|7449]]
(yet unfixed), but it is still a leak.
In general, if TMP for TBB is created before the use of heredoc command in
script, it should be fine. However, as heredoc is potentially leaky and
dangerous thing, it should be avoided in secure scripts. One could use
simple `echo` command instead.
Now `start-tor-browser` has at least one `cat <<EOF`. AFAIK, tor-messenger
also has this problem. By the way, in this case writing `cat <<"EOF"`
(i.e. with quotation) is the safer alternative, as variables substitution
will not be done, and substituted text will be verbatim. Moreover, new
safer notation {{{$(command)}}} should be used instead of old-style
{{{`command`}}} in `start-tor-browser`.
There are also other things in this script, which are often considered to
be a bad practice. In particular,
1. Multiple characters variables should be always in braces
(`${show_output}` instead of `$show_output`).
1. Quotation `""` should be used everywhere and in all assignments.
1. `[[` and `]]`, as much safer alternative, should be used instead of
`[` and `]`.
I would refer to Google shell style guide
[[https://google.github.io/styleguide/shell.xml|[4]]] as a good starting
point to learn how to write secure shell scripts.
All these notes should be applied to all shell scripts within Tor Project.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24755>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list