[tor-bugs] #3313 [Tor Client]: Security enhancement against malware for Tor

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sun Dec 18 18:57:50 UTC 2011 

#3313: Security enhancement against malware for Tor
----------------------------+-----------------------------------------------
    Reporter:  ioerror      |       Owner:  ioerror         
        Type:  enhancement  |      Status:  reopened        
    Priority:  blocker      |   Milestone:  Tor: unspecified
   Component:  Tor Client   |     Version:                  
  Resolution:               |    Keywords:                  
      Parent:               |      Points:                  
Actualpoints:               |  
----------------------------+-----------------------------------------------
Changes (by atagar):

  * priority:  normal => blocker


Comment:

 My two cents on this, btw, is that this is a major bug with this feature
 and DisableDebuggerAttachment should be disabled by default until it's
 fixed (probably by asking Ubuntu how their ptrace protections work). The
 arguments for breaking lsof and others on purpose has been...

 "< ioerror> atagar: my thought is that you should not be able to get that
 info unless tor gives it to you or you are root (which can sniff the
 network anyway)"

 Which I disagree with for a couple reasons...

 - Realistically we will not be investing the time to re-implement
 connection utilities. I made a proposal for getting this information from
 the control socket years back. It's collecting dust because I'm the only
 tor dev that cares about it, and C coding isn't the sort of thing I do for
 fun after a day of work. ;)

 In essence by saying "unless tor gives it to you" you're saying that
 controllers should never have this information which I strongly disagree
 with. If people have an issue with how I'm scrubbing the data then please
 file a ticket against arm. Otherwise, relay operators have a right to have
 some idea of the activity going on with their own systems.

 Also, this change does *not* prevent controllers from getting tor
 connection information, it only prevents controllers from differentiating
 tor connections from others that aren't associated with applications. In
 other words this change screws with arm, but not malware in this respect.

 - That leaves the "or you are root" and we do not want to start
 encouraging controllers to need root permissions. We already do this for
 writing to the Debian torrc which has been a pita (breaking SETCONF and
 leading to weeks of effort by Jake to make a setuid workaround). Most
 platform already restrict the connection information when your lack the
 permissions of the tor process, and this seems good enough for me.

 I'm flagging this as a blocker since I really don't want to see this make
 it out of alpha without being addressed.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3313#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list