[tor-bugs] #3629 [arm]: Arm/Tor Deb Torrc Configuration

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Jul 23 01:12:54 UTC 2011 

#3629: Arm/Tor Deb Torrc Configuration
-------------------------+--------------------------------------------------
 Reporter:  atagar       |          Owner:  ioerror
     Type:  enhancement  |         Status:  new    
 Priority:  normal       |      Milestone:         
Component:  arm          |        Version:         
 Keywords:               |         Parent:         
   Points:               |   Actualpoints:         
-------------------------+--------------------------------------------------

Comment(by ioerror):

 That permission issue was Sebastian's point. I agree entirely. I'm
 surprised that install lets you install something unsafely without forcing
 it...

 I'd also add that there two main things to review here.

 The first is the Python program - is it safe to call with sudo or as root?
 If so, great; if not, I'd like to fix that. Does it properly exit if
 you're not in the right t group, regardless of if you're root or not? I
 believe so.

 The second is the C program that invokes the Python program. I believe it
 is a very simple setuid wrapper that has a very small attack surface. The
 OS that grants the setuid bit also ensures that it is only possible to
 execute the program if your user is in the right group. I believe this is
 actually safer than sudo but obviously at the cost of being less flexible.
 sudo does not have checking for group membership like this - it only
 checks an internal filter; the OS is consulted but not until after
 execve().

 Here's sudo from an Ubuntu system:
 {{{
 -rwsr-xr-x 2 root root 165K 2011-05-30 02:06 /usr/bin/sudo
 }}}

 Anyone can call that on the system and it's up to sudo to ensure that it's
 safe. As we know from the history of sudo, it's hasn't always done the job
 properly. It's a tough job, obviously.

 The python program contains similar internal checks but they're hard coded
 at install time to match the group that can call the program at all. This
 should prevent the python program from running if you're not supposed to
 run it and should be rather graceful in general.

 Thoughts?

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/3629#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list