[tor-bugs] #6396 [Tor Bridge]: Reachability tests for obfuscated bridges

Tor Bug Tracker & Wiki torproject-admin at torproject.org
Sat Sep 15 07:11:53 UTC 2012


#6396: Reachability tests for obfuscated bridges
------------------------+---------------------------------------------------
 Reporter:  asn         |          Owner:                  
     Type:  task        |         Status:  new             
 Priority:  normal      |      Milestone:  Tor: unspecified
Component:  Tor Bridge  |        Version:                  
 Keywords:  pt          |         Parent:                  
   Points:              |   Actualpoints:                  
------------------------+---------------------------------------------------

Comment(by rransom):

 Replying to [comment:5 isis]:
 > Replying to [comment:4 rransom]:
 > > Does ‘OONI’ (I'm not sure what exactly that refers to) have a stated
 > > policy specifying which inputs to ooniprobe.py are allowed to be
 > > attacker-controlled, and which inputs must be received from a trusted
 > > source?
 >
 > OONI refers to ooniprobe, and all the other included code. We do not yet
 > have such a policy, though we should. It is my understanding that
 > ooniprobe.py should be able to be run by an unprivileged user, and
 > including something which allows arbitrary code execution obviously allows
 > a separate local privilege escalation exploit to be run, and then you know
 > the rest.

 Why would ooniprobe.py need to run all tests as root?

 > I could do a check that the SHA1 of the PT binary file is correct for
 > that architecture, but that seems extremely bulky and kludgy, and it
 > wouldn't scale well as new PTs are developed. I'm leaning towards just
 > commenting the PT test option out, with an explanation, so that people who
 > want to use it can just go in and uncomment it.

 A hash of the main executable of a pluggable transport is not sufficient
 -- it might load and run scripts (as Vidalia 0.3.x and Firefox do).

 > Do you have any ideas or suggestions?

 Don't make BridgeT setuid root.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/6396#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

