[tor-bugs] #5584 [Tor]: Raise awareness of safer logging

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 11 11:12:09 UTC 2013


#5584: Raise awareness of safer logging
------------------------------------------------------+---------------------
 Reporter:  bastik                                    |          Owner:                  
     Type:  enhancement                               |         Status:  new             
 Priority:  normal                                    |      Milestone:  Tor: unspecified
Component:  Tor                                       |        Version:  Tor: unspecified
 Keywords:  easy hack awareness of logging tor-relay  |         Parent:                  
   Points:                                            |   Actualpoints:                  
------------------------------------------------------+---------------------

Comment(by marek):

 I gave this bug a go, and added these lines to `main.c:tor_init()`:

 {{{
 +  if (get_options()->SafeLogging_ != SAFELOG_SCRUB_ALL) {
 +    log_warn(LD_GENERAL, "Your log may contain sensitive information -
 you "
 +            "disabled SafeLogging. Please log safely. Don't log unless it
 "
 +            "serves an important reason. Overwrite the log afterwards.");
 +  } else {
 +    log_info(LD_GENERAL, "Your log may contain sensitive information -
 you're "
 +            "logging above \"notice\". Please log safely. Don't log
 unless it "
 +            "serves an important reason. Overwrite the log afterwards.");
 +  }
 }}}
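
Review bot: The `else` branch tells the user they are "logging above notice", but nothing in the hunk checks the configured severity; the text is only true because a `log_info` line is dropped by any log set to notice or quieter. Say so in a comment above the `else`, or test the level explicitly. The first branch also fires for every value other than `SAFELOG_SCRUB_ALL`, so "you disabled SafeLogging" would be inaccurate for any setting that is neither fully on nor fully off; either reword the message or compare against the fully disabled value.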

 But there's a problem: this code must be run after
 `options_init_from_torrc`, we need `get_options()->SafeLogging_` to be
 initialized. It's okay for the first warning if logging level is <=
 notice.

 The second warning also requires config to be initialized - we want to
 write this message to an initialized log _file_, not only to the temporary
 stderr. But, if one actually sets logging level to debug, this message
 will disappear between many many other debug messages written during
 `options_init_from_torrc()`.

 In other words - we must write these messages after `options_init_*` as we
 want to write them to real log files, but if we do it after this call they
 will be too deep in the log file for anyone to read it.

 The alternative solution would be to put the latter message in
 `log.c:log_tor_version`:
 https://github.com/torproject/tor/blob/master/src/common/log.c#L215 But
 that's ugly, and `log_tor_version` is not always run - for example not in
 the case of writing to syslog. The ideal solution would be to have a dedicated
 callback in `main.c` or `config.c` that will be run from logging every
 time a new log is initialized and before the log gets spammed. This call
 could replace `log_tor_version`. That looks like a more significant change
 though.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/5584#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
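
The comment above proposes a callback that runs each time a new log is initialized, before other output reaches it. The following is an added sketch of that idea and is not code from the ticket or from Tor: the in-memory `struct sink`, `sink_open`, `safety_banner`, the severity enum and the shortened message strings are all hypothetical names constructed for illustration.

```c
/* Constructed sketch: every name here is hypothetical, none is Tor's API. */
#include <stdio.h>
#include <string.h>

enum sev { SEV_DEBUG, SEV_INFO, SEV_NOTICE, SEV_WARN }; /* lower = more verbose */

struct sink { char buf[512]; enum sev min_sev; };  /* in-memory stand-in for a log */
typedef void (*open_cb)(struct sink *s, int scrub_all);

/* Append msg as one line unless this sink's threshold filters it out. */
static void sink_write(struct sink *s, enum sev sev, const char *msg) {
  if (sev < s->min_sev) return;
  size_t used = strlen(s->buf);
  snprintf(s->buf + used, sizeof(s->buf) - used, "%s\n", msg);
}

/* The callback: decides per sink which awareness line, if any, to emit. */
static void safety_banner(struct sink *s, int scrub_all) {
  if (!scrub_all)
    sink_write(s, SEV_WARN, "SafeLogging is not scrubbing everything.");
  else if (s->min_sev < SEV_NOTICE)
    sink_write(s, SEV_INFO, "Logging above notice.");
}

/* Opening a sink runs the callback before any other writer can reach it. */
static void sink_open(struct sink *s, enum sev min_sev, int scrub_all, open_cb cb) {
  s->buf[0] = '\0';
  s->min_sev = min_sev;
  if (cb) cb(s, scrub_all);
}

/* Open a sink, flood it with debug lines as config parsing would, and
 * return its first line ("" when nothing passed the threshold). */
static const char *first_line_after_startup(enum sev min_sev, int scrub_all) {
  static struct sink s;
  sink_open(&s, min_sev, scrub_all, safety_banner);
  for (int i = 0; i < 5; i++)
    sink_write(&s, SEV_DEBUG, "debug: parsing option");
  s.buf[strcspn(s.buf, "\n")] = '\0';
  return s.buf;
}

int main(void) {
  printf("%s\n", first_line_after_startup(SEV_DEBUG, 1));
  return 0;
}
```

Because the banner is written inside `sink_open`, it is the first line of every sink that admits it, whatever volume of debug output follows.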

