[tor-bugs] #10702 [arm]: arm tells users to "sudo -s debian-tor arm", which lets arm read tor's keys

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jan 22 22:39:50 UTC 2014


#10702: arm tells users to "sudo -s debian-tor arm", which lets arm read tor's keys
--------------------+------------------------
 Reporter:  arma    |          Owner:  atagar
     Type:  defect  |         Status:  new
 Priority:  normal  |      Milestone:
Component:  arm     |        Version:
 Keywords:          |  Actual Points:
Parent ID:          |         Points:
--------------------+------------------------
 in config/strings.cfg:
 {{{
 msg.setup.arm_is_running_as_root Arm is currently running with root
 permissions. This isn't a good idea, nor should it be necessary. Try
 starting arm with "sudo -u {tor_user} arm" instead.
 }}}

 Telling the user to run arm as the tor user exposes all of /var/lib/tor/
 to arm, which is probably more than needed and likely more than expected.

 At least on debian, the right answer is "sudo adduser $USER debian-tor"
 and then run arm as the normal user (after logout/login as needed). See
 #10700 for where this topic came up.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10702>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
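
Added example, not part of the ticket or of arm: a small Python model of POSIX permission checks that compares what a process can read when run as the tor user versus as a normal user who is a member of the debian-tor group. The uids, gids, modes and every path other than /var/lib/tor/ are constructed assumptions for illustration, not values from the ticket.

```python
import posixpath
import stat

TOR_UID, TOR_GID = 105, 112      # constructed ids standing in for debian-tor
USER_UID, USER_GID = 1000, 1000  # constructed ids for the normal user
D, F = stat.S_IFDIR, stat.S_IFREG

# path -> (mode, owner uid, group gid). Constructed listing; layout is assumed.
LISTING = {
    "/var/lib/tor": (D | 0o2700, TOR_UID, TOR_GID),
    "/var/lib/tor/keys": (D | 0o2700, TOR_UID, TOR_GID),
    "/var/lib/tor/keys/secret_id_key": (F | 0o600, TOR_UID, TOR_GID),
    "/run/tor": (D | 0o2750, TOR_UID, TOR_GID),
    "/run/tor/control.authcookie": (F | 0o640, TOR_UID, TOR_GID),
}

def _allowed(path, bit, uid, gids):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    mode, owner, group = LISTING[path]
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)

def can_read(path, uid, gids):
    """Read bit on the file plus search (x) bit on every listed ancestor."""
    parent = posixpath.dirname(path)
    while parent in LISTING:
        if not _allowed(parent, 0o1, uid, gids):
            return False
        parent = posixpath.dirname(parent)
    return _allowed(path, 0o4, uid, gids)

def readable_files(uid, gids):
    """Regular files in LISTING that this identity can open for reading."""
    return sorted(p for p, (mode, _, _) in LISTING.items()
                  if stat.S_ISREG(mode) and can_read(p, uid, gids))

if __name__ == "__main__":
    print("as tor user   :", readable_files(TOR_UID, {TOR_GID}))
    print("group member  :", readable_files(USER_UID, {USER_GID, TOR_GID}))
    print("unrelated user:", readable_files(USER_UID, {USER_GID}))
```

Under these assumed modes, group membership reaches only the group-readable control cookie, while running as the tor user also reaches the key material under /var/lib/tor/.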

