[tor-bugs] #15649 [general]: [feature suggestion] Tor control protocol should listen on privileged UNIX domain socket and allow an unauthenticated administration there

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 10 23:45:12 UTC 2015


#15649: [feature suggestion] Tor control protocol should listen on privileged UNIX
domain socket and allow an unauthenticated administration there
-----------------------------+-----------------
     Reporter:  yurivict271  |      Owner:
         Type:  enhancement  |     Status:  new
     Priority:  normal       |  Milestone:
    Component:  general      |    Version:
   Resolution:               |   Keywords:
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+-----------------

Comment (by yawning):

 I'm still firmly against having a control port instance running by
 default.  That should be something that the packager/system
 administrator/user decides, and explicitly enables because the control
 port can do really nasty things to the running tor instance.

 But I doubt I'll change your mind in this regard.

 Replying to [comment:7 yurivict271]:
 > So in short it should work this way:
 > * Same ControlPort protocol should be supported on the UNIX-domain
 > socket (suggested name /tmp/tor/ctrl.<pid>)
 > * This socket is always on, unlike 127.0.0.1:9100 which is optional
 > * This socket reads user credentials of the connected users, and waives
 > authentication for root. Otherwise authentication works the same.

 Why does root get a pass at authentication?

 Yes, root can get the credentials anyway fairly trivially, but that alone
 isn't sufficient reason to allow this.  If I'm running tor as the "tor"
 system user, or as myself, what business does "root" have at being able to
 trivially mess with my tor instance?

 This seems like an utterly terrible idea, because it's encouraging people
 to run things as root that have no business being run as root in the first
 place.  If something like this ever landed in tor and was enabled by
 default, the first thing I would do on all of my boxes is to patch my tor
 to remove it.

 > This modification would be great for tor integration with other systems,
 > particularly services.

 Because what I totally want on my box is running random services that need
 to be launched as "root" just so it can talk to my tor instance.

 Anyway, I'm done commenting on this ticket.  I think my opinions on this
 are fairly clear, though it's basically up to nickm.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/15649#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
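
The mechanism under discussion in this ticket (a UNIX-domain control socket that reads the connecting peer's credentials and decides whether the normal authentication step may be skipped), as an added example that is not part of the original message and is not tor's code. It assumes Linux `SO_PEERCRED`; the names `peer_credentials`, `auth_required` and `demo` are hypothetical, and the socket lives in a private temporary directory rather than the `/tmp/tor/ctrl.<pid>` path suggested in the ticket.

```python
import os
import shutil
import socket
import struct
import tempfile

# Linux struct ucred: pid_t pid, uid_t uid, gid_t gid (three 32-bit ints).
UCRED = struct.Struct("3i")


def peer_credentials(conn):
    """Return (pid, uid, gid) the kernel recorded for the peer at connect()."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    return UCRED.unpack(raw)


def auth_required(peer_uid, waived_uids):
    """True when the peer must still complete normal authentication."""
    return peer_uid not in waived_uids


def demo():
    """Connect to a local control-style socket and evaluate two policies."""
    sockdir = tempfile.mkdtemp(prefix="ctrl-demo-")  # created with mode 0700
    path = os.path.join(sockdir, "ctrl.sock")
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        server.bind(path)
        server.listen(1)
        client.connect(path)
        conn, _ = server.accept()
        with conn:
            pid, uid, _gid = peer_credentials(conn)
        return {
            "peer_pid": pid,
            "peer_uid": uid,
            # Policy from the quoted proposal: uid 0 skips authentication.
            "root_waiver": auth_required(uid, {0}),
            # No waiver at all: every peer authenticates, root included.
            "no_waiver": auth_required(uid, set()),
        }
    finally:
        client.close()
        server.close()
        shutil.rmtree(sockdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The credentials come from the kernel, not from anything the client sends, so the waiver set is the whole trust decision: whatever uid is listed there gets control access with no further check.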

