[tor-bugs] #23631 [Applications/Tor Browser]: Improve sudo need

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 25 09:40:18 UTC 2017

#23631: Improve sudo need
 Reporter:  tom                       |          Owner:  tbb-team
     Type:  enhancement               |         Status:  new
 Priority:  Low                       |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-rbm                   |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by boklm):

 Doing the build as root is probably not a good idea as everything is run
 as root. At least with a user account set up with passwordless sudo, only
 the commands that need to be run as root are run as root.

 It would be nice if it would be possible to do builds without giving full
 root access to the user, however it seems difficult to do in a way that
 really prevents the user from getting root access:
 - the suid program (or sudo passwordless program) cannot be controlled by
 the user, so it needs to be manually setup by an admin, and manually
 updated each time we need to change it
 - if the runc config.json file is controlled by the user, the user can
 change it in a way that makes it easy to escape the container as root, so
 the runc config.json needs to be setup and updated by an admin too
 - the user is controlling the commands we run as root inside the container
 to install dependencies, so they could for instance do thing such as
 creating a suid file inside the container and execute it outside the
 container to get a root shell. And there are probably many other
 techniques someone with a root shell inside a container could use to get a
 root shell outside the container. We can probably harden the container
 configuration to prevent some of them to work, but I think it would be a
 lot of work to try to fix them all. And maybe not possible if we want to
 give the container the `CAP_SYS_ADMIN` capability, which we need to do in
 some of the containers to be able to use debootstrap to create the base
 images, so maybe this part too would need to be done by the suid wrapper
 installed by the admin.

 Instead of doing our own suid program to start containers, we could use
 docker which can be configured to allow users in the docker group to run
 docker without using sudo. However docker has other problems (no support
 for i386 containers, no easy way to verify the image we downloaded, images
 not removed when we remove the tor-browser-build directory), and it
 doesn't really fix the problem as it has many options that can be used to
 create insecure containers: `--pid=host`, `--cap-add=[]`,
 `--privileged=true`, etc ...

 So I think it would be possible to do something that gives the impression
 that the user does not have full root access, but I'm not sure it is worth
 it if we can't effectively prevent the user from getting root access
 easily. I think requiring passwordless sudo at least makes it clear that
 the user can do anything on the machine.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23631#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list