[tor-dev] Control-port filtering: can it have a reasonable threat model?

Nick Mathewson nickm at alum.mit.edu
Tue Apr 4 12:13:18 UTC 2017

On Mon, Apr 3, 2017 at 6:39 PM, dawuud <dawuud at riseup.net> wrote:
> It's worth noting that controllers able to run SETCONF can ask the tor
> process to execute arbitrary programs:
>     man torrc | grep exec
> So if you want a controller to have any less privileges than the tor
> daemon does, you need a control port filter for SETCONF at the very
> least.

Yes, that is necessary.  I question, however, whether it is sufficient.

> Without a control port filter, what is the threat model of the
> ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?

The same as with the rest of the control port: all authorized
controllers have full control over the Tor process.

(Not saying it's a _good_ threat model, but there it is.)


More information about the tor-dev mailing list