[tor-dev] Control-port filtering: can it have a reasonable threat model?
Nick Mathewson
nickm at alum.mit.edu
Tue Apr 4 12:13:18 UTC 2017
On Mon, Apr 3, 2017 at 6:39 PM, dawuud <dawuud at riseup.net> wrote:
>
>
> It's worth noting that controllers able to run SETCONF can ask the tor
> process to execute arbitrary programs:
>
> man torrc | grep exec
>
> So if you want a controller to have any less privileges than the tor
> daemon does, you need a control port filter for SETCONF at the very
> least.
Yes, that is necessary. I question, however, whether it is sufficient.
> Without a control port filter, what is the threat model of the
> ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?
The same as with the rest of the control port: all authorized
controllers have full control over the Tor process.
(Not saying it's a _good_ threat model, but there it is.)
--
Nick
More information about the tor-dev
mailing list