[tor-dev] Control-port filtering: can it have a reasonable threat model?

dawuud dawuud at riseup.net
Sat Apr 8 13:45:21 UTC 2017


> Yes, that is necessary.  I question, however, whether it is sufficient.

Sufficient for what purpose?

It *is* sufficient for the purpose of preventing Subgraph sandboxed
applications from escaping their sandbox via the Tor control
port. Actually, one of the Subgraph guys figured this out and that's
why they wanted a Tor control port filter.

I can see how our intentions for this tool (roflcoptor) could have
been misleading since we never explicitly/publicly stated the above as
the motivation for tor control port filtration.

I think now that the other "Tor integrated Linux distributions" have more
or less caught up with Subgraph, I feel comfortable telling people how
easy it is to get tor to run arbitrary programs via the control port.

Looks like, as per usual, Yawning Angel did the exact correct thing and
made the Tor hardened browser bundle filter the control port to
disallow SETCONF. Further, he mentioned to me on IRC that the tor
process is also sandboxed, so yeah, that sounds thorough and proper.


cheers from Montreal!

David Stainton
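Editor's note: the message above describes the defensive measure (a control-port filter that denies SETCONF) without showing what such a filter looks like. The following is an added example, written for this page; it is not roflcoptor, not the Tor Browser filter, and not Tor project code. It implements a default-deny allowlist over the line-oriented Tor control protocol: a command passes only if its keyword is listed and its arguments satisfy the per-command check, so SETCONF, RESETCONF, LOADCONF and anything else unlisted are rejected by construction rather than by enumeration. The particular GETINFO keys and signals permitted are assumptions chosen for illustration; a real deployment would tune them to what the sandboxed application actually needs.

```python
"""Default-deny allowlist filter for Tor control-port commands (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed allowlists: what a sandboxed client is permitted to ask for.
# Everything not listed here is denied, which is what keeps
# configuration-changing commands such as SETCONF out.
ALLOWED_GETINFO_KEYS = frozenset({
    "version",
    "net/listeners/socks",
    "status/bootstrap-phase",
    "status/circuit-established",
})
ALLOWED_SIGNALS = frozenset({"NEWNYM", "HEARTBEAT"})


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _parse(line: str) -> Tuple[Optional[str], List[str], bool]:
    """Split one control-port line into (KEYWORD, args, is_multiline).

    The protocol is line-oriented: a keyword, space-separated arguments,
    CRLF.  A leading "+" marks a multi-line data command (e.g. +LOADCONF)
    whose body follows on subsequent lines up to a lone ".".
    """
    stripped = line.rstrip("\r\n")
    multiline = stripped.startswith("+")
    parts = stripped.lstrip("+").split()
    if not parts:
        return None, [], multiline
    return parts[0].upper(), parts[1:], multiline


def _no_args(keyword: str) -> Callable[[List[str]], Decision]:
    def check(args: List[str]) -> Decision:
        if args:
            return Decision(False, f"{keyword} takes no arguments here")
        return Decision(True, keyword)
    return check


def _any_args(keyword: str) -> Callable[[List[str]], Decision]:
    # Arguments are passed through unchanged (e.g. an AUTHENTICATE secret).
    return lambda args: Decision(True, keyword)


def _check_getinfo(args: List[str]) -> Decision:
    if not args:
        return Decision(False, "GETINFO requires at least one key")
    bad = [k for k in args if k not in ALLOWED_GETINFO_KEYS]
    if bad:
        return Decision(False, "GETINFO key(s) not permitted: " + ", ".join(bad))
    return Decision(True, "GETINFO " + " ".join(args))


def _check_signal(args: List[str]) -> Decision:
    if len(args) != 1 or args[0].upper() not in ALLOWED_SIGNALS:
        return Decision(False, "SIGNAL only permitted with: "
                        + ", ".join(sorted(ALLOWED_SIGNALS)))
    return Decision(True, "SIGNAL " + args[0].upper())


# The allowlist proper.  Absence from this table means "deny".
ALLOWED: Dict[str, Callable[[List[str]], Decision]] = {
    "PROTOCOLINFO": _any_args("PROTOCOLINFO"),
    "AUTHENTICATE": _any_args("AUTHENTICATE"),
    "GETINFO": _check_getinfo,
    "SIGNAL": _check_signal,
    "QUIT": _no_args("QUIT"),
}


def filter_command(line: str) -> Decision:
    """Decide whether one client->tor command line may be forwarded."""
    keyword, args, multiline = _parse(line)
    if keyword is None:
        return Decision(False, "empty command")
    if multiline:
        # Data commands carry an arbitrary body; none are needed by a
        # sandboxed client, so refuse them outright rather than parse the body.
        return Decision(False, f"multi-line data command +{keyword} not permitted")
    checker = ALLOWED.get(keyword)
    if checker is None:
        return Decision(False, f"{keyword} not in allowlist")
    return checker(args)


def filter_session(lines: List[str]) -> List[Tuple[str, Decision]]:
    """Run the filter over a whole client transcript, one decision per line."""
    return [(ln.rstrip("\r\n"), filter_command(ln)) for ln in lines]


if __name__ == "__main__":
    # Constructed sample session, not a capture from any real client.
    sample = [
        "PROTOCOLINFO 1\r\n",
        "AUTHENTICATE \"example-password\"\r\n",
        "GETINFO version\r\n",
        "SIGNAL NEWNYM\r\n",
        "SETCONF ControlPort=9051\r\n",   # denied: not in allowlist
        "+LOADCONF\r\n",                  # denied: data command
        "GETINFO config-file\r\n",        # denied: key not permitted
        "QUIT\r\n",
    ]
    for text, decision in filter_session(sample):
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {text!r:40} {decision.reason}")
```

Keyword matching is case-insensitive because tor accepts `setconf` as readily as `SETCONF`; a filter that compared exact strings would be trivially bypassed. Likewise, the "+" data-command form is refused as a class, since a body-carrying command is never something a sandboxed client needs.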


