[tor-relays] T-shirts and Confirming Relay Control

Matthew Finkel matthew.finkel at gmail.com
Sun May 3 20:20:57 UTC 2015


On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> On Sun, 3 May 2015, Matthew Finkel wrote:
> 
> >Assuming the path to their data dir is /var/lib/tor, we ask them to run:
> 
> Please don't get in the habit of asking relay operators through e-mail to
> run complex bash command lines as root.  As a security practice, this is
> terrible.  (How do you know the suggested command wasn't altered before it
> reached its recipient?)

Yes, this is terrible, and I really hate the idea of asking it. I signed
all my emails for the t-shirt requests, but now we're relying on
everyone fetching my key and verifying the mail - so, that's also a bad
assumption. I don't have a good solution. This is why I'm asking.

> 
> If you want to build a utility for this into the tor distribution, and make
> it obvious what it does, I think that's fine.  If the site asked people to
> run "tor-request-tshirt" or more generically "tor-verify-ownership" and it
> asked for whatever required information, I'd think that'd be more obviously
> safe.

Unfortunately, for something like that to work seamlessly, it would
need to be setuid or setgid. This may be a better way forward, but I
wonder what we can do now.

> 
> Or as Robert suggests, just send verification mail to the listed contact
> address of the relay.  If they don't list one on their config, find an
> alternate verification mechanism like e-mailing whois contacts for the IP or
> domain name, or refuse the request.

I'd prefer not denying them a t-shirt because they don't want to publish
an email address publicly, but using whois seems like a stretch and
usually ends at the hosting provider instead of the operator.

Thanks for the idea.

- Matt

