[Pkg-anonymity-tools] Bug#797339: Bug#797339: torbrowser-launcher: assumes a hard-coded (and insecure) SOCKS port

Michael Gold michael at bitplane.org
Sat Oct 31 15:56:34 UTC 2015


Control: tag -1 + patch

Hi intrigeri, Micah,

On Sun, Aug 30, 2015 at 13:30:49 +0200, intrigeri wrote:
> Michael Gold wrote (29 Aug 2015 16:55:28 GMT) :
> > It is inappropriate to assume Tor is running on this port, as any local
> > user could be running a service there (Debian bug #797335), possibly to
> > interfere with torbrowser-launcher.
> 
> Note that torbrowser-launcher Depends: tor, so this is correct if, and
> only if, the system administrator has disabled the tor service, or
> configured it to not listen on the default SOCKS port.

This would also be true if another user had caused Tor to crash or shut
down.  Tor is full of assertions (enabled in release builds) that could
cause it to intentionally shut down, leaving its SOCKS port available to
others.

> > torbrowser-launcher should allow the user to select an alternate TCP or
> > Unix-domain SOCKS address, and shouldn't connect to an unprivileged one
> > without confirmation.
> 
> Given 1. the design goals of torbrowser-launcher (that is: working
> out-of-the-box for non-technical users, AIUI); 2. the current state of
> things as described above; and 3. the fact that in practice this is
> a problem only if the system administrator tweaked torrc in a way that
> ignores #2, I beg to disagree that this would be a good solution to
> the (real) problem we have here.

Here's a patch to add it to the --settings screen.  I'm not sure whether
it's meant to be accessible to non-technical users (the mirror selection
box suggests it's assuming some technical ability).  Maybe it could be
moved to a command line option if the GUI is inappropriate.

> Now, *if* the quick fix I'm suggesting above works (checking who
> opened the SOCKS port before connecting to it), then it could be an
> acceptable temporary fix for users who get torbrowser-launcher from
> their distro.

I'm not aware of any good way to do this.  getpeereid only works on Unix
sockets (according to the man page; plus, if the socket were in a system
directory it would be unnecessary).  IDENT (RFC 1413) is the standard
way to check for a TCP connection, but it's rarely available.

Parsing /proc/self/net/tcp would work on Linux but it's non-portable and
ugly.  It would need to be done after connecting to avoid a race.

-- Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: torbrowser-launcher--tor-addr.diff
Type: text/x-diff
Size: 2968 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-anonymity-tools/attachments/20151031/9cc5d074/attachment.diff>
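
The /proc/self/net/tcp check mentioned in the message above, sketched as an added example (not part of the original message or of torbrowser-launcher's code): after connecting, find the row for the far end of the connection and compare its owner UID with the one expected for Tor. The sample table, UID 108 and all function names are constructed for illustration; IPv4 on a little-endian Linux host is assumed.

```python
import socket
import struct

ESTABLISHED = "01"  # TCP state code as printed in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
# 0100007F:235A is 127.0.0.1:9050; uid 108 stands in for the system Tor user.
SAMPLE_TABLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   108        0 21001 1 0 100 0 0 10 0
   1: 0100007F:235A 0100007F:C350 01 00000000:00000000 00:00000000 00000000   108        0 21077 1 0 20 4 30 10 -1
   2: 0100007F:C350 0100007F:235A 01 00000000:00000000 00:00000000 00000000  1000        0 21076 1 0 20 4 30 10 -1
   3: 0100007F:235A 0100007F:C351 01 00000000:00000000 00:00000000 00000000     0        0 0 1 0 20 4 30 10 -1
"""

def decode_addr(field):
    """'0100007F:235A' -> ('127.0.0.1', 9050); little-endian host assumed."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def peer_owner_uid(table, local, peer):
    """UID owning the far end of our connection, or None if undetermined."""
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != ESTABLISHED:
            continue
        # The server's row is the mirror image of ours: its local address
        # is our peer, and its remote address is our local end.
        if decode_addr(f[1]) == peer and decode_addr(f[2]) == local:
            if f[9] == "0":
                # inode 0: the socket is not attached to any process yet,
                # so the uid column is not treated as an owner here.
                return None
            return int(f[7])
    return None

def socks_peer_is_trusted(sock, expected_uid, table=None):
    """Run on an already-connected socket, so the row cannot be swapped
    for another listener's between the check and the connect."""
    if table is None:
        with open("/proc/self/net/tcp") as fh:
            table = fh.read()
    uid = peer_owner_uid(table, sock.getsockname()[:2], sock.getpeername()[:2])
    return uid is not None and uid == expected_uid
```

A `None` result (no matching row, or a row with inode 0) is treated as untrusted rather than retried silently.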