A copy of the torrc.sample file has been put in the case directory.

-Wyllys

Wyllys Ingersoll wrote:
> Template Version: @(#)sac_nextcase 1.68 02/23/09 SMI
> This information is Copyright 2009 Sun Microsystems
> 1. Introduction
>     1.1. Project/Component Working Name:
>          Tor
>     1.2. Name of Document Author/Supplier:
>          Author: Wyllys Ingersoll
>     1.3  Date of This Document:
>          12 March, 2009
> 4. Technical Description
>
> Description
> -----------
> This case proposes to deliver packages containing the Tor project
> software. Tor (https://www.torproject.org) is software that lets
> one participate in a network of virtual tunnels that allow people
> and groups to improve their privacy and security on the internet.
> Tor provides the foundation for a range of applications that allow
> organizations and individuals to share information over public
> networks without compromising their privacy.
>
> See this page for more details: https://www.torproject.org/overview.html.en
>
> Notes:
> * Currently we are planning to deliver version 0.2.0.34
> * Tor uses only TCP streams and can be used by any application with SOCKS
>   support.
> * Tor does NOT support IPv6 yet
>   (https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#IPv6)
> * Tor uses OpenSSL for key generation and for encrypting the data
>   between relays. As it works fine with the OpenSSL currently in Solaris,
>   there are no plans to change it to use PKCS11 or KMF.
>
> Least Privilege/RBAC
> --------------------
> This project will deliver new authorizations to /etc/security/auth_attr
> for managing the SMF services for starting and stopping the relay server:
>     solaris.smf.value.tor:::Change tor value properties::
>     solaris.smf.manage.tor:::Manage tor service states::
>
> The following rights profile will be added to /etc/security/prof_attr:
>     Tor Administration::::auths=solaris.smf.manage.tor,solaris.smf.value.tor
>
> The following will be added to /etc/security/exec_attr:
>     Tor Administration:solaris:cmd:::/usr/bin/tor:uid=daemon,gid=daemon,privs=basic
>     Tor Administration:solaris:cmd:::/usr/bin/tor-gencert:uid=daemon,gid=daemon,privs=basic
>     Tor Administration:solaris:cmd:::/usr/bin/tor-resolve:uid=daemon,gid=daemon,privs=basic
>
> tor will run as uid/gid "daemon/daemon". It does not require special
> privileges, it does not listen on privileged ports or access privileged
> data or directories on the system.
>
> SMF
> ---
> This project will deliver an SMF manifest and script that will allow
> the tor relay daemon to be restarted via SMF. The SMF service will be:
>     svc:/application/security/tor:default (Tor Relay Daemon)
>
> Zones
> -----
> Tor can (and probably should) be run in a local zone with no restrictions
> other than the fact that it needs a working network interface. There
> is no technical reason why it would NOT work in a TX zone, though
> that configuration has not been tested.
>
> Auditing
> --------
> Tor does not make access control decisions and is not an administrative
> tool that requires BSM auditing.
>
> Configuration
> -------------
> Tor is an open source project and has an existing configuration system
> that relies on a text based configuration file. An example config file
> will be delivered in /etc/security/torrc.sample. We do not plan to put
> any of the Tor configuration settings into SMF because we do not want to
> deviate from the upstream provider if at all possible.
>
> The configuration file contains a long list of options for configuring
> the ports and interfaces that the relay will listen to as well as other
> details such as logging levels, configuring "hidden" services (see
> https://www.torproject.org/hidden-services.html.en for a detailed description
> of the hidden service protocol), and limiting the bandwidth that the relay
> will use.
>
> The sample configuration file must be manually edited by the administrator
> and copied to the /etc/security/torrc in order to be used. This forces
> the administrator to know and acknowledge the features that are being enabled
> rather than just blindly turning it on.
>
> The upstream Tor community is fairly active and releases updates several times
> each year. Making Solaris-specific changes (such as putting config options
> in an SMF profile) will make it harder to keep up with the community and resync
> with the current releases.
>
> Packing Modifications
> ---------------------
> SUNWtor         Tor software for userland
> SUNWtor-root    Tor software for Root filesystem
>
> Deliverables
> ------------
> /usr/bin/tor                    SFW     Uncommitted
> /usr/bin/tor-resolve            SFW     Uncommitted
> /usr/bin/tor-gencert            SFW     Uncommitted
>
> /etc/security/torrc.sample      SFW     Uncommitted
> /usr/share/tor/geoip            SFW     Uncommitted
>
> /usr/man/man1/tor.1             SFW     Uncommitted
> /usr/man/man1/tor-resolve.1     SFW     Uncommitted
> /usr/man/man1/tor-gencert.1     SFW     Uncommitted
>
> Details
> -------
> tor is the main daemon process that is started by the "tor" SMF profile.
>
> tor-resolve is a script to connect to a SOCKS proxy that knows about the
> SOCKS RESOLVE command, hand it a hostname, and return an IP address.
>
> tor-gencert generates certificates and private keys for use
> by Tor directory authorities running the v3 Tor directory
> protocol, as used by Tor 0.2.0 and later. If you are not
> running a directory authority, you don't need to use tor-gencert.
> tor-gencert generates 3 files that the user must then copy
> to the "keys" subdirectory (/var/lib/tor/keys) -
> "authority_identity_key",
> "authority_signing_key" and "authority_certificate".
>
> geoip is an ASCII based database of IP-to-Country name mappings. It is not
> intended to be edited by users.
>
>
> OpenSource
> ----------
> OSR Review: 9954  (approved - Tor version 0.2.0.30)
>             11364 (pending expedited review - Tor version 0.2.0.34)
>
> Tor Project: https://www.torproject.org
> Tor Wiki: https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ
>
>
> Release Taxonomy: Micro/Patch
>
> 6. Resources and Schedule
>     6.4. Steering Committee requested information
>          6.4.1. Consolidation C-team Name:
>                 SFW
>     6.5. ARC review type: FastTrack
>     6.6. ARC Exposure: open
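
A lint for the exec_attr entries in the Least Privilege/RBAC section above, as an added example that is not part of the original message or of the Tor packaging: it splits the attribute field on ';' as exec_attr(4) defines it, so it reports attributes joined with ',' (the form quoted in the case) as well as a root uid/gid or privileges beyond basic. The function names and the two comparison lines are constructed for illustration.

```python
import re

# Entries as quoted in the case text above.
CASE_ENTRIES = [
    "Tor Administration:solaris:cmd:::/usr/bin/tor:uid=daemon,gid=daemon,privs=basic",
    "Tor Administration:solaris:cmd:::/usr/bin/tor-gencert:uid=daemon,gid=daemon,privs=basic",
    "Tor Administration:solaris:cmd:::/usr/bin/tor-resolve:uid=daemon,gid=daemon,privs=basic",
]
# Constructed comparison lines (not from the case).
SEMICOLON_FORM = "Tor Administration:solaris:cmd:::/usr/bin/tor:uid=daemon;gid=daemon;privs=basic"
OVERPRIVILEGED = "Tor Administration:solaris:cmd:::/usr/bin/tor:uid=0;privs=basic,net_privaddr"

KEYWORDS = ("euid", "uid", "egid", "gid", "limitprivs", "privs")
JOINED_WITH_COMMA = re.compile(r",\s*(?:%s)=" % "|".join(KEYWORDS))


def parse_attrs(attr_field):
    """Split the attr field into key/value pairs on ';' per exec_attr(4)."""
    pairs = (p.partition("=") for p in attr_field.split(";") if p.strip())
    return {key.strip(): value.strip() for key, _, value in pairs}


def audit_exec_attr(line):
    """Return least-privilege findings for one exec_attr line."""
    fields = line.strip().split(":")
    if len(fields) != 7:  # name:policy:type:res1:res2:id:attr
        return ["expected 7 colon-separated fields, got %d" % len(fields)]
    path, findings = fields[5], []
    for key, value in parse_attrs(fields[6]).items():
        if key not in KEYWORDS:
            findings.append("%s: unknown attribute %r" % (path, key))
        elif JOINED_WITH_COMMA.search(value):
            # A keyword after a comma means the list was not split on ';'.
            findings.append("%s: attributes joined with ',' in %s=; use ';'" % (path, key))
        elif key in ("uid", "euid", "gid", "egid") and value in ("0", "root"):
            findings.append("%s: runs with %s=%s" % (path, key, value))
        elif key == "privs" and set(value.split(",")) - {"basic"}:
            findings.append("%s: privs grants more than basic: %s" % (path, value))
    return findings


if __name__ == "__main__":
    for entry in CASE_ENTRIES + [SEMICOLON_FORM, OVERPRIVILEGED]:
        print(entry.split(":")[5], audit_exec_attr(entry) or "ok")
```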