On Mon, Apr 3, 2017 at 6:39 PM, dawuud <daw...@riseup.net> wrote:
>
> It's worth noting that controllers able to run SETCONF can ask the tor
> process to execute arbitrary programs:
>
> man torrc | grep exec
>
> So if you want a controller to have any less privileges than the tor
> daemon does, you need a control port filter for SETCONF at the very
> least.

Yes, that is necessary. I question, however, whether it is sufficient.

> Without a control port filter, what is the threat model of the
> ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?

The same as with the rest of the control port: all authorized controllers have full control over the Tor process. (Not saying it's a _good_ threat model, but there it is.)

--
Nick
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
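
Added example, not part of the original message and not code from the Tor project: a default-deny policy check for a control-port filter, which rejects SETCONF together with every other command that is not explicitly listed. The allowlist contents, the function names and the `510 Command filtered` reply text are assumptions for illustration.

```python
# Added example: default-deny policy for a Tor control-port filter.
# ALLOWED is an assumed policy; None means "any arguments", a set means
# "every argument must be one of these exact strings".
ALLOWED = {
    "AUTHENTICATE": None,
    "PROTOCOLINFO": None,
    "QUIT": None,
    "SIGNAL": {"NEWNYM"},
    "GETINFO": {"version", "status/bootstrap-phase"},
}

DENY_REPLY = "510 Command filtered\r\n"  # assumed reply text sent by the filter


def split_command(line):
    """Return (KEYWORD, [args]) for one control-protocol command line."""
    text = line.rstrip("\r\n")
    if text.startswith("+"):      # "+" introduces a multi-line command (e.g. +LOADCONF)
        text = text[1:]
    parts = text.split()
    if not parts:
        return "", []
    return parts[0].upper(), parts[1:]   # command keywords are case-insensitive


def is_allowed(line):
    """True only if the keyword is listed and all arguments are permitted."""
    keyword, args = split_command(line)
    if keyword not in ALLOWED:
        return False              # SETCONF, RESETCONF, LOADCONF, ... end up here
    permitted = ALLOWED[keyword]
    if permitted is None:
        return True
    # Arguments are matched exactly; anything unexpected fails closed.
    return bool(args) and all(arg in permitted for arg in args)


def filter_line(line):
    """Return (forward_to_tor, reply_to_client) for one client line."""
    if is_allowed(line):
        return True, None
    return False, DENY_REPLY


if __name__ == "__main__":
    # Constructed sample client lines, not captured traffic.
    for sample in ["GETINFO version\r\n", "setconf SocksPort=9150\r\n",
                   "+LOADCONF\r\n", "GETINFO version config-text\r\n"]:
        print(repr(sample), "->", filter_line(sample))
```
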