On Sun, May 03, 2015 at 12:05:49PM -0700, Aaron Hopkins wrote:
> On Sun, 3 May 2015, Matthew Finkel wrote:
>
> > Assuming the path to their data dir is /var/lib/tor, we ask them to run:
>
> Please don't get in the habit of asking relay operators through e-mail to
> run complex bash command lines as root. As a security practice, this is
> terrible. (How do you know the suggested command wasn't altered before it
> reached its recipient?)

Yes, this is terrible, and I really hate the idea of asking it. I signed all
my emails for the t-shirt requests, but now we're relying on everyone fetching
my key and verifying the mail - so, that's also a bad assumption. I don't have
a good solution. This is why I'm asking.

> If you want to build a utility for this into the tor distribution, and make
> it obvious what it does, I think that's fine. If the site asked people to
> run "tor-request-tshirt" or more generically "tor-verify-ownership" and it
> asked for whatever required information, I'd think that'd be more obviously
> safe.

Unfortunately, for something like that to work seamlessly, it would need to be
setuid or setgid. This may be a better way forward, but I wonder what we can do
now.

> Or as Robert suggests, just send verification mail to the listed contact
> address of the relay. If they don't list one on their config, find an
> alternate verification mechanism like e-mailing whois contacts for the IP or
> domain name, or refuse the request.

I'd prefer not denying them a t-shirt because they don't want to publish an
email address publicly, but using whois seems like a stretch and usually ends
at the hosting provider instead of the operator.

Thanks for the idea.

- Matt

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
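The contact-address verification discussed in the thread (mail the relay's listed ContactInfo and have the operator send something back), sketched as an added example that is not code from this thread or from the Tor project: the verifier keeps a server-side secret and issues an HMAC token bound to the relay fingerprint, the contact mailbox and an expiry; only someone who can read that mailbox can return a token that verifies. The descriptor snippet, the fingerprint, the contact address, the secret and the one-week lifetime are all constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a secret held only by the verification
# service. In a real deployment it would be loaded from protected storage.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 7 * 24 * 3600  # assumed lifetime: tokens expire after a week

# Constructed relay descriptor fragment; only the "contact" line matters here.
SAMPLE_FINGERPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_DESCRIPTOR = """router ExampleRelay 203.0.113.10 9001 0 0
fingerprint 0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567
contact Example Operator <operator@example.org>
"""


def contact_from_descriptor(descriptor: str):
    """Return the relay's ContactInfo line, or None if the operator set none.

    A missing line is exactly the case the thread discusses: no address to
    mail, so some other verification path (or a refusal) is needed.
    """
    for line in descriptor.splitlines():
        if line.startswith("contact "):
            return line[len("contact "):].strip()
    return None


def _mac(fingerprint: str, contact: str, expiry: int, secret: bytes) -> bytes:
    # Bind the token to relay, mailbox and expiry so that a token issued for
    # one relay/contact pair cannot be replayed for another or after expiry.
    msg = f"{fingerprint.upper()}|{contact.lower()}|{expiry}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_token(fingerprint: str, contact: str, now=None,
                secret: bytes = SERVER_SECRET) -> str:
    """Create the token that gets mailed to the listed contact address."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + TOKEN_TTL
    mac = _mac(fingerprint, contact, expiry, secret)
    # The expiry travels in the clear; the MAC covers it, so it cannot be
    # extended without the server secret.
    return f"{expiry}.{base64.urlsafe_b64encode(mac).decode()}"


def verify_token(fingerprint: str, contact: str, token: str, now=None,
                 secret: bytes = SERVER_SECRET) -> bool:
    """Check a token the operator sent back; any malformed input is a reject."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry_str, mac_b64 = token.split(".", 1)
        expiry = int(expiry_str)
        mac = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return False
    if now > expiry:
        return False
    expected = _mac(fingerprint, contact, expiry, secret)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(mac, expected)


def verification_mail(fingerprint: str, contact: str, token: str) -> str:
    """Body of the mail sent to the contact address; nothing to execute."""
    return (
        f"To: {contact}\n"
        f"Subject: Tor relay ownership check for {fingerprint}\n\n"
        "If you operate this relay, reply with the line below. "
        "No command needs to be run on the relay.\n\n"
        f"verification-token: {token}\n"
    )


if __name__ == "__main__":
    contact = contact_from_descriptor(SAMPLE_DESCRIPTOR)
    token = issue_token(SAMPLE_FINGERPRINT, contact)
    print(verification_mail(SAMPLE_FINGERPRINT, contact, token))
    print("verifies:", verify_token(SAMPLE_FINGERPRINT, contact, token))
```

The point of binding the fingerprint into the MAC is that the operator never has to touch the relay host at all: proving control of the mailbox listed in the descriptor is the whole check, which is what makes it safer than an e-mailed root command line.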