Commit d0ff87a7 authored by Tails developers's avatar Tails developers

Merge remote-tracking branch 'winterfairy/bugfix/torbutton-new-identity' into devel

parents 51bc0882 f5587ba1
#!/bin/sh
set -e
# Create the tor-controlport-filter user.
#
# We run tor-controlport-filter under this user,
# which belongs to the debian-tor group.
echo "creating the tor-controlport-filter user"
adduser --system --quiet --group --no-create-home tor-controlport-filter
adduser tor-controlport-filter debian-tor
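Review bot: The comment above the two `adduser` calls says the account belongs to debian-tor but not why, and that membership is the privilege that makes this service a trust boundary. Judging from the filter script added in this commit, which reads `/var/run/tor/control.authcookie` and connects to `/var/run/tor/control`, the group is presumably what grants access to both. I would say so here, e.g. `# debian-tor membership lets the filter read Tor's auth cookie and control socket, i.e. it holds full control-port access.` That also tells a later reader that nothing else should run under this account.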
......@@ -9,6 +9,7 @@ tails-reconfigure-kexec
tails-reconfigure-memlockd
tails-sdmem-on-media-removal
tails-set-wireless-devices-state
tor-controlport-filter
"
PATCHED_INITSCRIPTS="
......
......@@ -9,6 +9,13 @@ SOCKS5_SERVER=127.0.0.1:9050
TOR_SOCKS_HOST='127.0.0.1'
TOR_SOCKS_PORT='9151'
# Allow Torbutton access to the control port filter (for new identity).
# Setting a password is required, otherwise Torbutton attempts to
# read the authentication cookie file instead, which fails.
TOR_CONTROL_HOST='127.0.0.1'
TOR_CONTROL_PORT='9052'
TOR_CONTROL_PASSWD='passwd'
GIT_PROXY_COMMAND=/usr/local/bin/connect-socks
# Port that the monkeysphere validation agent listens on
......
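Review bot: `TOR_CONTROL_PASSWD='passwd'` reads like a credential, but the filter added in this commit answers `250 OK` to any `AUTHENTICATE` line without checking it. The value is therefore a placeholder, and access is actually gated by the firewall rule on port 9052. The comment should state that, for example `# The value is a dummy; tor-controlport-filter does not verify it.` Otherwise a later change that points these variables at the real ControlPort could carry the fixed string along as if it were a secret. The hunk shows only part of the file, so I cannot see how widely these variables are exported.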
......@@ -41,12 +41,16 @@ domain ip {
# White-list access to Tor's ControlPort
daddr 127.0.0.1 proto tcp dport 9051 {
mod owner uid-owner amnesia ACCEPT;
# Needed by a workaround in tordate (NM's 20-time.sh hook)
# for temporarily changing Tor's logging severity.
mod owner uid-owner root ACCEPT;
}
# White-list access to the Tor control port filter
daddr 127.0.0.1 proto tcp dport 9052 {
mod owner uid-owner amnesia ACCEPT;
}
# White-list access to Tor's TransPort
daddr 127.0.0.1 proto tcp dport 9040 {
mod owner uid-owner amnesia ACCEPT;
......
#! /bin/sh
### BEGIN INIT INFO
# Provides: tor-controlport-filter
# Required-Start: $remote_fs
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop:
# Short-Description: Tor control port filter proxy
# Description: Tor control port filter proxy
### END INIT INFO
case "$1" in
start)
start-stop-daemon \
--start \
--quiet \
--background \
--chuid tor-controlport-filter:tor-controlport-filter \
--exec /usr/local/sbin/tor-controlport-filter
;;
*)
echo "Usage: $0 start" >&2
exit 3
;;
esac
exit 0
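Review bot: The `start` branch launches the filter with `--background` but no pidfile, and the script offers no `stop` or `restart` action. Because the daemon is a Python script, `--exec` matching is likely to compare against the interpreter rather than `/usr/local/sbin/tor-controlport-filter`, so a repeated `start` may spawn a second copy that then fails at `bind`. Adding `--make-pidfile --pidfile <PIDFILE_PATH>` (placeholder path) would make the running-check reliable and give a `stop` action something to act on. A comment should also record that nothing restarts the filter if it exits, since the New Identity button depends on it.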
#!/usr/bin/python
# Tor control port filter proxy, only white-listing SIGNAL NEWNYM.
# This filter proxy should allow Torbutton to request a
# new Tor circuit, without exposing dangerous control requests
# like "GETINFO address" to applications running as a local user.
# If something goes wrong, an error code is returned, and
# Torbutton will display a warning dialog that New Identity failed.
# Only one application can talk through this filter proxy
# simultaneously. A malicious application that is running as a
# local user could use this to prevent other applications from
# doing NEWNYM. But it could just as well rewrite the
# TOR_CONTROL_PORT environment variable to itself or do something else.
import socket
import binascii
# Limit the length of a line, to prevent DoS attacks trying to
# crash this filter proxy by sending infinitely long lines.
MAX_LINESIZE = 128
class UnexpectedAnswer(Exception):
def __init__(self, msg):
self.msg = msg
def __str__(self):
return "[UnexpectedAnswer] " + self.msg
def do_newnym_real():
# Read authentication cookie
with open("/var/run/tor/control.authcookie", "rb") as f:
rawcookie = f.read(32)
hexcookie = binascii.hexlify(rawcookie)
# Connect to the real control port
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.settimeout(10.0)
sock.connect("/var/run/tor/control")
readh = sock.makefile("r")
writeh = sock.makefile("w")
# Authenticate
writeh.write("AUTHENTICATE " + hexcookie + "\n")
writeh.flush()
answer = readh.readline(MAX_LINESIZE)
if not answer.startswith("250"):
raise UnexpectedAnswer("AUTHENTICATE failed")
# Send the newnym signal
writeh.write("SIGNAL NEWNYM\n")
writeh.flush()
answer = readh.readline(MAX_LINESIZE)
if not answer.startswith("250"):
raise UnexpectedAnswer("SIGNAL NEWNYM failed")
# Close the connection
writeh.write("QUIT\n")
writeh.flush()
answer = readh.readline(MAX_LINESIZE)
if not answer.startswith("250"):
raise UnexpectedAnswer("QUIT failed")
sock.close()
def do_newnym():
# Catch innocent exceptions, will report error instead
try:
do_newnym_real()
print "Newnym went fine"
return True
except (IOError, UnexpectedAnswer) as e:
print "Warning: Couldn't perform newnym!"
print e
return False
def handle_connection(sock):
# Create file handles for the socket
readh = sock.makefile("r")
writeh = sock.makefile("w")
# Keep accepting commands
while True:
# Read in a newline terminated line
line = readh.readline(MAX_LINESIZE)
if not line: break
# Check what it is
if line.startswith("AUTHENTICATE"):
# Don't check authentication, since only
# safe commands are allowed
writeh.write("250 OK\n")
elif line.startswith("SIGNAL NEWNYM"):
# Perform a real SIGNAL NEWNYM (new Tor circuit)
if do_newnym():
writeh.write("250 OK\n")
else:
writeh.write("510 Newnym signal failed\n")
elif line.startswith("QUIT"):
# Quit session
writeh.write("250 Closing connection\n")
break
else:
# Everything else we ignore/block
writeh.write("510 Command filtered\n")
# Ensure the answer was written
writeh.flush()
# Ensure all data was written
writeh.flush()
def main():
# Listen on port 9052 (we cannot use 9051 as Tor uses that one)
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
server.bind(("127.0.0.1", 9052))
server.listen(4)
print "Tor control port filter started, listening on 9052"
# Accept and handle connections one after one,
# sessions are short enough that the added complexity of
# simultaneous connections are unnecessary (in absence of attacks)
while True:
clisock, cliaddr = server.accept()
try:
print "Accepted a connection"
handle_connection(clisock)
print "Connection closed"
except IOError:
print "Connection closed (IOError)"
clisock.close()
if __name__ == "__main__":
main()
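Review bot: In `main`, the accepted `clisock` never gets a timeout, while the upstream socket in `do_newnym_real` does (`sock.settimeout(10.0)`). Connections are handled strictly one at a time, so a single local client that connects and then stays silent keeps `handle_connection` blocked in `readline`, and New Identity stops working for everyone else. The header comment accepts that risk, but `clisock.settimeout(10.0)` right after `server.accept()` bounds it at almost no cost, and the existing `except IOError` should already cover the resulting `socket.timeout` on Python 2. I would also move `clisock.close()` into a `finally:` so the descriptor is released on every path, and do the same for `sock.close()` in `do_newnym_real`, which is skipped whenever `UnexpectedAnswer` is raised.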
......@@ -848,9 +848,12 @@ an attacker who controls it could simply ask Tor the public
IP through the `GETINFO address` command.
To prevent this, access to the Tor control port is only
granted to the vidalia user, who is running Vidalia.
A filtering proxy to the control port exists, so
Torbutton still can perform safe commands like `SIGNAL NEWNYM`.
- [[!tails_gitweb chroot_local-hooks/06-adduser_vidalia]]
- [[!tails_gitweb chroot_local-includes/usr/local/sbin/restart-vidalia]]
- [[!tails_gitweb chroot_local-includes/usr/local/sbin/tor-controlport-filter]]
- [[!tails_gitweb chroot_local-includes/etc/tor/torrc]]
### 3.6.3 DNS
......
......@@ -243,18 +243,6 @@ Touchpad configurations
synclient FingerLow=1;
synclient FingerHigh=1;
New Identity feature
--------------------
Since Tails 0.21, the "New Identity" feature in the web browser is not
available anymore ([[!tails_ticket 6383]]).
As a workaround it is possible to:
1. Close the web browser.
2. Right-click on the Vidalia icon and choose "New identity".
3. Open the web browser again.
TorBrowser takes too long to shutdown
-------------------------------------
......