Opened 6 years ago

Closed 3 years ago

Last modified 3 years ago

#11376 closed enhancement (duplicate)

Provide Privileged and Unprivileged control ports

Reported by: sysrqb
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: needs-proposal
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by sysrqb)

(This may be a duplicate because I know this has been discussed before, but I couldn't find the original if it exists)

The control port has the potential ability to pass sensitive information (#3521, #5976, #1949). There may be situations where one controller only needs the ability to query and receive a limited amount of information and another controller handles the sensitive information. These two processes should be able to connect/authenticate to different sockets and thus prevent the first process from receiving sensitive information.

Alternatively, this same isolation can be achieved using the chosen authentication mechanism.

Whichever is better (or if both, or another, are chosen), the capabilities of the connection should also be configurable via torrc and control port. For example, whether a connection is allowed to SETCONF or only GETCONF and SETEVENTS, etc. A high level of granularity would be ideal.
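The per-connection capability check described in the ticket above, sketched as an added example (not part of the ticket and not Tor code). The policy names, the policy table layout and check_command are hypothetical; authentication and the mapping of a connection to a policy are assumed to have happened already.

```python
# Added illustration: per-connection allowlist for Tor control-protocol
# command lines. POLICIES and check_command are hypothetical names.

# Each policy maps an allowed command verb to None (any arguments) or to
# the set of argument keywords that connection may use (lowercase).
POLICIES = {
    "unprivileged": {
        "GETCONF": {"socksport", "controlport"},
        "SETEVENTS": {"bw", "circ", "stream"},
        "QUIT": None,
    },
    "privileged": {
        "GETCONF": None, "SETCONF": None, "SETEVENTS": None,
        "GETINFO": None, "SIGNAL": None, "QUIT": None,
    },
}


def check_command(policy_name, line):
    """Return (allowed, reason) for one command line from a controller."""
    policy = POLICIES[policy_name]
    body = line.rstrip("\r\n")
    # An embedded CR/LF would let one "line" carry a second command past
    # the check, so refuse it before any parsing.
    if "\r" in body or "\n" in body or not body.strip():
        return False, "malformed line"
    verb, *args = body.split()
    verb = verb.upper()
    # Multi-line commands start with '+'; this sketch refuses them, and
    # anything not named in the policy is denied by default.
    if verb.startswith("+") or verb not in policy:
        return False, "verb not permitted"
    allowed_args = policy[verb]
    if allowed_args is not None:
        for arg in args:
            # "key=value" arguments are reduced to the key for the check.
            key = arg.split("=", 1)[0].lower()
            if key not in allowed_args:
                return False, "argument not permitted: " + key
    return True, "forward"


if __name__ == "__main__":
    # Constructed sample lines, one per outcome.
    for name, cmd in [("unprivileged", "GETCONF SocksPort\r\n"),
                      ("unprivileged", "SETCONF SocksPort=9150\r\n"),
                      ("privileged", "SETCONF SocksPort=9150\r\n")]:
        print(name, repr(cmd), check_command(name, cmd))
```

The default-deny lookup and the per-argument sets are where the threat-model work sits: every verb and keyword placed in the unprivileged table is a claim that exposing it is safe.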

Change History (6)

comment:1 Changed 6 years ago by sysrqb

Description: modified (diff)
Keywords: needs-proposal added

comment:2 Changed 6 years ago by nickm

This is a good idea, but it's going to take serious design work and hard thought about a threat model. Is there any nontrivial functionality from the control port that is completely safe to expose to a totally hostile program? If the answer is "yes", or if we can identify a well-considered variation on "completely" and "hostile" that makes the answer "yes", this might be worth doing.

comment:3 Changed 3 years ago by arma

Severity: Normal

I suggest closing as duplicate of #8369.

(I also don't see a way to accomplish this goal in a workable manner. But keeping one ticket open about it, to attract the people who want it to happen, sounds fine to me.)

comment:4 Changed 3 years ago by nickm

Resolution: duplicate
Status: new → closed

comment:5 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:6 Changed 3 years ago by nickm

Milestone: Tor: 0.3.???

Milestone deleted
