Opened 4 years ago

Closed 2 years ago

#14272 closed enhancement (fixed)

Make Tor Launcher work with Unix Domain Socket option

Reported by: gk
Owned by: brade
Priority: High
Milestone:
Component: Applications/Tor Launcher
Version:
Severity: Normal
Keywords: tbb-security, TorBrowserTeam201608R
Cc: brade, mcs, adrelanos@…, whonix-devel@…
Actual Points:
Parent ID: #14270
Points:
Reviewer:
Sponsor: SponsorU

Description (last modified by gk)

In order to enhance the security of the Tor Browser we should at least for *NIX systems support the recently landed Unix Domain Socket option.

Change History (12)

comment:1 Changed 4 years ago by mcs

Cc: brade mcs added

comment:2 Changed 3 years ago by gk

Description: modified (diff)
Summary: changed from "Make Tor Launcher work with SocksSocket option" to "Make Tor Launcher work with Unix Domain Socket option"

comment:3 Changed 3 years ago by proper

Cc: adrelanos@… added

We're wondering on how one would still be able to use Tor Browser behind a Transparent/Isolating Proxy, Whonix, without Tor over Tor then.

While you're at this, could you please add support for connecting to an already, previously existing unix domain socket file? Such as an environment variable export TOR_PRE_EXIST_UNIX_SOCKET=/path/to/socket (or so)? (The creation of that socket would be up to the user of such a TOR_PRE_EXIST_UNIX_SOCKET environment variable.)

(We could then use socat to create the socket and to forward it to another IP/port where Tor is listening.)

comment:4 Changed 3 years ago by gk

Owner: changed from gk to brade
Status: changed from new to assigned

comment:5 Changed 3 years ago by proper

Cc: whonix-devel@… added

comment:6 Changed 3 years ago by proper

Replying to brade:

Replying to proper:

As far as I understand, this is up to Make Tor Launcher work with Unix Domain Socket option (#14272). What is Tor Button's role in this?

Torbutton includes code that interacts with tor via the control port (e.g., newnym, circuit display). If we disable all TCP in Tor Browser, control port communication will need to be via a Unix domain socket as well (so Torbutton will need to be modified).

Then I must write an update to my previous post. :)

We're wondering on how one would still be able to use Tor Browser behind a Transparent/Isolating Proxy, Whonix, without Tor over Tor then.

While you're at this, could you please add support for connecting to already, previously existing unix domain socket files? Such as environment variables:

  • export TOR_PRE_EXIST_UNIX_SOCKET_SOCKS=/path/to/socket
  • export TOR_PRE_EXIST_UNIX_SOCKET_CONTROL=/path/to/socket (or so)

(The creation of these unix domain socket files would be up to the user of these environment variables.)

(We could then use socat to create the socket and to forward it to another IP/port where Tor is listening.)
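
The forwarding described in the comment above (a Unix domain socket relayed to the IP/port where Tor listens), as an added example that is not part of the ticket, of Tor Launcher, or of socat: Python's asyncio stands in for socat here, and the names `serve_unix_to_tcp` and `pipe` are hypothetical. The socket path and Tor's TCP address are assumed to be supplied by the operator; the socket file is created with mode 0600 so only its owner can connect.

```python
import asyncio, os, socket, sys

async def pipe(reader, writer):
    # Copy bytes in one direction until EOF, then close the receiving side.
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def serve_unix_to_tcp(sock_path, host, port):
    """Listen on a Unix domain socket and relay every client to host:port."""
    async def handle(c_reader, c_writer):
        try:
            t_reader, t_writer = await asyncio.open_connection(host, port)
        except OSError:
            c_writer.close()  # upstream Tor not reachable: drop the client
            return
        await asyncio.gather(pipe(c_reader, t_writer), pipe(t_reader, c_writer),
                             return_exceptions=True)

    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created 0600: owner only
    try:
        listener.bind(sock_path)  # fails if the path already exists
    finally:
        os.umask(old_umask)
    return await asyncio.start_unix_server(handle, sock=listener)

async def main(sock_path, host, port):
    server = await serve_unix_to_tcp(sock_path, host, int(port))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    # Usage (values are the operator's): forwarder.py /path/to/socket HOST PORT
    asyncio.run(main(*sys.argv[1:4]))
```

Placing the socket inside a directory that is itself mode 0700 keeps the restriction in place on platforms that ignore permissions on the socket file.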

comment:7 Changed 2 years ago by gk

Priority: changed from Medium to High
Sponsor: SponsorU

comment:8 Changed 2 years ago by gk

Keywords: TorBrowserTeam201608 added

Getting important SponsorU things on our August radar.

comment:9 Changed 2 years ago by mcs

Keywords: TorBrowserTeam201608R added; TorBrowserTeam201608 removed
Severity: Normal
Status: changed from assigned to needs_review

Switching to a Unix domain socket for the control port turns out to mostly be a matter of configuration plus creation of a different kind of socket transport. Here is a patch for review:
https://gitweb.torproject.org/user/brade/tor-launcher.git/commit/?h=bug14272-01&id=fe86a337bac123466433a5d7dff19333b5907daf

comment:10 Changed 2 years ago by gk

Two things (no need to create a new branch if 2. is moot):

  1. In the commit description s/is is use/is in use/
  2. Why do we have a new param for getTorFile()? Do we expect more calls with aMustExist === false? If not, why not just omit that param (and do something like "control_socket" == aTorFileType again) or at least rename it to something more descriptive than aMustExist (like aControlSocket)?

I was confused about the !aMustExist check as the connection between that and doing f.normalize(); seems not obvious at first glance.

comment:11 in reply to:  10 Changed 2 years ago by mcs

Replying to gk:

Two things (no need to create a new branch if 2. is moot):

  1. In the commit description s/is is use/is in use/

Oops. Thanks!

  2. Why do we have a new param for getTorFile()? Do we expect more calls with aMustExist === false? If not, why not just omit that param (and do something like "control_socket" == aTorFileType again) or at least rename it to something more descriptive than aMustExist (like aControlSocket)?

Kathy and I like your suggestion. Here is a revised patch:
https://gitweb.torproject.org/user/brade/tor-launcher.git/commit/?h=bug14272-02&id=8871259c966755233b134a5ddb2b4926539d25c6

comment:12 Changed 2 years ago by gk

Resolution: fixed
Status: changed from needs_review to closed

Thanks, this is commit 8871259c966755233b134a5ddb2b4926539d25c6 on master. I'll get that onto the proper maint branch for the alphas later. I added a typo-fix-commit as well (commit 32ddac7015be571c336be686b4f901103d0d36f6) to save us one round-trip.
