ApplicationControlSocket: the way for apps to control Tor
** Problem:
When third party apps need to control Tor (most likely to create onions), they always face the choice of how to do this right. There are several options: 1. to start as root, connect to Tor, and setuid 2. to use the control port 9051, this will sometimes require password or cookie to authenticate 3. to run under group _tor and use control socket, reading auth-cookie or supplying password.
These choices come up for all apps that need to control Tor, but which are otherwise unrelated to Tor. Lack of clear recipe as of what should they choose to do and the complexity involved in this decision give rise to random behaviors, unsafe practices, etc.
** Proposed solution:
New torrc instruction ApplicationControlSocket:
ApplicationControlSocket group_name /path/to/app/socket (cookie:/path/to/app/cookie_auth_file|hash:16:XXXXX...)
Arguments:
- group_name: UNIX group name this instruction applies to
- /path/to/app/socket: path where Tor will create the UNIX socket
- (cookie:/path/to/app/cookie_auth_file|hash:16:XXXXX...): either the path to auth-cookie file, or hashed password.
Every application that needs to control Tor runs as its own group. This group has this instruction in torrc that enables it to control Tor.
Tor will create a special control socket just for this group. Optionally, Tor will create the auth-cookie file. Tor will check credentials of incoming connections, and will reject any connection not coming from the process with this specific group, or when the user is not a member of this group. Tor will make permissions on socket and auth-cookie files like this: ----rw---- _tor:{group_name}.
** Pros/Cons:
Pros:
- Easy to use and understand
- Apps will have no need to make choices and reinvent the wheel
- This will be a standard, suggested way
- Reduces the chance to have unsafe setups
- Eliminates the need to have the potentially unsafe control port 9051
Cons:
- Some effort to implement
** Limitations:
Only applicable to OSes where UNIX sockets are available: Linux, BSD, MacOS, SunOS. Probably not on Windows.
** Examples of apps:
- ZeroNet (can run with its own group zeronet)
- Tox (can require user to be a member of tox group allowed to control Tor)
- RetroShare (can require user to be a member of group retroshare)
Alternatively, UI apps can share the group, ex. require the user to be a member of 'tor-controllers', and share one ApplicationControlSocket instruction.