#3396 closed enhancement (wontfix): custom resolver

Opened 8 years ago, closed 8 years ago, last modified 8 years ago

Reported by: toruser32
Owned by: atagar
Priority: Medium
Component: Core Tor/Nyx

Description

I am running arm on GNU/Linux in the context of a user that is neither root nor the user of the tor instance that is monitored. Obviously all available connection resolvers fail.

I think it is feasible to enable the arm user to write their own connection resolver. This could be achieved by adding a new option in armrc that links to a user-provided file that implements the listener.
I would then solve my problem by writing one that executes sudo -u my-tor-user netstat -np etc., with the sudo being a NOPASSWD command via /etc/sudoers.

Change History (4)

comment:1 Changed 8 years ago by atagar

I'm not following - you're thinking that you'd pipe the netstat output to a file as a cron task then have arm read it? That is to say, every so often running...
sudo -u <tor user> netstat -np | grep "ESTABLISHED <pid>/<process>" > /path/to/file

then having arm read this as the connection results? This sounds like quite a hack to me but if you'd like to implement it then that's fine with me - let me know if you need any help. :)

-Damian

comment:2 in reply to: 1 Changed 8 years ago by toruser32

Replying to atagar:

I'm not following - you're thinking that you'd pipe the netstat output to a file as a cron task then have arm read it? That is to say, every so often running...
sudo -u <tor user> netstat -np | grep "ESTABLISHED <pid>/<process>" > /path/to/file

then having arm read this as the connection results? This sounds like quite a hack to me but if you'd like to implement it then that's fine with me - let me know if you need any help. :)

-Damian

No, I would like to be able to specify my own resolver command that is executed by arm. That is, I'd add another option to armrc, e.g. queries.resolverfile. This entry links to a python (!) file that implements a simple class/function/whatever (I don't know python :( ). Arm passes the <pid> to this thingy, and the class/function/whatever returns the connections just like procTools.getConnections.

comment:3 Changed 8 years ago by toruser32

Resolution: wontfix
Status: new -> closed

comment:4 Changed 8 years ago by atagar

The cron-write-to-file idea strikes me as being usable since it means that you only need a simple netstat task running with elevated permissions rather than all of arm. However, I don't really like this solution since...

  • it's a huge hack
  • the cron task would outlive the arm process
  • I doubt many (any?) users would take advantage of this feature

Here's the IRC discussion just in case this gets reopened:
08:11 < toruser32> atagar, is my clarification in ticket 3396 feasible?
08:16 < atagar> toruser32: Arbitrary python execution? That sounds very dangerous to me.
08:17 < toruser32> yeah, but its up to the user to actually specify that
08:18 < toruser32> I'd rather consider this to be a user-specified add-on
08:21 < toruser32> atagar: is there any other method to query the active connections with arm being executed as a non-root, non-tor user?
08:21 < atagar> I don't think that this would be useful to anyone besides you and it spooks me (it means that if I can sneak evil code into your /tmp and somehow get you to run arm with a bad armrc very bad things happen). I agree that it's not a likely vector for problems, but makes my skin crawl.
08:21 < atagar> the method I suggested (piping the output to a file that's read) strikes me as being much safer and easier for users
08:23 < toruser32> well, thats yet another cron job. I don't like that :(
08:23 < toruser32> Either way, thanks
08:23 < toruser32> I will stick to running arm under the same user I use for tor
08:23 < toruser32> this should settle the problem
08:23 < toruser32> wontfix is fine for me
08:23 < atagar> np, sorry I don't have a better answer :/
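The two designs discussed in this ticket, as an added example that is not arm/nyx code and was not written by either participant: the reporter's resolver that runs `sudo -u <tor user> netstat -np` from arm (comment:2 and the description), and atagar's alternative of reading netstat output that a cron task wrote to a file (comment:1 and comment:4). Both share one `netstat -np` parser that keeps the ESTABLISHED entries of a given pid, matching the `grep "ESTABLISHED <pid>/<process>"` filter from comment:1. The netstat sample, the sudoers rule, the file path, and every function name here are assumptions for the example; the file-based variant adds the ownership and permission checks a practitioner would want before trusting a file another process wrote.

```python
"""Added example, not code from arm/nyx: two ways to list a Tor process's
connections when arm runs as a third user, as discussed in ticket #3396.
Sample netstat output below is constructed for the example."""
import os
import stat
import subprocess
import tempfile
from collections import namedtuple

Connection = namedtuple("Connection", "proto local_addr local_port remote_addr remote_port")

# Constructed `netstat -np` output (Linux column layout); pid 1234 stands in for tor.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9050          127.0.0.1:45210         ESTABLISHED 1234/tor
tcp        0      0 192.0.2.10:51612        198.51.100.7:9001       ESTABLISHED 1234/tor
tcp        0      0 192.0.2.10:51614        203.0.113.4:443         TIME_WAIT   -
tcp        0      0 127.0.0.1:22            127.0.0.1:40022         ESTABLISHED 4321/sshd
tcp6       0      0 ::1:9050                ::1:52000               ESTABLISHED 1234/tor
"""


def parse_netstat(output, pid):
    """Return the ESTABLISHED TCP connections owned by `pid` in `netstat -np` output.

    Equivalent to the ticket's `grep "ESTABLISHED <pid>/<process>"`: header
    lines, other states and other pids are dropped. Ports are split off with
    rsplit so IPv6 local/foreign addresses (e.g. ::1:9050) parse correctly."""
    conns = []
    for line in output.splitlines():
        fields = line.split()
        # tcp rows: proto recv-q send-q local foreign state pid/program
        if len(fields) < 7 or not fields[0].startswith("tcp"):
            continue
        proto, local, remote, state, owner = fields[0], fields[3], fields[4], fields[5], fields[6]
        if state != "ESTABLISHED" or owner.split("/", 1)[0] != str(pid):
            continue
        laddr, lport = local.rsplit(":", 1)
        raddr, rport = remote.rsplit(":", 1)
        conns.append(Connection(proto, laddr, int(lport), raddr, int(rport)))
    return conns


def resolve_via_sudo(pid, tor_user):
    """Reporter's design: arm itself runs netstat as the tor user via sudo.

    Assumes a sudoers rule like `arm_user ALL=(tor_user) NOPASSWD: /bin/netstat -np`
    (assumption, not from the ticket). Argument-list form and `-n` (never prompt)
    keep the call non-interactive and free of shell interpretation."""
    cmd = ["sudo", "-n", "-u", tor_user, "netstat", "-np"]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_netstat(proc.stdout, pid)


def resolve_via_file(path, pid, expected_uid):
    """atagar's design: read netstat output that a cron task wrote to `path`.

    The file is another process's output, so before trusting it we open with
    O_NOFOLLOW (POSIX; no symlink swap), fstat the open descriptor (no
    lstat/open race), and require a regular file owned by `expected_uid`
    that is not group- or world-writable. Otherwise raise PermissionError."""
    fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if st.st_uid != expected_uid:
            raise PermissionError("%s owned by uid %d, expected %d" % (path, st.st_uid, expected_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError("%s is group- or world-writable" % path)
        with os.fdopen(fd, "r") as fh:
            fd = None  # fdopen now owns the descriptor
            return parse_netstat(fh.read(), pid)
    finally:
        if fd is not None:
            os.close(fd)


def demo_via_file(mode=0o600, pid=1234):
    """Write SAMPLE_NETSTAT to a temp file with `mode` and resolve from it.
    With mode 0o666 the permission check rejects the file."""
    fd, path = tempfile.mkstemp(prefix="arm-netstat-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_NETSTAT)
        os.chmod(path, mode)
        return resolve_via_file(path, pid, os.stat(path).st_uid)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for conn in demo_via_file():
        print("%s %s:%d -> %s:%d" % conn)
```

`resolve_via_sudo` is the part that cannot run offline; everything else runs as-is. Note that the file checks only make the cron approach safe against other local users planting a file; they do nothing about atagar's concern in the IRC log, which is arm importing arbitrary Python named in armrc.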
