Re: [Tails-dev] How to replace the green onion [was: What do…

Author: intrigeri
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] How to replace the green onion [was: What do we miss to replace Vidalia]
Hi,

Alan wrote (01 Mar 2015 18:26:28 GMT) :
> Here is a diagram on what I thought for more privilege separation:


>          control socket
>   Tor <----------------> TorMonitorD
>                               ^
> debian-tor user               |
> .............................DBus............................
> desktop user              system bus
>                             /    \
>                            /      \
>                  gnome-shell      Tor Monitor
>                  tor monitor      application
>                   extension


> Pros:


> - only one connection to the Tor daemon


We also get this advantage if whatever info other parts of the Tails
desktop need is provided by the Tor Monitor process itself.

> - better isolation between the controller and X


... but we're introducing yet another large pile of code, which relies
on an even larger pile of underlying libraries, and which 1. can fully
control Tor; 2. exposes lots of interfaces (including those that the
Tor Monitor GUI itself needs) to any process running on the system.

So, assuming we went this way, I'd want to have TorMonitorD talk to
the Tor control port via our filtering proxy. And then, we can as well
have Tor Monitor do the same, with basically the same security
advantages + way less code and complexity. And the set of interfaces
that it needs to expose on the system bus to unprivileged processes
will be much smaller.

(Also note that nothing forces us — I hope — to run Tor Monitor as the
`amnesia' user: instead, we can run it as a dedicated user, just like
we're currently doing for Vidalia.)

Cheers,
--
intrigeri
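
Added example, not part of the original message and not Tails' own filter code: a minimal sketch of the allowlist decision a filtering proxy in front of the Tor control port could make for a read-only monitor client. The `decide` function, the allowed `GETINFO` keys, the choice to answer `AUTHENTICATE` locally and the refusal text are all assumptions made for illustration.

```python
# Illustrative allowlist policy for Tor control-port command lines.
# Assumption: the proxy itself authenticates to Tor, so the client never
# holds Tor's credentials and its AUTHENTICATE is answered locally.

GETINFO_KEYS = {"version", "circuit-status", "stream-status",
                "status/bootstrap-phase"}      # read-only keys a monitor needs
SIGNALS = {"NEWNYM"}                           # the only signal let through
REFUSED = "510 Command filtered\r\n"           # constructed refusal reply


def decide(line):
    """Return ("forward", line_for_tor) or ("reply", text_for_client)."""
    body = line.rstrip("\r\n")
    # One client line must carry one command: refuse embedded line breaks
    # (command smuggling) and the '+' multi-line command form.
    if "\r" in body or "\n" in body or body.startswith("+"):
        return ("reply", REFUSED)
    parts = body.split()
    if not parts:
        return ("reply", REFUSED)
    cmd, args = parts[0].upper(), parts[1:]    # keywords are case-insensitive
    if cmd == "AUTHENTICATE":
        return ("reply", "250 OK\r\n")         # never forwarded to Tor
    if cmd == "QUIT" and not args:
        return ("forward", "QUIT\r\n")
    if cmd == "GETINFO" and args and all(a in GETINFO_KEYS for a in args):
        return ("forward", "GETINFO " + " ".join(args) + "\r\n")
    if cmd == "SIGNAL" and len(args) == 1 and args[0].upper() in SIGNALS:
        return ("forward", "SIGNAL " + args[0].upper() + "\r\n")
    # Default deny: SETCONF, LOADCONF, unlisted GETINFO keys, etc.
    return ("reply", REFUSED)


if __name__ == "__main__":
    # Constructed sample client lines.
    for sample in ("GETINFO version\r\n", "SETCONF SocksPort=0\r\n",
                   "GETINFO version\r\nSETCONF SocksPort=0\r\n"):
        print(repr(sample), "->", decide(sample))
```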