On Mon, Apr 3, 2017 at 6:39 PM, dawuud dawuud@riseup.net wrote:
It's worth noting that controllers able to run SETCONF can ask the tor process to execute arbitrary programs:
man torrc | grep exec
So if you want a controller to have any less privileges than the tor daemon does, you need a control port filter for SETCONF at the very least.
Yes, that is necessary. I question, however, whether it is sufficient.
Without a control port filter, what is the threat model of the ControlSocketsGroupWritable and CookieAuthFileGroupReadable options?
The same as with the rest of the control port: all authorized controllers have full control over the Tor process.
(Not saying it's a _good_ threat model, but there it is.)
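A deny-by-default control-port filter of the kind the thread calls for, as an added example (not code from this thread, from Tor, or from any existing filter): each controller request line is checked against an allowlist before being forwarded, so SETCONF, RESETCONF, LOADCONF and friends never reach the tor process; the allowlist, the argument deny-list, and the sample transcript are assumptions chosen for illustration.

```python
import re

# Illustrative allowlist for a low-privilege controller (an assumption of this
# example, not a recommendation from the thread or from Tor).
ALLOWED_COMMANDS = frozenset({
    "PROTOCOLINFO", "AUTHENTICATE", "GETINFO", "GETCONF",
    "SETEVENTS", "SIGNAL", "QUIT",
})

# Even an allowed command may carry an argument that changes configuration:
# SIGNAL RELOAD (alias HUP) makes tor re-read its torrc.
DENIED_ARGUMENTS = {"SIGNAL": frozenset({"RELOAD", "HUP"})}

# Control-protocol request: KEYWORD [args] CRLF. A leading '+' marks a
# multi-line command (e.g. +LOADCONF), which this filter never forwards.
_REQUEST = re.compile(r"^([A-Za-z][A-Za-z0-9_-]*)(?:[ \t]+(.*))?$")


def filter_command(line: str):
    """Decide whether one controller request line may be forwarded.

    Returns (True, None) if it may be passed to tor unchanged, or
    (False, reply) where reply is the refusal line sent back to the
    controller. The 5xx codes mirror the control protocol's error form;
    the reply texts are this example's own.
    """
    text = line.rstrip("\r\n")
    if text.startswith("+"):
        return False, "510 Multi-line commands are not forwarded"
    m = _REQUEST.match(text)
    if m is None:
        return False, "510 Unrecognized command"
    keyword = m.group(1).upper()          # keywords are case-insensitive
    args = (m.group(2) or "").split()
    if keyword not in ALLOWED_COMMANDS:
        # SETCONF, RESETCONF, LOADCONF, SAVECONF, ... all land here.
        return False, "510 Command filtered"
    for arg in args:
        if arg.upper() in DENIED_ARGUMENTS.get(keyword, ()):
            return False, "513 Argument filtered"
    return True, None


def filter_session(lines):
    """Apply filter_command to a controller transcript; return the decisions."""
    return [(ln.strip(), *filter_command(ln)) for ln in lines]


# Constructed sample transcript of what a controller might send.
SAMPLE_SESSION = [
    "PROTOCOLINFO 1\r\n", "GETINFO version\r\n", "SETEVENTS CIRC STREAM\r\n",
    "SIGNAL NEWNYM\r\n", "SIGNAL HUP\r\n",
    "SETCONF ControlSocketsGroupWritable=1\r\n", "+LOADCONF\r\n",
]
```

The filter only decides per line; a real deployment would sit as a proxy between the controller socket and tor's ControlSocket and still needs its own authentication handling.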