On Feb 10, 2012, at 12:02 AM, Robert Ransom wrote:
The sole exception to ‘non-safe cookie authentication must die’ is when a controller knows that it is connected to a server process with equal or greater access to the same filesystem it has access to. In practice, this means ‘only if you're completely sure that Tor is running in the same user account as the controller, and you're completely sure that you're connected to Tor’, and no controller is sure of either of those.
Why is it so hard to do this? Can't we tell controllers to do a check of permissions, and only if they can't be sure refuse to use the requested path by default unless a config whitelist or user prompt allows it? I think that's a lot easier to implement for controllers, and I just don't really see the huge threat here. If you have malicious system-wide software on your host, you lost anyway.
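As an added illustration (not code from either participant or from Tor), this Python sketch implements the permissions check the reply proposes: a controller that has been handed a cookie path refuses to use it unless the file is a regular file (not a symlink), is owned by the controller's own uid, and is readable by nobody else, with an allowlist and an optional prompt callback as the override path the reply describes. The function names, the `control_auth_cookie` file name in the demo and the 32 random bytes written to it are constructed for the example. Note what the check does and does not establish: it confirms the file is private to the current user, which addresses the first of Ransom's two conditions (same user account), but it says nothing about whether the process on the other end of the socket is actually Tor, so it narrows rather than removes the concern.

```python
import os
import stat
import tempfile


def cookie_file_check(path, expected_uid=None):
    """Return (ok, reason). ok is True only when every safety check passes.

    The checks answer the question "could something other than my own user
    account have written or read this file?" without ever opening it.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    except FileNotFoundError:
        return False, "cookie file does not exist"
    except PermissionError:
        return False, "cookie file is not accessible to this user"
    if stat.S_ISLNK(st.st_mode):
        return False, "cookie path is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "cookie path is not a regular file"
    if st.st_uid != expected_uid:
        return False, "cookie file is owned by uid %d, not %d" % (st.st_uid, expected_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, "cookie file is accessible to group or others (mode %o)" % stat.S_IMODE(st.st_mode)
    return True, "ok"


def decide_cookie_use(path, allowlist=(), prompt=None):
    """Policy from the reply: use the path when the checks pass; otherwise
    refuse by default unless a config allowlist or a user prompt overrides.

    prompt, if given, is a callable (path, reason) -> bool standing in for a
    UI confirmation dialog (hypothetical hook, not a Tor or controller API).
    Returns (decision, reason) where decision is one of
    "use", "use-allowlisted", "use-approved", "refuse".
    """
    ok, reason = cookie_file_check(path)
    if ok:
        return "use", reason
    if os.path.abspath(path) in {os.path.abspath(p) for p in allowlist}:
        return "use-allowlisted", reason
    if prompt is not None and prompt(path, reason):
        return "use-approved", reason
    return "refuse", reason


def demo():
    """Exercise the policy against constructed files in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cookie = os.path.join(d, "control_auth_cookie")  # constructed sample path
        with open(cookie, "wb") as f:
            f.write(os.urandom(32))  # constructed sample content, not a real cookie
        os.chmod(cookie, 0o600)
        results["private"] = decide_cookie_use(cookie)[0]

        os.chmod(cookie, 0o644)  # now readable by any local user
        results["world_readable"] = decide_cookie_use(cookie)[0]
        results["world_readable_allowlisted"] = decide_cookie_use(cookie, allowlist=[cookie])[0]
        results["world_readable_prompt_no"] = decide_cookie_use(cookie, prompt=lambda p, r: False)[0]
        results["world_readable_prompt_yes"] = decide_cookie_use(cookie, prompt=lambda p, r: True)[0]

        link = os.path.join(d, "link_to_cookie")
        os.symlink(cookie, link)
        results["symlink"] = decide_cookie_use(link)[0]
        results["missing"] = decide_cookie_use(os.path.join(d, "does_not_exist"))[0]
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print("%-28s %s" % (name, decision))
```

The refusal is the default and the override is explicit, which matches the reply's "refuse by default unless a config whitelist or user prompt allows it"; a controller that wants the stricter behaviour simply passes no allowlist and no prompt.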