vitor - safely edit the Tor configuration file

I created a separate repo because it has nothing to do with tor-ctrl, it is for editing the torrc or any other tor configuration file (excluding files inside HiddenServiceDir/authorized_clients and ClientOnionAuthDir of course). Just the tor run commands file.

1 Like

This would become:

lxsudo sudo -u "$(whoami)" env VISUAL="$VISUAL" vitor -u debian-tor /usr/local/etc/torrc.d/50_user.conf

demo video

1 Like

How would it work if started from start menu if there is no terminal output available?

1 Like

I see the problem now if no terminal is opened, can you instruct on how to do a gui like application such as GitHub - adrelanos/sdwdate-gui: Grapical User Interface (gui), Systray Icon for for sdwdate for this case? I will read the code nonetheless.

This will lead to two repos, one with gui and other without as it happens on sdwdate.

1 Like

I am not much of a GUI developer. I can maintain / bugfix things but I think I didn’t invent a sophisticated GUI from scratch myself yet. The GUI applications by Whonix were contributed by other developers.

add anon-verify and torrc-parser. Anon-info maybe because it is only for debian hosts, or include on installation if debian system is detected.

rename vitor to a broader name to serve tor configuration files checker/parser/verifier.

Adrelanos, what is the reason for a part of the script to be in /usr/libexec?

https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s07.html

1 Like

Have not committed changes to github, but I am discussing with myself there.
Some fixes being done, if any new feature is wanted, just open an issue.

1 Like

Specifically why /usr/libexec and not some other folder? If some other folder, which one? Debian’s lintian complained about /usr/lib being the wrong location.

Or why is it split into two folders? Not sure what @iry had in mind. Perhaps sourcing that script from other scripts but that didn’t happen yet. So could also be all in 1 file, I guess.

1 Like

Asked on IRC if TPO has interest in producing a vitor, visudo for tor, if they reply something, I will post here, if not, then at least I tried.

1 Like

To keep vitor safe, I was studying some of sudoedit and visudo security features. I don’t know if I can tackle them all but some of vitor functionality and features are based on these tools for safety, as I am more than sure those developers have spent much more time hardening over the years than vitor has with its few months.

Sudoedit

 To help prevent the editing of unauthorized files, the following restrictions are enforced unless explicitly allowed by the security policy:

Let’s take it bit by bit.

• Symbolic links may not be edited (version 1.8.15 and higher).

The file could be not created yet, but if the file exists -e, then vitor should test if it is a regular file -f.

• Symbolic links along the path to be edited are not followed when the parent directory is writable by the invoking user unless that user is root (version 1.8.16 and higher).

Aren’t symlinks going to be blocked anyway?

• Files located in a directory that is writable by the invoking user may not be edited unless that user is root (version 1.8.16 and higher).

Why is this a security feature on sudoedit? What does it protect? Using privileges when not needed? The torrc is owned either by root or debian-tor, so you will need privilege. But if you are in the tor group, this feature is to guard against an attack exploiting the editor you are using with shell escapes? Anyway, using sudo/doas to copy the file and the normal user to edit the file.

Note that unlike most commands run by sudo, the editor is run
with the invoking user’s environment unmodified.

Done in vitor.

If the temporary file becomes empty after editing, the user will be
prompted before it is installed.

Not done, I don’t see a reason, maybe this is my pov.

If, for some reason, sudo is unable to update a file with its edited version, the user will receive a warning and the edited copy will remain in a temporary file.

Done in vitor.

visudo

In addition to reporting sudoers syntax errors, visudo may produce the
following messages:

sudoers file busy, try again later.
     Someone else is currently editing the sudoers file.

This is done in vitor, more like an info feature than a security feature.
As the file name may vary because of mktemp, the file.lck is displayed so you can know the path to delete the lock if you know it is a bug.

1 Like

Excellent!

1 Like

test -L filename

…checks symlinks.

1 Like

I was thinking of just checking if the file is a regular file, because that would block all other types of files.

pure-bash-bible - file conditionals

  • -b block special file
  • -c character special file
  • -d directory
  • -h, -L symbolic link
  • -p named pipe
  • -t open file descriptor
  • -S socket

From all of the file alternatives, I don’t think vitor should edit anything that is not a -f regular file. What do you think?

That is OK.

Pointing out “it’s a symlink” would be good for usability. If you like implementing this. Small usability gain.

if test -L /path/to/filename ; then
   echo something
fi

1 Like

More answers to come soon, probably.

Yes, edit regular file only.

1 Like
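The file-type checks discussed above, as an added shell example that is not vitor's code (`check_edit_target` and the fixture file names are hypothetical). It tests `-L` before `-e` and `-f` because those two follow symlinks: `-f` alone accepts a link to a regular file, and a dangling link looks like a file that does not exist yet.

```shell
#!/bin/sh
# Added example, not vitor's code. check_edit_target is a hypothetical name.
# Prints a verdict and returns 0 only when the target may be edited.
check_edit_target() {
    target=$1
    # Test -L first: -e and -f follow symlinks, so a link to a regular
    # file passes -f and a dangling link looks like a missing file.
    if [ -L "$target" ]; then
        echo "refused: symbolic link"
        return 1
    fi
    # A file that does not exist yet is allowed; the editor will create it.
    if [ ! -e "$target" ]; then
        echo "ok: does not exist yet"
        return 0
    fi
    # Anything else that exists must be a regular file
    # (rejects directories, pipes, sockets, device files).
    if [ ! -f "$target" ]; then
        echo "refused: not a regular file"
        return 1
    fi
    echo "ok: regular file"
}

# Constructed fixtures in a throwaway directory, one per case.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/50_user.conf"
    ln -s "$d/50_user.conf" "$d/link.conf"
    ln -s "$d/missing" "$d/dangling.conf"
    mkdir "$d/dir.conf"
    mkfifo "$d/pipe.conf"
    for name in 50_user.conf new.conf link.conf dangling.conf dir.conf pipe.conf; do
        printf '%-14s %s\n' "$name" "$(check_edit_target "$d/$name")"
    done
    rm -rf "$d"
}
demo
```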

Well, a lot of this is for quite advanced threat models. The problem is, while many geeks assume that threat model, I haven’t seen it fully spelled out.

It’s for very nuanced, advanced threat models. See:

There are good arguments between “all sudo is security theater”, “malware running under user account is as good as root compromise” as well as

So in case of editing a torrc file on the gateway (maybe even any Debian) it’s hard to come up with a realistic threat where this would prevent security compromise.

1 Like

Pointing out “it’s a symlink” would be good for usability. If you like implementing this. Small usability gain.

Done with info messages.

So in case of editing a torrc file on the gateway (maybe even any Debian) it’s hard to come up with a realistic threat where this would prevent security compromise.

Yeah, no way to cover all possible security ground. What could be done was done.

1 Like

Vitor is not gonna be included by TPO because now they are focusing on Rust for Arti, so unless someone contributes, it is not gonna happen upstream.

1 Like