[prev in list] [next in list] [prev in thread] [next in thread]
List: ipfire-development
Subject: [PATCH 1/4] Tor: Enable syscall sandbox
From: Peter_Müller <peter.mueller () ipfire ! org>
Date: 2021-09-25 7:07:58
Message-ID: c3117283-a083-01ad-0649-05da5bfa8b0d () ipfire ! org
[Download RAW message or body]
This makes post-exploitation activities harder, in case the local Tor
instance has been compromised. It is worth noticing that Tor won't
respond to a "GETINFO address" command on the control port if sandboxed,
but our CGI does not make use of it, and neither is any legitimate
service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
html/cgi-bin/tor.cgi | 1 +
1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
index 3349336ae..ce579aec1 100644
--- a/html/cgi-bin/tor.cgi
+++ b/html/cgi-bin/tor.cgi
@@ -730,6 +730,7 @@ sub BuildConfiguration() {
open(FILE, ">$torrc");
# Global settings.
+ print FILE "Sandbox 1\n";
print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
--
2.26.2
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic