This makes post-exploitation activities harder, in case the local Tor instance has been compromised. It is worth noticing that Tor won't respond to a "GETINFO address" command on the control port if sandboxed, but our CGI does not make use of it, and neither is any legitimate service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 3349336ae..ce579aec1 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -730,6 +730,7 @@ sub BuildConfiguration() { open(FILE, ">$torrc");
# Global settings. + print FILE "Sandbox 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index ce579aec1..2b0d93336 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -731,6 +731,7 @@ sub BuildConfiguration() {
# Global settings. print FILE "Sandbox 1\n"; + print FILE "HardwareAccel 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
We currently don't have IPv6 in vanilla IPFire 2.x installations, hence there is no sense in letting Tor finding out IPv6 connectivity.
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/tor.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 2b0d93336..8ecef5d9c 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -802,10 +802,10 @@ sub BuildConfiguration() { # Reject access to private networks. print FILE "ExitPolicyRejectPrivate 1\n";
- print FILE "ORPort $settings{'TOR_RELAY_PORT'}\n"; + print FILE "ORPort $settings{'TOR_RELAY_PORT'} IPv4Only\n";
if ($settings{'TOR_RELAY_DIRPORT'} ne '0') { - print FILE "DirPort $settings{'TOR_RELAY_DIRPORT'}\n"; + print FILE "DirPort $settings{'TOR_RELAY_DIRPORT'} IPv4Only\n"; }
if ($settings{'TOR_RELAY_ADDRESS'} ne '') {
Signed-off-by: Peter Müller peter.mueller@ipfire.org --- html/cgi-bin/tor.cgi | 2 +- lfs/tor | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 8ecef5d9c..539a74343 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # diff --git a/lfs/tor b/lfs/tor index 56280b936..7aaad07d3 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 63 +PAK_VER = 64
DEPS = libseccomp
Hello,
Can you elaborate a little bit more on this?
Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
What does this option change?
-Michael
On 25 Sep 2021, at 08:08, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index ce579aec1..2b0d93336 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -731,6 +731,7 @@ sub BuildConfiguration() {
# Global settings. print FILE "Sandbox 1\n";
print FILE "HardwareAccel 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
-- 2.26.2
Hello Michael,
thanks for your reply.
To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel for an online version of it):
HardwareAccel 0|1 If non-zero, try to use built-in (static) crypto hardware acceleration when available. Can not be changed while tor is running. (Default: 0)
Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386d...).
Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)
I hope to have your question answered.
Thanks, and best regards, Peter Müller
Hello,
Can you elaborate a little bit more on this?
Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on.
What does this option change?
-Michael
On 25 Sep 2021, at 08:08, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index ce579aec1..2b0d93336 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -731,6 +731,7 @@ sub BuildConfiguration() {
# Global settings. print FILE "Sandbox 1\n";
print FILE "HardwareAccel 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
-- 2.26.2
Thank you for clearing this up for me.
-Michael
On 4 Oct 2021, at 11:49, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael,
thanks for your reply.
To quote from Tor's manpage (see https://2019.www.torproject.org/docs/tor-manual.html.en#HardwareAccel for an online version of it):
HardwareAccel 0|1 If non-zero, try to use built-in (static) crypto hardware acceleration when available. Can not be changed while tor is running. (Default: 0)Even if it is available, Tor does not use hardware crypto acceleration by default. While I consider this a reasonable default for Tor users not trusting their hardware, we agreed on doing so a while ago (https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=13eab1060d0474ddf413386d...).
Therefore, this needs to be enabled explicitly, which is what this patch is good for. :-)
I hope to have your question answered.
Thanks, and best regards, Peter Müller
Hello, Can you elaborate a little bit more on this? Tor is using OpenSSL which by default should use RDRAND, AES-NI (if applicable) and so on. What does this option change? -Michael
On 25 Sep 2021, at 08:08, Peter Müller peter.mueller@ipfire.org wrote:
Signed-off-by: Peter Müller peter.mueller@ipfire.org
html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+)
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index ce579aec1..2b0d93336 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -731,6 +731,7 @@ sub BuildConfiguration() {
# Global settings. print FILE "Sandbox 1\n";
print FILE "HardwareAccel 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
-- 2.26.2
-
Michael Tremer -
Peter Müller