Hi, I've had a look at the rewritten branch, at commit 7d0ea0b.

> root ALL = (tor-launcher) NOPASSWD: /usr/bin/tor-launcher

What is this useful for? root can already run any command as any
user without password, no?

> amnesia ALL = (root) NOPASSWD: /usr/local/sbin/tails-tor-launcher

It could be worth restricting the arguments that amnesia can pass to
this command. That would be none, or --force-net-config, right?
See config/chroot_local-includes/etc/sudoers.d/zzz_upgrade in the
feature/6508-incremental-upgrades-phase-four branch for an example of
such locking down I've recently done.

In /usr/local/sbin/tails-tor-launcher, I'd rather see the four
instances of:

  VAR=value
  export VAR

... written "export VAR=value" instead, but that's purely a matter of
personal taste, and I don't care much.

> touch /etc/authbind/byport/53
> chgrp debian-tor /etc/authbind/byport/53
> chmod g=x /etc/authbind/byport/53

Nowadays, I would instead write:

  install --group=debian-tor --mode=0710 /dev/null /etc/authbind/byport/53

... but again, purely a matter of personal taste.

> $NICE \
> $AA_EXEC \
> - --exec $DAEMON -- $AA_EXEC_ARGS $DEFAULT_ARGS $ARGS
> + --exec /usr/bin/authbind -- $DAEMON $AA_EXEC_ARGS
> $DEFAULT_ARGS $ARGS

Any reason why /usr/bin/authbind is not grouped with the other prefix
commands ($NICE and $AA_EXEC), instead of being part of the arguments
passed to --exec?

> Don't ever run Vidalia with -bridgeconf.

So we could update our Vidalia package:

  1. to drop vidalia-bridgeconf.patch: not needed anymore
  2. to hide bridge settings (either in
     tails-remove-useless-controls.patch, or with a new patch,
     whatever is more practical)

I guess #1 is not a blocker, but I'm unsure about #2. What happens if
a user changes bridge settings in Vidalia, after having set it in Tor
Launcher? And after *not* having set it in Tor Launcher?

(And if we address #2, implementing #1 as well does not add more than
a few minutes of work.)

That's all for now :)

Cheers!
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

tails-dev mailing list
https://mailman.boum.org/listinfo/tails-dev
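
Review bot: on the "+" line of the quoted hunk, --exec now names /usr/bin/authbind and $DAEMON moves behind "--" as an ordinary argument, so whatever consumes --exec sees authbind rather than the daemon. If this is a start-stop-daemon call, please confirm that the stop and status paths still match the running process, and add a comment at that line saying why authbind wraps $DAEMON (the byport/53 entry set up earlier in the message), since the wrapper is not obvious from the command line alone.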
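
The argument restriction suggested above for the amnesia rule, written out as an added sudoers example. It is not part of the original message and not copied from the zzz_upgrade file it mentions; it assumes, as the message supposes, that the only valid invocations are no arguments or --force-net-config.

```sudoers
# Before (rule as quoted in the message): a command listed without any
# arguments in sudoers matches EVERY argument list, so amnesia can pass
# arbitrary options to a script that runs as root.
#amnesia ALL = (root) NOPASSWD: /usr/local/sbin/tails-tor-launcher

# After: one rule per permitted argument list (assumed set, see above).
# "" means the command may only be run with no arguments at all.
amnesia ALL = (root) NOPASSWD: /usr/local/sbin/tails-tor-launcher ""
# Arguments spelled out literally must match exactly; no wildcards are
# used, so nothing can be appended after the option.
amnesia ALL = (root) NOPASSWD: /usr/local/sbin/tails-tor-launcher --force-net-config
```

A fragment like this can be syntax-checked with `visudo -c -f <file>` before it is shipped in /etc/sudoers.d/.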
