Hi,

Alan wrote (01 Mar 2015 18:26:28 GMT):
> Here is a diagram on what I thought for more privilege separation:
>
>                      control socket
>      Tor <----------------> TorMonitorD
>                                 ^
>   debian-tor user               |
> .............................DBus............................
>   desktop user             system bus
>                               / \
>                              /   \
>                   gnome-shell     Tor Monitor
>                   tor monitor     application
>                   extension
>
> Pros:
> - only one connection to the Tor daemon

We also get this advantage if whatever info other parts of the Tails
desktop need is provided by the Tor Monitor process itself.

> - better isolation between the controller and X

... but we're introducing yet another large pile of code, which relies
on an even larger pile of underlying libraries, and which 1. can fully
control Tor; 2. exposes lots of interfaces (including those that the
Tor Monitor GUI itself needs) to any process running on the system.

So, assuming we went this way, I'd want to have TorMonitorD talk to the
Tor control port via our filtering proxy. And then, we can as well have
Tor Monitor do the same, with basically the same security advantages +
way less code and complexity. And the set of interfaces that it needs to
expose on the system bus to unprivileged processes will be much smaller.

(Also note that nothing forces us — I hope — to run Tor Monitor as the
`amnesia' user: instead, we can run it as a dedicated user, just like
we're currently doing for Vidalia.)

Cheers,
--
intrigeri
_______________________________________________
Tails-dev mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-dev
To unsubscribe from this list, send an empty email to [email protected].
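The "filtering proxy" intrigeri mentions sits between an untrusted controller (here, a Tor Monitor process) and Tor's control port, and only lets an allow-list of read-only commands through. The block below is an added illustration of that idea; it is not Tails' own filtering proxy nor any other Tails or Tor project code. The allowed commands and GETINFO/GETCONF/SETEVENTS keys are an assumed policy chosen for the example, the Tor side is a constructed stub, and the reply codes for filtered lines reuse Tor's 510/512/552 numbering only because they are what a control-port client already knows how to handle.

```python
"""Allow-list filter for Tor control-port commands (added example).

Models the filtering proxy from the thread: an unprivileged monitor never
talks to Tor directly. Every line it sends is parsed, checked against a
small allow-list of read-only commands, and either forwarded unchanged or
answered by the filter itself. A compromised monitor therefore cannot
SETCONF, SIGNAL, or otherwise reconfigure Tor.
"""
import re

# Assumed policy for this example (not the Tails policy): the commands a
# monitor needs, with the exact arguments it may pass. An empty set means
# the command takes no arguments at all.
DEFAULT_RULES = {
    "GETINFO": {
        "status/bootstrap-phase",
        "status/circuit-established",
        "circuit-status",
        "stream-status",
    },
    "GETCONF": {"disablenetwork"},           # config names are case-insensitive
    "SETEVENTS": {"CIRC", "STREAM", "STATUS_CLIENT"},
    "QUIT": set(),
}

# One control-port token: keyword, key, or Key=Value. Anything outside this
# character set (quotes, control characters) is refused rather than forwarded.
_TOKEN = re.compile(r"^[A-Za-z0-9_/.=\-]+$")


def parse_command(line):
    """Split one control-port line into (KEYWORD, [args]).

    Returns None for anything that is not a plain single-line command:
    empty lines, multi-line '+' commands (e.g. +POSTDESCRIPTOR), double
    spaces, or tokens containing unexpected characters.
    """
    line = line.rstrip("\r\n")
    if not line or line[0] == "+":
        return None
    parts = line.split(" ")
    if not all(_TOKEN.match(p) for p in parts):
        return None
    return parts[0].upper(), parts[1:]


def decide(line, rules=DEFAULT_RULES):
    """Return (forward, reply).

    forward=True: pass the line to Tor unchanged (reply is None).
    forward=False: do not contact Tor; send `reply` back to the client.
    """
    parsed = parse_command(line)
    if parsed is None:
        return False, "510 Unrecognized command"
    cmd, args = parsed
    if cmd == "AUTHENTICATE":
        # The filter holds the real credentials and authenticates to Tor
        # itself, so the client's AUTHENTICATE is answered locally.
        return False, "250 OK"
    if cmd not in rules:
        return False, "510 Command filtered"
    allowed = rules[cmd]
    if not allowed and args:
        return False, "512 Unexpected argument"
    if cmd == "SETEVENTS":
        bad = [a for a in args if a.upper() not in allowed]
    elif cmd == "GETCONF":
        bad = [a for a in args if a.lower() not in allowed]
    else:
        bad = [a for a in args if a not in allowed]
    if bad:
        return False, "552 Unrecognized key " + " ".join(bad)
    return True, None


def fake_tor(line):
    """Constructed stand-in for Tor's control port; only sees allowed lines."""
    cmd, args = parse_command(line)
    if cmd == "GETINFO":
        body = "".join("250-%s=<constructed value>\r\n" % a for a in args)
        return body + "250 OK"
    return "250 OK"


def run_session(client_lines, rules=DEFAULT_RULES, tor=fake_tor):
    """Run a client transcript through the filter; returns
    [(client_line, forwarded, reply)] so the decisions can be audited."""
    out = []
    for line in client_lines:
        forward, reply = decide(line, rules)
        out.append((line, forward, tor(line) if forward else reply))
    return out


if __name__ == "__main__":
    for line, fwd, reply in run_session([
        "AUTHENTICATE",
        "GETINFO status/bootstrap-phase",
        "SETEVENTS CIRC STREAM",
        "SETCONF DisableNetwork=0",   # a monitor has no business doing this
        "SIGNAL NEWNYM",
    ]):
        print("%-34s %-9s %s" % (line, "forward" if fwd else "blocked", reply))
```

The design point worth noting is the direction of the default: the rule table says what is allowed, and everything else, including anything the parser does not understand, is refused without touching Tor. That is what keeps the interface the monitor needs (a handful of GETINFO keys and event subscriptions) small enough to reason about.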
