On Fri, 28 Jan 2022 19:58:49 -0700 David Fifield <[email protected]> wrote:

> > On the matter of onion key rotation, I had the idea of making the onion key
> > files read-only. Roger did some source code investigation and said that it
> > might work to prevent onion key rotation, with some minor side effects. I
> > plan to give the idea a try on a different bridge. The possible side
> > effects are that tor will continue trying and failing to rotate the onion
> > key every hour, and "force a router descriptor rebuild, so it will try to
> > publish a new descriptor each hour."
>
> Making secret_onion_key and secret_onion_key_ntor read-only does not quite
> work, because tor first renames them to secret_onion_key.old and
> secret_onion_key_ntor.old before writing new files. (Making the *.old files
> read-only does not work either, because the `tor_rename` function first
> unlinks the destination.)
> https://gitweb.torproject.org/tor.git/tree/src/feature/relay/router.c?h=tor-0.4.6.9#n497
>
> But a slight variation does work: make secret_onion_key.old and
> secret_onion_key_ntor.old *directories*, so that tor_rename cannot rename a
> file over them. It does result in an hourly `BUG` stack trace, but otherwise
> it seems effective.
>
> I did a test with two tor instances. The rot1 instance had the directory hack
> to prevent onion key rotation. The rot2 had nothing to prevent onion key
> rotation.

I did not follow the thread closely, but if you want a file's or directory's contents to be unchangeable, and not allowed to be renamed/deleted even by root, there's the "immutable" attribute (chattr +i).

--
With respect,
Roman
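To make the two observations in the thread concrete (a read-only key file does not stop the rename, a directory at the `.old` path does), here is an added example that is not from the thread or from tor's source: it simulates the unlink-then-rename behaviour attributed to `tor_rename` and the hourly rotation step on constructed placeholder files in a temporary directory.

```python
import os
import stat
import tempfile

KEY = "secret_onion_key"   # same file name tor uses; contents below are constructed
OLD = KEY + ".old"


def tor_rename(src, dst):
    """Simulate tor_rename() as described in the thread: unlink the
    destination first, then rename src over it. Returns True on success."""
    try:
        os.unlink(dst)
    except FileNotFoundError:
        pass            # no previous .old file, nothing to remove
    except OSError:
        return False    # EISDIR/EPERM: dst is a directory, cannot unlink it
    try:
        os.rename(src, dst)
    except OSError:
        return False    # rename of a file over a directory also fails
    return True


def rotate_onion_key(keydir):
    """Simulate one rotation: move the current key aside, write a fresh one.
    Returns True only if the key on disk actually changed."""
    key = os.path.join(keydir, KEY)
    with open(key, "rb") as f:
        before = f.read()
    if not tor_rename(key, os.path.join(keydir, OLD)):
        return False
    with open(key, "wb") as f:
        f.write(os.urandom(32))   # stand-in for a freshly generated onion key
    with open(key, "rb") as f:
        return f.read() != before


def rotation_succeeds(protect):
    """protect is 'none', 'readonly' (chmod 0444 on key and .old) or
    'directory' (the .old path is a directory, the hack from the thread)."""
    with tempfile.TemporaryDirectory() as keydir:
        key, old = os.path.join(keydir, KEY), os.path.join(keydir, OLD)
        with open(key, "wb") as f:
            f.write(b"CURRENT-KEY")            # constructed placeholder
        if protect == "readonly":
            with open(old, "wb") as f:
                f.write(b"OLD-KEY")            # constructed placeholder
            for p in (key, old):               # file mode does not govern rename/unlink;
                os.chmod(p, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)  # the directory's does
        elif protect == "directory":
            os.mkdir(old)
        return rotate_onion_key(keydir)
```

Running `rotation_succeeds` for each mode shows the read-only case still rotates, while the directory case is the only one of the two that blocks it; the `chattr +i` approach is not simulated here because it needs root and an ext-style filesystem.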
