[Pkg-privacy-maintainers] Bug#859125: RFP: onion-grater - Whitelisting Tor Control Protocol Filter

Patrick Schleizer adrelanos at riseup.net
Thu Mar 30 14:43:00 UTC 2017

Package: wnpp
Severity: wishlist
X-Debbugs-CC: pkg-privacy-maintainers at lists.alioth.debian.org

* Package name    : onion-grater
  Version         : 3.0
  Upstream Author : anonym (Tails project)
* URL             : https://github.com/Whonix/onion-grater
* License         : GPL-3+
  Programming Lang: python3
  Description     : Whitelisting Tor Control Protocol Filter

long description:

Filters out Tor control protocol commands that are dangerous for
anonymity such as GETINFO ADDRESS using a whitelist. Acts as a proxy
between the client application and Tor.

use case:

onion-grater would be a great addition to Debian because it would
improve usability and security for users that use applications using
Tor's ControlPort.

onion-grater is a Tor ControlPort filter written by anonym (Tails
project) that has been packaged by Patrick Schleizer (Whonix project).
The packaged version of onion-grater depends on genmkfile.

At the moment applications such as onionshare and ricochet that use Tor
ephemeral hidden services will not work out of the box. This is
because, rightly so, user accounts do not have write access to Tor's
ControlSocket file /var/run/tor/control for security reasons.

Users have to add themselves to the debian-tor group by using "sudo
adduser user debian-tor" which is a usability issue (command line
required for otherwise easy to use applications) as well as a security
issue since then they have full unfiltered Tor ControlPort access from
their user account. (Unfiltered Tor ControlPort allows running commands
such as 'GETINFO address' which reveals one's real external IP address,
which is bad in case of application compromise since that is counter to
what users of Tor want.)

To work around this issue, onionshare started to depend on
torbrowser-launcher, because torbrowser-launcher would install the Tor
Browser Bundle and require that running since that would provide Tor
ControlPort access without the user having to add themselves to the
debian-tor group.

Once onion-grater was in Debian, onionshare could depend on
onion-grater. onion-grater could provide a unix domain socket file that
is readable and writeable by any application. onion-grater would enforce
proper filtered access. Then onionshare could ship an onion-grater
profile and use onion-grater.

This would improve usability, since the user would no longer have to add
oneself to the debian-tor group. onionshare and other applications would
work out of the box with no configuration required. It would also
improve security, since a compromised user account would only have
limited access to Tor's available control protocol commands.

If I understood this right, this approach found consensus among anonym
and intrigeri (Tails project), Micah Lee (onionshare) and me (Patrick
Schleizer, Whonix project).

onion-grater would also be installed by default in the derivatives of
Debian, Tails and Whonix.

packaging effort:

Hopefully very little. The /debian folder has already been implemented
and tested in Whonix (a derivative of Debian). The package is lintian
--pedantic clean. Since the package is rather simple, no compiled code,
just scripts, it should be already reproducible. Ideally, a Debian
Developer could easily build it and upload to Debian. Please tell me if
any changes are required to make it fit for inclusion into Debian.

license file:



Just one dependency that is not in Debian yet. genmkfile [1]. But
hopefully easy to get into Debian?


Should be as simple as three commands. apt-get installing the build and
runtime dependencies, creating an upstream tarball and then creating a
deb package.

sudo apt-get --yes --no-install-recommends install debhelper genmkfile \
  dh-systemd dh-apparmor adduser tor python3 python3-psutil python3-stem \
  python3-yaml python3-sdnotify

make dist



[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859121
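
The whitelisting idea described in this request (a proxy that forwards only approved control protocol commands and refuses the rest, such as GETINFO address), shown as an added example that is not onion-grater's code. The PROFILE layout, the filter_line name and the reply text are assumptions made for this example.

```python
import re

# Constructed whitelist for a hypothetical file-sharing client. The layout is
# an assumption for this example, not onion-grater's own profile format.
# per_arg=True: every space-separated argument must match an allowed regex.
# per_arg=False: the whole argument string must match an allowed regex.
PROFILE = {
    "GETINFO": {"per_arg": True, "allow": [r"version", r"onions/current"]},
    "ADD_ONION": {"per_arg": False,
                  "allow": [r"NEW:BEST Port=80,127\.0\.0\.1:\d{1,5}"]},
}

FILTERED = "510 Command filtered\r\n"  # reply text chosen for this example


def _allowed(value, patterns):
    # fullmatch, so "version" does not also admit "version/extra"
    return any(re.fullmatch(p, value) for p in patterns)


def filter_line(raw, profile=PROFILE):
    """Return ("forward", line_for_tor) or ("reject", reply_for_client)."""
    line = raw[:-2] if raw.endswith("\r\n") else raw.rstrip("\n")
    # One command per line: an embedded CR/LF would smuggle a second command
    # past the filter, so such input is refused outright.
    if "\r" in line or "\n" in line or not line.strip():
        return ("reject", FILTERED)
    keyword, _, args = line.strip().partition(" ")
    rule = profile.get(keyword.upper())  # command keywords are case-insensitive
    if rule is None:  # default deny: anything not listed is refused
        return ("reject", FILTERED)
    args = args.strip()
    if rule["per_arg"]:
        # GETINFO accepts several keys at once; one bad key rejects the line.
        values = args.split()
        ok = bool(values) and all(_allowed(v, rule["allow"]) for v in values)
    else:
        ok = _allowed(args, rule["allow"])
    if not ok:
        return ("reject", FILTERED)
    return ("forward", f"{keyword.upper()} {args}\r\n")
```
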
