search

nyxnor / tor-ctrl

Raw use of tor's controller
Other
5 stars 3 forks source link

[DISCUSSION] try connecting to all control sockets found? #16

Closed nyxnor closed 2 years ago

nyxnor commented 2 years ago

Is it dangerous? Not sure.

tor-ctrl fails on TailsOS if letting it get the first socket because /run/tor/control, even though the permissions are the same as on debian (srw-rw----) and conf:

ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
ControlSocketsGroupWritable 1

files:

tests:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl SIGNAL NEWNYM
nc: unix connect failed: Permission denied
tor-ctrl: nc: Connetion refused to /run/tor/control

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s /run/tor/control SIGNAL NEWNYM
nc: unix connect failed: Permission denied
tor-ctrl: nc: Connetion refused to /run/tor/control

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s /run/tor/control SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s /run/tor/control SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9051 SIGNAL NEWNYM
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

Also the torrc is owned by user and group debian-tor, so even though on /lib/systemd/system/tor@default.service has --defaults-torrc and -f (ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0), it wil never read /etc/tor/torrc because it will receive permission denied because /lib/systemd/system/tor@default.service.d/writable-etc-tor.conf has:

[Service]

# SAVECONF requires tor to be allowed to modify its own configuration
ProtectSystem=yes
ReadWriteDirectories=-/etc/tor

and /etc/apparmor.d/system_tor giver permission to tor to write to /etc/tor: /etc/tor/* w,

and running --verify-config:

tor --verify-config --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc
[redacted]
[notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[warn] Could not open "/etc/tor/torrc": Permission denied
[warn] Unable to open configuration file "/etc/tor/torrc".
[err] Reading config failed--see warnings above.

and on /etc/tor/torrc, the control socket set there is ControlPort 127.0.0.1:9052. Which is only connectable if run as the tor user or root:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9052 SIGNAL NEWNYM
tor-ctrl: nc: Connetion refused to 127.0.0.1:9052

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9052 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
250 OK
250 closing connection

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9052 GETCONF User
tor-ctrl: nc: Connetion refused to 127.0.0.1:9052

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

And even though the I couldn't find the ControlPort 127.0.0.1:9051 on any configuration file that tor starts with:

amnesia@amnesia:~/tor-ctrl$ sudo grep -E "^ControlPort [^ ]*|^ControlSocket [^ ]*" /usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc
[sudo] password for amnesia:     
/usr/share/tor/tor-service-defaults-torrc:ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
/etc/tor/torrc:ControlPort 127.0.0.1:9052

the command is filtered on port 9051 even if running as root or the tor user:

amnesia@amnesia:~/tor-ctrl$ tor-ctrl -s 9051 SIGNAL NEWNYM
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9051 SIGNAL NEWNYM
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

Tails filter commands on port 9051 (and can be run as the user amnesia), but not on port 9052 (which can only be used as the tor user or root)

Besides the filter port 9051, it does not work as expected, signal newnym does not change the circuits, but on 9052, which is not filtered, it works. Tested using:

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

sudo -u debian-tor tor-ctrl -s 9051 signal newnym

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

sudo -u debian-tor tor-ctrl -s 9052 signal newnym

curl -x socks5h://127.0.0.1:9050 https://check.torproject.org/api/ip

So, I could cycle the available control sockets trying to connect to all of them, and if any connect, use it, else fail obviously. Using multiple control ports/sockets means that every socket can be used to connect to the controller, so why not? tor-ctrl is alreday

nyxnor commented 2 years ago

so on tails, to run tor-ctrl, need to run it as the tor user (debian-tor)

this uses /run/tor/control:

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

and port 9052:

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:     
250 OK
250 User=debian-tor
250 closing connection

port 9051 does not work:

amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9051 GETCONF User
[sudo] password for amnesia:     
250 OK
510 Command filtered
250 closing connection

the filter in fact blocks it, it is not even sent to the controller as tested with SIGNAL NEWNYM.

nyxnor commented 2 years ago

the problem was not the socket, any socket should work, the problem is by whom they are owned and if owned by another user, such as the tor user, need to run tor-ctrl as the tor user. Documenting this.