[or-cvs] Update control-spec.txt; some minor changes; more thoughts ...
Nick Mathewson
nickm at seul.org
Wed Nov 3 19:57:45 UTC 2004
Update of /home/or/cvsroot/doc
In directory moria.mit.edu:/tmp/cvs-serv16954/doc
Modified Files:
control-spec.txt
Log Message:
Update control-spec.txt; some minor changes; more thoughts on authentication
Index: control-spec.txt
===================================================================
RCS file: /home/or/cvsroot/doc/control-spec.txt,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- control-spec.txt 3 Nov 2004 01:32:26 -0000 1.3
+++ control-spec.txt 3 Nov 2004 19:57:43 -0000 1.4
@@ -19,8 +19,8 @@
TC is a bidirectional message-based protocol. It assumes an underlying
stream for communication between a controlling process (the "client") and
a Tor process (the "server"). The stream may be implemented via TCP,
-TLS-over-TCP, a Unix pipe, or so on. For security, the stream should not be
-observable by untrusted parties.
+TLS-over-TCP, a Unix-domain socket, or so on. For security, the stream
+should not be observable by untrusted parties.
In TC, the client and server send typed variable-length messages to one
another over the underlying stream. By default, all messages from the server
@@ -76,14 +76,17 @@
3.4. GETCONF (Type 0x0003)
- Request the value of a configuration variable. The body contains a
- nul-terminated string for a configuration key. The server replies with a
- CONFVALUE message.
+ Request the value of a configuration variable. The body contains one or
+ more nul-terminated strings for configuration keys. The server replies
+ with a CONFVALUE message.
3.5. CONFVALUE (Type 0x0004)
- Sent in response to a GETCONF message; contains a nul-terminated key string
- and a nul-terminated value string.
+ Sent in response to a GETCONF message; contains a list of nul-terminated
+ key strings followed by nul-terminated value strings.
+
+ [XXXX note that you'll get more keys than you expect with things like
+ loglevel.]
3.6. SETEVENTS (Type 0x0005)
@@ -143,8 +146,27 @@
4. Implementation notes
-On Unix, we should use a named pipe on the fs and use filesystem privileges
-to authenticate. On Win32, a password/magic cookie may be in order.
+There are four ways we could authenticate, for now:
+
+ 1) Listen on 127.0.0.1; trust all local users.
+
+ 2) Write a named socket in tor's data-directory or in some other location;
+ rely on the OS to ensure that only authorized users can open it. (NOTE:
+ the Linux unix(7) man page suggests that some BSDs don't enforce
+ authorization.) If the OS has named sockets, and implements
+ authentication, trust all users who can read Tor's data directory.
+
+ 3) Write a random magic cookie to the FS in Tor's data-directory; use that
+ magic cookie for authentication. Trust all users who can read Tor's data
+ directory.
+
+ 4) Store a salted-and-hashed passphrase in Tor's configuration. Use the
+ passphrase for authentication. Trust all users who know the passphrase.
+
+
+On Win32, our only options are 1, 3, and 4. Since the semantics for 2 and 3
+are so similar, I'm recommending that we not support 2, and just always bind
+on 127.0.0.1. I've implemented 3 and 4; 1 would be trivial. -NM
-----------
(for emacs)
More information about the tor-commits
mailing list