[tor] Re: syncing MyFamily and ExitPolicy
- From: Jim <jimmymac@xxxxxxxxxx>
- To: torservers@xxxxxxxxxxxxx
- Date: Wed, 06 Apr 2011 19:56:12 -0600
Moritz Bartl wrote:
> Why not give the SSH user limited SUDO rights for /etc/init.d/tor , and
> add it to the group that can edit /etc/tor/* ?
>
> I think it should be better discussed on IRC, the mailing list should
> not be spammed to much IMHO. We have a lot of subscribers that are not
> interested in the gory tech details I believe.
Just a quick comment for this list since "I don't do IRC" (and I don't
have much technical to add anyway). I just wanted to point out that
when you do public key authentication on SSH, you can restrict which
command can be run. If that command is a script that can only change
MyFamily data then you have significantly reduced damage that can be
done by an attacker. You can also add an option that limits which host
names (obtained via reverse DNS) are allowed to execute that command.
(Reverse DNS can be compromised, but that is one additional hoop for the
attacker to jump through.)
Just a thought ...
Jim
Other related posts:
