webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

Tor: Enable syscall sandbox

Browse Source 
This makes post-exploitation activities harder, in case the local Tor
instance has been compromised. It is worth noticing that Tor won't
respond to a "GETINFO address" command on the control port if sandboxed,
but our CGI does not make use of it, and neither is any legitimate
service on IPFire doing so.

Tested on a small middle relay running on an IPFire machine.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This commit is contained in:
Peter Müller
2021-09-25 09:07:58 +02:00
committed by Arne Fitzenreiter
parent 0e0c1a8aec
commit 0b6a2e761b
1 changed files with 1 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
html/cgi-bin/tor.cgi
View File

@@ -730,6 +730,7 @@ sub BuildConfiguration() {
open(FILE, ">$torrc");
# Global settings.
print FILE "Sandbox 1\n";
print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {