This makes post-exploitation activities harder, in case the local Tor
instance has been compromised. It is worth noticing that Tor won't
respond to a "GETINFO address" command on the control port if sandboxed,
but our CGI does not make use of it, and neither is any legitimate
service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
open(FILE, ">$torrc");
# Global settings.
open(FILE, ">$torrc");
# Global settings.
+ print FILE "Sandbox 1\n";
print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {
print FILE "ControlPort $TOR_CONTROL_PORT\n";
if ($settings{'TOR_ENABLED'} eq 'on') {