From 0b6a2e761bc14d90725beda5b31f1637a599d163 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Peter=20M=C3=BCller?= Date: Sat, 25 Sep 2021 09:07:58 +0200 Subject: [PATCH] Tor: Enable syscall sandbox MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit This makes post-exploitation activities harder, in case the local Tor instance has been compromised. It is worth noticing that Tor won't respond to a "GETINFO address" command on the control port if sandboxed, but our CGI does not make use of it, and neither is any legitimate service on IPFire doing so. Tested on a small middle relay running on an IPFire machine. Signed-off-by: Peter Müller Signed-off-by: Arne Fitzenreiter --- html/cgi-bin/tor.cgi | 1 + 1 file changed, 1 insertion(+) diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi index 3349336aea..ce579aec11 100644 --- a/html/cgi-bin/tor.cgi +++ b/html/cgi-bin/tor.cgi @@ -730,6 +730,7 @@ sub BuildConfiguration() { open(FILE, ">$torrc"); # Global settings. + print FILE "Sandbox 1\n"; print FILE "ControlPort $TOR_CONTROL_PORT\n"; if ($settings{'TOR_ENABLED'} eq 'on') { -- 2.39.5