author Jacob Appelbaum <jacob@appelbaum.net> 2009-10-21 21:21:57 -0700
committer Roger Dingledine <arma@torproject.org> 2009-10-27 04:28:40 -0400
commit 2aac39a779c125dbc0cc510d0c306e9df83b33c4
tree fb6a968284cdd2e83525b1e459b22d65761562f4 /doc
parent 56c2385157ee3fac81bb3f0c44fd933e0063ccde
Implement DisableAllSwap to avoid putting secret info in page files.
This commit implements a new config option: 'DisableAllSwap'. This option probably only works properly when Tor is started as root.

We added two new functions: tor_mlockall() and tor_set_max_memlock(). tor_mlockall() attempts to mlock() all current and all future memory pages. For tor_mlockall() to work properly we set the process rlimits for memory to RLIM_INFINITY (and beyond) inside of tor_set_max_memlock(). We behave differently from mlockall() by only allowing tor_mlockall() to be called one single time. All other calls will result in a return code of 1. It is not possible to change DisableAllSwap while running.

A sample configuration item was added to the torrc.complete.in config file. A new item in the man page for DisableAllSwap was added.

Thanks to Moxie Marlinspike and Chris Palmer for their feedback on this patch.

Please note that we make no guarantees about the quality of your OS and its mlock/mlockall implementation. It is possible that this will do nothing at all. It is also possible that you can ulimit the mlock properties of a given user such that root is not required. This has not been extensively tested and is unsupported. I have included some comments for possible ways we can handle this on win32.
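A sketch of the approach the commit message describes (raise the locked-memory limit, lock current and future pages, allow only one attempt), added here as an example and not taken from Tor's source. The names `raise_memlock_limit` and `lock_all_memory_once` are hypothetical, and the 0 and -1 return codes are an assumption; only the 1 on repeat calls comes from the message.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/resource.h>

/* Hypothetical helper: raise RLIMIT_MEMLOCK as far as this process may.
 * Returns 0 if the limit is now unlimited, 1 if only the soft limit could
 * be raised to a finite hard limit, -1 on error. */
static int raise_memlock_limit(void)
{
    struct rlimit cur;
    struct rlimit want = { RLIM_INFINITY, RLIM_INFINITY };

    if (getrlimit(RLIMIT_MEMLOCK, &cur) != 0)
        return -1;
    if (setrlimit(RLIMIT_MEMLOCK, &want) == 0)
        return 0;                     /* typically needs root or CAP_IPC_LOCK */

    /* Unprivileged path: the hard limit set by the administrator (ulimit -l)
     * is the ceiling, so raise the soft limit up to it. */
    cur.rlim_cur = cur.rlim_max;
    if (setrlimit(RLIMIT_MEMLOCK, &cur) != 0)
        return -1;
    return cur.rlim_max == RLIM_INFINITY ? 0 : 1;
}

/* Hypothetical wrapper: returns 0 on success, -1 if locking failed, and 1
 * on every call after the first, whether or not the first one succeeded. */
int lock_all_memory_once(void)
{
    static int attempted = 0;

    if (attempted)
        return 1;
    attempted = 1;

    if (raise_memlock_limit() < 0)
        fprintf(stderr, "RLIMIT_MEMLOCK not adjusted: %s\n", strerror(errno));

    /* MCL_CURRENT pins pages already mapped; MCL_FUTURE pins later mappings. */
    if (mlockall(MCL_CURRENT | MCL_FUTURE) != 0) {
        fprintf(stderr, "mlockall failed: %s\n", strerror(errno));
        return -1;                    /* caller must not assume swap is off */
    }
    return 0;
}

int main(void)
{
    int first = lock_all_memory_once();
    printf("first=%d second=%d\n", first, lock_all_memory_once());
    return first == 0 ? 0 : 1;
}
```

On Linux, the `VmLck` field in `/proc/<pid>/status` shows how much memory a running process actually has locked.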
Diffstat (limited to 'doc')
-rw-r--r-- doc/tor.1.in 13
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/tor.1.in b/doc/tor.1.in
index 739b889fb5..1a71026aad 100644
--- a/doc/tor.1.in
+++ b/doc/tor.1.in
@@ -234,6 +234,19 @@ the default hidden service authorities, but not the directory or
bridge authorities.
.LP
.TP
+\fBDisableAllSwap \fR\fB0\fR|\fB1\fR\fP
+If set to 1, Tor will attempt to lock all current and future memory pages.
+On supported platforms, this should effectively disable any and all attempts
+to page out memory. Under the hood, DisableAllSwap uses mlockall() on unix-like
+platforms. Windows is currently unsupported. We believe that this feature works
+on modern Gnu/Linux distributions. Mac OS X appears to be broken by design. On
+reasonable *BSD systems it should also be supported but this is untested. This
+option requires that you start your Tor as root. If you use DisableAllSwap,
+please consider using the User option to properly reduce the privileges of
+your Tor.
+(Default: 0)
+.LP
+.TP
\fBFetchDirInfoEarly \fR\fB0\fR|\fB1\fR\fP
If set to 1, Tor will always fetch directory information like other
directory caches, even if you don't meet the normal criteria for
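Review bot: The new DisableAllSwap entry never says that the option cannot be changed while Tor is running, although the commit message states this; add a sentence such as "This option cannot be changed while Tor is running." The entry also does not say what Tor does when the lock attempt fails, so a reader who sets the option to 1 cannot tell from the man page whether Tor refuses to start or continues with swappable memory. "This option requires that you start your Tor as root" is stronger than the commit message, which says it "probably only works properly" as root and that a user's mlock limit may be raised so root is not required; consider matching that wording. Minor: "Gnu/Linux" should be "GNU/Linux", and "Mac OS X appears to be broken by design" would help the reader more if it said what fails there.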