path: root/doc/control-spec.txt
Diffstat (limited to 'doc/control-spec.txt')
-rw-r--r--  doc/control-spec.txt  40
1 files changed, 31 insertions, 9 deletions
diff --git a/doc/control-spec.txt b/doc/control-spec.txt
index b1ef21e212..1a886e5889 100644
--- a/doc/control-spec.txt
+++ b/doc/control-spec.txt
@@ -19,8 +19,8 @@ forward-compatible.
TC is a bidirectional message-based protocol. It assumes an underlying
stream for communication between a controlling process (the "client") and
a Tor process (the "server"). The stream may be implemented via TCP,
-TLS-over-TCP, a Unix pipe, or so on. For security, the stream should not be
-observable by untrusted parties.
+TLS-over-TCP, a Unix-domain socket, or so on. For security, the stream
+should not be observable by untrusted parties.
In TC, the client and server send typed variable-length messages to one
another over the underlying stream. By default, all messages from the server
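Review bot: the security requirement on the transport is stated only in terms of observability ("should not be observable by untrusted parties"), but a controller stream that an untrusted party can write to or inject into is just as dangerous as one it can read, since every message on it is a command to Tor. Suggest widening the sentence to "should not be observable or writable by untrusted parties", and noting that of the listed transports only a local Unix-domain socket or TLS-over-TCP can satisfy this; plain TCP satisfies it only when bound to the loopback interface.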
@@ -76,14 +76,17 @@ the message.
3.4. GETCONF (Type 0x0003)
- Request the value of a configuration variable. The body contains a
- nul-terminated string for a configuration key. The server replies with a
- CONFVALUE message.
+ Request the value of a configuration variable. The body contains one or
+ more nul-terminated strings for configuration keys. The server replies
+ with a CONFVALUE message.
3.5. CONFVALUE (Type 0x0004)
- Sent in response to a GETCONF message; contains a nul-terminated key string
- and a nul-terminated value string.
+ Sent in response to a GETCONF message; contains a list of nul-terminated
+ key strings followed by nul-terminated value strings.
+
+ [XXXX note that you'll get more keys than you expect with things like
+ loglevel.]
3.6. SETEVENTS (Type 0x0005)
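Review bot: the new CONFVALUE body format is ambiguous as written: "a list of nul-terminated key strings followed by nul-terminated value strings" can be read either as interleaved pairs (key, value, key, value, ...) or as all keys followed by all values, and the XXXX note admits the reply can carry more keys than were requested, so a client cannot recover the pairing from the number of keys it sent. Suggest specifying the layout explicitly (interleaved key/value pairs is the simplest to parse) and resolving the XXXX placeholder before merge, including what the server sends for a key it does not recognize, since GETCONF now accepts several keys in one message and the current text does not say whether one bad key fails the whole request.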
@@ -143,8 +146,27 @@ the message.
4. Implementation notes
-On Unix, we should use a named pipe on the fs and use filesystem privileges
-to authenticate. On Win32, a password/magic cookie may be in order.
+There are four ways we could authenticate, for now:
+
+ 1) Listen on 127.0.0.1; trust all local users.
+
+ 2) Write a named socket in tor's data-directory or in some other location;
+ rely on the OS to ensure that only authorized users can open it. (NOTE:
+ the Linux unix(7) man page suggests that some BSDs don't enforce
+ authorization.) If the OS has named sockets, and implements
+ authentication, trust all users who can read Tor's data directory.
+
+ 3) Write a random magic cookie to the FS in Tor's data-directory; use that
+ magic cookie for authentication. Trust all users who can read Tor's data
+ directory.
+
+ 4) Store a salted-and-hashed passphrase in Tor's configuration. Use the
+ passphrase for authentication. Trust all users who know the passphrase.
+
+
+On Win32, our only options are 1, 3, and 4. Since the semantics for 2 and 3
+are so similar, I'm recommending that we not support 2, and just always bind
+on 127.0.0.1. I've implemented 3 and 4; 1 would be trivial. -NM
-----------
(for emacs)
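Review bot: the authentication section lists the four options but never states the default when neither a cookie (3) nor a passphrase (4) has been configured; with the recommendation to always bind 127.0.0.1, an unconfigured Tor would silently fall into option 1 and trust every local user. Suggest stating that default explicitly (preferably refusing control connections until 3 or 4 is set up). For option 3 the text should also say that the cookie file is created with owner-only permissions and regenerated on each start, since "trust all users who can read Tor's data directory" is only as strong as those permissions; and for option 4 the salt and hash construction need to be named so that independent controllers can interoperate. Minor style point: lines with two consecutive "+" blank lines before "On Win32" leave a double blank line in the file.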