  • #24755
Closed
Created Dec 28, 2017 by Trac@tracbot

Shell scripts refactoring and bash privacy leak. Heredoc should not be used in start-tor-browser script.

In most shells (including bash), heredocs, i.e. << and <<<, are implemented by creating temporary files in TMP. In the case of bash these are files like /tmp/sh-thd-1234567890. This can be checked using the command [[https://unix.stackexchange.com/questions/21602/shell-programming-avoiding-tempfiles|[1]]]

sleep 3 <<<"here string" & lsof -p $! | grep 0r

Furthermore, these TMP files may remain if, e.g., the shell script crashes. There have been complaints that these files are still accessible through file descriptors even after removal [[http://gnu-bash.2382.n7.nabble.com/bash-leaks-sh-np-NNN-files-and-pipes-in-tmp-when-command-substitution-is-used-td12719.html|[2]]], [[https://groups.google.com/forum/#!topic/gnu.bash.bug/qMjhPmg4OBw|[3]]].

Since TBB and similar applications are intended to be portable, they should not leave traces outside of their portable directory. However, bash commands in scripts like start-tor-browser may run when a separate TMP for TBB is not yet set, i.e. the system TMP (/tmp), which is not always mounted in memory, may be used. This means that traces (that TBB was used) will be created outside of the TBB directory. This is a minor leak in comparison to the elephant [[https://trac.torproject.org/projects/tor/ticket/7449|7449]] (yet unfixed), but it is still a leak.

In general, if TMP for TBB is created before the use of a heredoc command in the script, it should be fine. However, as heredoc is a potentially leaky and dangerous thing, it should be avoided in secure scripts. One could use a simple echo command instead.

Now start-tor-browser has at least one cat <<EOF. AFAIK, tor-messenger also has this problem. By the way, in this case writing cat <<"EOF" (i.e. with quotation) is the safer alternative, as variable substitution will not be done, and the substituted text will be verbatim. Moreover, the new, safer notation $(command) should be used instead of old-style backquotes (`command`) in start-tor-browser.

There are also other things in this script which are often considered to be bad practice. In particular,

  1. Multi-character variable names should always be in braces (${show_output} instead of $show_output).
  2. Quotation "" should be used everywhere and in all assignments.
  3. [[ and ]], as a much safer alternative, should be used instead of [ and ]. I would refer to the Google shell style guide [[https://google.github.io/styleguide/shell.xml|[4]]] as a good starting point to learn how to write secure shell scripts.

All these notes should be applied to all shell scripts within Tor Project.

Trac:
Username: asan
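The heredoc leak and the style points in the report, as an added example that is not part of the report or of the Tor Browser scripts: a small POSIX-sh lint that counts the flagged constructs (<<, backquotes, single-bracket tests) in a script, beside a printf form that produces the same output as a cat <<EOF block without a temporary file. The sample script, its path and the function names are constructed for this example.

```shell
#!/bin/sh
# Heuristic lint: count lines in a script that use a heredoc/here-string (<<),
# backquote command substitution, or the single-bracket test builtin.
# Usage: lint_script FILE  -> prints "heredoc N backtick N bracket N"
lint_script() {
    _f="$1"
    _h=$(grep -c '<<' "$_f" || true)
    _b=$(grep -c '`' "$_f" || true)
    _t=$(grep -cE '(^|[[:space:]])\[[[:space:]]' "$_f" || true)
    printf 'heredoc %s backtick %s bracket %s\n' "${_h}" "${_b}" "${_t}"
}

# The form the report flags: bash backs this heredoc with a file in TMP.
banner_heredoc() {
    cat <<EOF
Tor Browser helper
profile: $1
EOF
}

# Same output without a heredoc: printf writes straight to stdout, so no
# temporary file is created. The argument is quoted and braced.
banner_printf() {
    printf 'Tor Browser helper\nprofile: %s\n' "${1}"
}

# Constructed sample script containing each flagged construct once. It is
# written to the current directory rather than /tmp, for the reason the
# report gives. Prints the path it created.
make_sample() {
    _out="./sample_start_script.sh"
    {
        printf '%s\n' '#!/bin/bash'
        printf '%s\n' 'show_output=`basename $0`'
        printf '%s\n' 'if [ $show_output = "x" ]; then echo yes; fi'
        printf '%s\n' 'cat <<EOF'
        printf '%s\n' 'hello $show_output'
        printf '%s\n' 'EOF'
    } > "${_out}"
    printf '%s\n' "${_out}"
}
```

Running lint_script over a real start script gives a quick count of how many heredocs and backquotes remain to be replaced; the two banner functions show that the replacement is output-identical.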
