Hi anonymous user,
On Mon, 31 Jul 2023 11:25:54 +0000 [email protected] wrote:
> Package: tor
> Version: 0.4.7.13-1
> Severity: grave
>
> Dear Maintainer,
>
> please do not autostart the tor system service immediately after installing
> it using `apt install tor`.
>
> Current behavior reveals that the user installed the tor package, because
> connections to the tor network start immediately after the package is
> installed. This is problematic for a great many reasons. If apt is configured
Which are those reasons that warrant RC status of this bug? If I install tor,
I'm bound to use it, otherwise I wouldn't do it.
> to use https sources, then it is unlikely a network observer would know that
> the tor package was being downloaded (unless they can correlate the size of
> the download with the package size of tor and dependencies, and even that is
> not a definitive proof).
This has already been proven feasible, since the byte sizes of the packages are
public knowledge. Also, a network observer will see that you have installed it when
you use it. So I don't see a privacy/security breach here.
> Users don't expect the tor service to start immediately after installing it,
> nor do they expect it to start automatically on every boot of their system.
> If users even want to use the tor service, then they generally configure it
> first before autostarting it (to setup bridges for example).
Indeed, in the case of setting up a tor bridge, not autostarting might be a good
idea. However, this can trivially be done by masking the service (e.g.
`systemctl mask tor.service`) before installation. You can also provide a
/etc/tor/torrc before installing the package, and that will be used after
installation.
> I want to point out that users are not informed about nor asked for any
> consent to these immediate outside connections to the tor network. No privacy
> policy or warnings are presented to the user after `apt install tor`, the
> service simply starts and connects to tor with no indication that this is
> happening.
I'd argue that users do expect it, as it is the way all other daemons on Debian
are started when installed. This has been the default for a long time. Can you
back up that claim somehow?
> The service should be shipped in a disabled state, so that it does not start
> on system boot, nor should the service start immediately after installing
> tor. If users wish to run the service on the system level automatically on
> every boot then they can do so by doing `systemctl enable tor.service`. If
> the tor maintainer really wishes to keep the automatic start of tor service
> on installation as default behavior, then they should at least create a
> debconf interface that asks the users if that is what they really wish to
> happen, so that users can give their informed consent.
That would not be a feasible option, as this is considered "debconf abuse" [0].
The other problem is that it wouldn't be shown in non-interactive sessions,
using for example puppet, ansible or Chef to install it.

[0] https://www.debian.org/doc/manuals/developers-reference/best-pkging-practices.html#do-not-abuse-debconf
> Additionally, many users simply start the tor executable directly, with
> configuration files in their home directory, when they need it instead of
> automatically.
I'm not convinced this is a common usage pattern. However, if you can convince
the maintainer it is, it might be worth splitting the package in tor-bin and
tor-server packages, the former containing the binary, and the latter containing
the service files starting the daemon. This would be a separate bug report, though.
> When users start the service manually, they are at least presented with this
> information:
>
> [notice] Tor can't help you if you use it wrong! Learn how to be safe at
> https://support.torproject.org/faq/staying-anonymous
>
> Please do not autostart the tor system service immediately after installing
> it using `apt install tor`.
All in all I believe this could be implemented if you can bring up convincing
arguments why this is dangerous behaviour. In that case it would not be started,
and the steps to get it to autostart would be documented in
/usr/share/doc/tor/README.Debian. Since I don't believe this falls in the
severity of "grave" as defined in [1] (the package works for most people, it
does not cause data loss nor does it introduce security holes on the system), I'm
changing the bug severity.

[1] https://www.debian.org/Bugs/Developer#severities
Greetings,
Lee
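The two pre-installation steps Lee describes above (mask `tor.service` before `apt install tor`, and drop a `/etc/tor/torrc` in place beforehand) as an added, self-contained shell example; it is not code from the bug report or from the Debian tor package. It assumes systemd's masking convention (a symlink from the unit name in `/etc/systemd/system` to `/dev/null`, which is what `systemctl mask` creates) and takes an optional root directory argument so the same functions can be exercised against a scratch directory; on a real host the argument is `/` and the commands need root. The torrc contents are a constructed sample.

```shell
#!/bin/sh
# Added example: prepare a Debian host so that `apt install tor` does not
# start the daemon with the stock configuration. Not part of the bug report
# or of the tor package. ROOT="/" on a real system (needs root); a scratch
# directory can be passed instead to try the functions without privileges.

# Mask tor.service the way `systemctl mask tor.service` does: systemd refuses
# to start a unit whose file in /etc/systemd/system is a symlink to /dev/null.
# The unit directory is created if the package has not been installed yet.
mask_tor_service() {
    root="${1:-/}"
    unitdir="$root/etc/systemd/system"
    mkdir -p "$unitdir"
    ln -sfn /dev/null "$unitdir/tor.service"
}

# Seed /etc/tor/torrc before installation so the daemon, once you do enable
# it, runs with your settings (e.g. bridge lines) instead of the defaults.
# The content below is a constructed sample, not the package's torrc.
seed_torrc() {
    root="${1:-/}"
    mkdir -p "$root/etc/tor"
    if [ ! -f "$root/etc/tor/torrc" ]; then
        cat > "$root/etc/tor/torrc" <<'EOF'
# Pre-seeded before `apt install tor` (constructed sample).
# Add UseBridges / Bridge lines here before enabling the service.
SocksPort 9050
EOF
    fi
}

# Returns 0 if tor.service is masked under ROOT, 1 otherwise.
tor_service_is_masked() {
    root="${1:-/}"
    [ "$(readlink "$root/etc/systemd/system/tor.service" 2>/dev/null)" = "/dev/null" ]
}

# Run both steps and confirm the mask is in place before apt is invoked.
prepare_tor_install() {
    root="${1:-/}"
    mask_tor_service "$root"
    seed_torrc "$root"
    tor_service_is_masked "$root"
}

# Usage on a real host (as root):
#   prepare_tor_install /
#   apt install tor
#   systemctl is-active tor.service   # expected: inactive
# Later, once torrc is final: systemctl unmask tor.service && systemctl enable --now tor.service
if [ "${1:-}" = "run" ]; then
    prepare_tor_install "${2:-/}"
fi
```

`tor_service_is_masked` only inspects the filesystem, so it can be used both before installation (to confirm the mask landed) and afterwards, alongside `systemctl is-active tor.service`, to verify that the package's postinst did not start the daemon.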