
Added an applet for switching Tor identity

SIGNAL NEWNYM is sent to Tor via its control port.
Access to the control port is filtered by the firewall, and cookie
authentication is enabled as well.
Maxim Kammerer 13 gadi atpakaļ
vecāks
revīzija
537356c2b6

+ 2 - 1
doc/changelog.txt

@@ -1,4 +1,4 @@
-2011-XX-XX
+2011-11-07
   + 2011.2 release
 
   * ISO image generation, useful for VMs and independent installs
@@ -19,6 +19,7 @@
   * HTP time daemon has been hardened and extended to aid I2P service
   * OTFE partition now supports file permissions, sanitized during boot
   * OTFE partition now uses NTFS compression for all data
+  * Added an applet for switching Tor identity (NEWNYM)
 
   * Cables communication is now a separate project
   * Cables communication daemon runs under a designated user

+ 2 - 0
src/etc/sudoers

@@ -25,3 +25,5 @@ anon	liberte = NOPASSWD:         /usr/local/sbin/slay nofw
 anon	liberte = (nofw)  NOPASSWD: /usr/local/sbin/unsafe-browser ""
 
 anon	liberte = (cable) NOPASSWD: /usr/libexec/cable/send ""
+
+anon	liberte = (tor)   NOPASSWD: /usr/local/sbin/tor-ctrl newnym
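Review bot: The new sudoers line has no comment saying why the literal argument `newnym` is part of the command spec, and that is the only thing keeping the anon user from reaching other tor-ctrl subcommands (and, through them, the full control port as user tor). A short comment above the rule would stop a later edit from loosening it to a wildcard, e.g. `# NEWNYM applet: the literal "newnym" argument is the privilege boundary; add a separate rule per subcommand`. It also seems worth stating, as with the other targets here, that /usr/local/sbin/tor-ctrl must stay root-owned and unwritable by anon, since it is executed with tor's privileges.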

+ 18 - 13
src/etc/tor/torrc

@@ -1,31 +1,36 @@
 ## Default user the server will run as
 User tor
 
-PIDFile            /var/run/tor/tor.pid
+PIDFile              /var/run/tor/tor.pid
 Log notice syslog
-#Log notice file   /var/log/tor/tor.log
+#Log notice file     /var/log/tor/tor.log
 
 ## "SocksPort 0" for server-only setup
-SocksListenAddress 127.0.0.1
-SocksPort          9050
+SocksListenAddress   127.0.0.1
+SocksPort            9050
 
-# Transparent proxy connections
-TransListenAddress 127.0.0.1
-TransPort          9040
+## control_auth_cookie in data directory
+ControlListenAddress 127.0.0.1
+ControlPort          9051
+CookieAuthentication 1
+
+## Transparent proxy connections
+TransListenAddress   127.0.0.1
+TransPort            9040
 
 ## The directory for keeping all the keys/etc.
-DataDirectory      /var/lib/tor/data
+DataDirectory        /var/lib/tor/data
 
 ## Hidden service on local port 80
-HiddenServiceDir   /var/lib/tor/hidden_service/
-HiddenServicePort  80 127.0.0.1:80
+HiddenServiceDir     /var/lib/tor/hidden_service/
+HiddenServicePort    80 127.0.0.1:80
 
 ## Easy operation behind firewalls, also disguise
 ## connections somewhat.
-ReachableAddresses *:80, *:443
+ReachableAddresses   *:80, *:443
 
 ## Reject resolved DNS connections
-SafeSocks 1
+SafeSocks            1
 
 # Do not relay. From Tor FAQ:
 #   Three different research papers describe ways to identify the relays in a
@@ -35,4 +40,4 @@ SafeSocks 1
 #   if we're trying to encourage more clients to turn on relay functionality
 #   too (whether as bridge relays or as normal relays), then we need to
 #   understand this threat better and learn how to mitigate it.
-ClientOnly         1
+ClientOnly           1
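Review bot: The comment `## control_auth_cookie in data directory` documents a path that is only implied here: the cookie location is derived from `DataDirectory`, while tor-ctrl hard-codes /var/lib/tor/data/control_auth_cookie, so a later change to `DataDirectory` would silently break the applet. Pinning it keeps both files in agreement, e.g. `CookieAuthFile       /var/lib/tor/data/control_auth_cookie`. Note also that possession of the cookie grants the full control protocol, not just SIGNAL, so the design relies on the file remaining readable only by the tor user (Tor creates it that way by default, as far as I recall; worth confirming and stating in the comment).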

+ 7 - 0
src/home/anon/bin/newnym

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if sudo -n -u tor /usr/local/sbin/tor-ctrl newnym; then
+    exec notify-send -u normal   -i security-high 'Established new Tor identity' 'Switched to clean circuits; new application requests will not share any circuits with old ones. DNS cache has been cleared as well.'
+else
+    exec notify-send -u critical -i security-low  'Failed to establish new Tor identity' 'Tor is probably not running; check user-level logs.'
+fi
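Review bot: The failure branch can only guess at the cause ("Tor is probably not running") because tor-ctrl's diagnostic line, and any sudo error, goes to the launcher's stdout, which is invisible under the `Terminal=false` desktop entry. Capturing the output and showing it in the critical notification makes the applet debuggable without a terminal: `if out=$(sudo -n -u tor /usr/local/sbin/tor-ctrl newnym 2>&1); then` and, in the else branch, `"${out:-Tor is probably not running; check user-level logs.}"` as the notification body. The `-n` flag is the right choice for a GUI launcher, since a password prompt could never be answered here.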

+ 8 - 0
src/home/anon/config/local/applications/newnym.desktop

@@ -0,0 +1,8 @@
+[Desktop Entry]
+Name=Switch Tor Identity
+Comment=Establish new Tor identity by switching to clean circuits
+Exec=newnym
+Terminal=false
+Type=Application
+Categories=GTK;Network;Security;
+Icon=security-medium

+ 1 - 1
src/usr/local/bin/sync-notify

@@ -1,6 +1,6 @@
 #!/bin/sh
 
-notify-send -u low -i drive-removable-media -t 2000 'Synchronizing media' 'Synchronizing removable media…'
+notify-send -u normal -i drive-removable-media -t 2000 'Synchronizing media' 'Synchronizing removable media…'
 
 sync
 sleep 1

+ 4 - 0
src/usr/local/sbin/fw-reload

@@ -101,6 +101,10 @@ iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner ${luser} --syn -d 127.0.0.1
 iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner privoxy  --syn -d 127.0.0.1 --dport 9050 -j ACCEPT
 iptables -A OUTPUT       -p tcp                               --syn -d 127.0.0.1 --dport 9050 -j LOGREJECT
 
+# Tor control port access only for Tor user
+iptables -A OUTPUT -o lo -p tcp -m owner --uid-owner tor      --syn -d 127.0.0.1 --dport 9051 -j ACCEPT
+iptables -A OUTPUT       -p tcp                               --syn -d 127.0.0.1 --dport 9051 -j LOGREJECT
+
 # Tor access via transparent proxy only for I2P (redirected from an external interface)
 iptables -A OUTPUT ! -o lo -p tcp -m owner --uid-owner i2p    --syn -d 127.0.0.1 --dport 9040 -j ACCEPT
 iptables -A OUTPUT         -p tcp                             --syn -d 127.0.0.1 --dport 9040 -j LOGREJECT

+ 29 - 0
src/usr/local/sbin/tor-ctrl

@@ -0,0 +1,29 @@
+#!/bin/sh -e
+
+export LC_ALL=C
+
+ctrlhost=127.0.0.1
+ctrlport=9051
+cookie=/var/lib/tor/data/control_auth_cookie
+
+case "$1" in
+    newnym)
+        cmd="SIGNAL NEWNYM"
+        ;;
+
+    *)
+        echo "Format: tor-ctrl newnym"
+        exit 1
+        ;;
+esac
+
+if [ ! -r ${cookie} ]; then
+    echo "Auth cookie does not exist or insufficient permissions"
+    exit 1
+fi
+
+auth=`od -t x1 -v -w32 ${cookie} | cut -s -d' ' -f 2- --output-delimiter=`
+
+echo -n ${BASH:+-e} AUTHENTICATE "${auth}\r\n${cmd}\r\nQUIT\r\n" \
+    | nc -n -q 30 -w 30 ${ctrlhost} ${ctrlport} 2>&1 \
+    | sed -n '/^250 /b n; p; q 1; :n'
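Review bot: An empty reply is reported as success: the `sed` stage exits 1 only when it sees a non-`250` line, so if `nc` times out or Tor closes the connection before answering, sed reads nothing, exits 0, and the `newnym` applet shows "Established new Tor identity" although no NEWNYM was delivered. The check should require the three expected `250` replies (AUTHENTICATE, SIGNAL, QUIT), e.g. replace the sed stage with `| awk '/^250 /{ok++; next} {print; bad=1; exit 1} END{if (bad) exit 1; if (ok < 3) {print "Incomplete reply from Tor"; exit 1}}'`. The `echo -n ${BASH:+-e}` trick on the line above exists only to get `\r\n` interpreted under both dash and bash; `printf 'AUTHENTICATE %s\r\n%s\r\nQUIT\r\n' "${auth}" "${cmd}"` does that portably, and `auth=$(od -An -v -t x1 "${cookie}" | tr -d ' \n')` is a simpler way to hex-encode the cookie that does not depend on it being exactly 32 bytes for the `-w32` single-line assumption to hold.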

+ 1 - 1
src/var/lib/portage/world

@@ -85,6 +85,7 @@ sys-apps/haveged
 dev-java/jamvm
 
 # Network utilities
+net-analyzer/netcat
 net-firewall/iptables
 sys-apps/ethtool
 net-wireless/madwifi-ng-tools
@@ -314,4 +315,3 @@ x11-themes/claws-mail-themes
 # (can be removed in release)
 app-admin/paxtest
 dev-util/strace
-net-analyzer/netcat
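Review bot: Moving `net-analyzer/netcat` out of the "can be removed in release" list makes it a hard runtime dependency of tor-ctrl, but nothing records that the `-q`/`-w`/`-n` flags tor-ctrl passes are specific to GNU netcat; swapping in another nc implementation would break the applet at runtime rather than at install time. A comment next to the entry would make that explicit, e.g. `# GNU netcat, required by /usr/local/sbin/tor-ctrl (uses -q/-w/-n)`.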