v0.8.0

@mangetoncompost mangetoncompost released this 30 Jun 23:25

Security

Critical

  • dnsmasq config moved to /etc/dnsmasq-torshield.conf (root:wheel) via the new ts_helper verbs write-dnsmasq-conf / rm-dnsmasq-conf. Previously it was written to ~/.config/opsec/dnsmasq.conf (user-writable), which allowed a local attacker to inject arbitrary dnsmasq directives (dhcp-script, addn-hosts) that ran as root on the next connect.
  • gen_icon binary always recompiled from embedded source, never reused from cache. Previously the compiled binary persisted in ~/.config/opsec/gen_icon without integrity verification, leaving it open to binary planting.

High

  • TOCTOU in ensure_helper() closed: compile inside a tempdir() (mode 0700) that stays alive until the osascript cp completes. Previously the NamedTempFile was dropped before clang ran, releasing the path reservation without O_EXCL protection.
  • dnsmasq killed via a validated PID read from its pid-file (/bin/kill <pid>), not pkill -f <user-path>. The previous pattern matched against every process cmdline as root; the root("kill", ...) call was also silently ignored (bare name not in the ts_helper whitelist).
  • Watchdog verified by content comparison before skipping reinstall. A file-existence check alone let a replaced watchdog LaunchDaemon script (persistent root shell) persist undetected.
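The pid-file fix above, as an added example that is not TorShield's own code: the value read from the pid-file is parsed strictly and the helper is handed a fixed argv with only the validated number, so no cmdline pattern matching happens as root. PID_MAX, the error type and the function names are assumptions.

```rust
// Added example (not the project's code): strict pid-file parsing before
// the privileged helper runs /bin/kill. Replaces `pkill -f <user-path>`,
// which matched every process whose cmdline contained a user-controlled string.
use std::fs;
use std::path::Path;

/// Upper bound on a plausible PID (assumption; tune per platform).
pub const PID_MAX: u64 = 99_999;

#[derive(Debug, PartialEq)]
pub enum PidError {
    Empty,
    NotNumeric(String),
    Overflow,
    OutOfRange(u64),
}

/// Parse pid-file contents into a validated PID.
/// Accepts only ASCII digits (plus surrounding whitespace); rejects 0 (the
/// whole process group), 1 (launchd/init) and anything above PID_MAX.
pub fn parse_pid(contents: &str) -> Result<u32, PidError> {
    let s = contents.trim();
    if s.is_empty() {
        return Err(PidError::Empty);
    }
    if !s.bytes().all(|b| b.is_ascii_digit()) {
        return Err(PidError::NotNumeric(s.to_string()));
    }
    let n: u64 = s.parse().map_err(|_| PidError::Overflow)?;
    if n < 2 || n > PID_MAX {
        return Err(PidError::OutOfRange(n));
    }
    Ok(n as u32)
}

/// Exact argv for the helper: fixed binary, fixed signal, validated PID.
pub fn kill_argv(pid: u32) -> Vec<String> {
    vec!["/bin/kill".into(), "-TERM".into(), pid.to_string()]
}

/// Read and validate a pid-file on disk; errors are returned, never ignored.
pub fn read_pid_file(path: &Path) -> Result<u32, String> {
    let contents = fs::read_to_string(path).map_err(|e| e.to_string())?;
    parse_pid(&contents).map_err(|e| format!("{:?}", e))
}
```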

Medium

  • ~/.config/opsec/ restricted to mode 0700 (was 0755 - world-readable). All secrets (torrc, HMAC key, SAFECOOKIE cookie, hostname backups) now inaccessible to other local users.
  • When HOME is unset, the fallback now uses getpwuid(getuid()) instead of /tmp (world-listable).
  • Tor binary resolved via absolute path (/opt/homebrew/bin/tor first). Previously it relied on PATH; a rogue binary earlier in PATH could intercept traffic while tor_ready() still returned true.

Low

  • pf interface name validated (alphanumeric only, default en0).

UI

Menu redesigned to professional English labels: Connect / Disconnect, New Identity, Identity Rotation, Kill Switch, MAC Address Randomization, DNS Leak Protection, Fingerprint Resistance, Advanced (was Dev / Scripts), [OK] / [!] dependency status.