Feature #7100

Decide what to do with machine-id

Added by intrigeri over 3 years ago. Updated about 1 year ago.

Status: Confirmed
Priority: Normal
Assignee:
Category: -
Target version:
Start date: 04/16/2014
Due date:
% Done: 0%
QA Check:
Feature Branch:
Type of work: Research
Blueprint:
Starter: No
Affected tool:

Description

Modern GNU/Linux tools (D-Bus, systemd) rely more and more on /etc/machine-id and/or /var/lib/dbus/machine-id (depending on the OS, versions, etc.). In most situations we care about, if not all, this ID should not be leaked to the network. If it is, then:

  • if we set the same machine-id everywhere, then users are all in the same anonymity set; but this also leaks that they're using Tails
  • if we set unique machine-id on boot, then we don't leak that users are using Tails, and applications that rely on machine-id working on the LAN work; OTOH, if machine-id leaks on the Internet, then the fact that users are not in the same anonymity set can be a problem

We should first evaluate if/how machine-id can be leaked, and then think about this all, and decide something.

team: bertagaz


Related issues

Related to Tails - Feature #5821: Switch to systemd as pid 1 Resolved 05/09/2014 06/01/2015
Related to Tails - Feature #5630: Reproducible builds In Progress 09/23/2015

Associated revisions

Revision 0d5d4d42 (diff)
Added by intrigeri about 1 year ago

Empty /etc/machine-id instead of deleting it (Closes: #11970, refs: #5630, refs: #7100).

History

#1 Updated by BitingBird almost 3 years ago

#2 Updated by intrigeri over 2 years ago

Note that live-build 5.x deletes /var/lib/dbus/machine-id and empties /etc/machine-id.

#3 Updated by intrigeri over 2 years ago

  • Assignee set to intrigeri

Adding to my radar.

#4 Updated by intrigeri over 2 years ago

Note that if we decide to make machine-id a per-Tails-boot identifier (as opposed to the current per-Tails-version identifier), we'll need to check our AppArmor profiles and see if they allow apps to access those files, why, how dangerous it is, and whether we want/need to keep allowing it.

#5 Updated by intrigeri over 2 years ago

  • Assignee deleted (intrigeri)
  • Target version set to Hardening_M1

#7 Updated by upqoer over 2 years ago

This can be an issue.

if we set the same machine-id everywhere, then users are all in the same anonymity set; but this also leaks that they're using Tails

Go for this one.
Because:

If you would go for random-id on each boot, then these issues will appear:
  • The person is trapped the whole time while running a Tails instance with the same machine-id. That means if it gets leaked by the browser or in any other way, and the user wants a New Identity, he will still be trackable by this attribute.

Setting a hardcoded, Tails-specific machine-id is a way better idea for anonymity.

Also note this: (!)

Tor Browser in Tails can read this file! (/etc/machine-id). See Tails current AppArmor profile allowing Tor Browser read from machine-id:

/etc/machine-id r,

https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/usr/share/tails/torbrowser-AppArmor-profile.patch

Deny it. Why would Tor Browser need the access to this file? And what about other applications like Pidgin, Evince, Electrum and all the others? They will not work without access to it? Has anybody tested this out?
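
Comments #4 and #7 raise the question of which AppArmor profiles let an application read the machine-id files. The following is an added example, not Tails code and not part of the original ticket: it scans profile text (or the added lines of a profile patch) for read rules covering the two paths from the description, honouring path globs and deny precedence. It assumes path-first file rules, does not follow `#include`d abstractions, and uses a constructed sample profile whose name and binary path are hypothetical.

```python
import re

MACHINE_ID_PATHS = ("/etc/machine-id", "/var/lib/dbus/machine-id")  # paths named in the ticket
# Path-first file rule: [+] [audit] [deny|allow] [owner] PATH PERMS,  ("+" = added line of a .patch)
RULE = re.compile(r"^[+\s]*(?:audit\s+)?(?:(?P<q>deny|allow)\s+)?(?:owner\s+)?"
                  r"(?P<path>[/@]\S*)\s+(?P<perms>[a-zA-Z]+)\s*,")
GLOB = {"**": ".*", "*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}

def glob_to_regex(glob):
    """Translate an AppArmor path glob (*, **, ?, {a,b}) into an anchored regex."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|.", glob):
        depth += (tok == "{") - (tok == "}")
        if tok == "," and depth > 0:        # a comma separates alternatives only inside braces
            out.append("|")
        else:
            out.append(GLOB.get(tok, re.escape(tok)))
    return re.compile("".join(out) + r"\Z")

def machine_id_access(profile_text):
    """Map each machine-id path to 'allow', 'deny' or 'none' for read access."""
    verdicts = dict.fromkeys(MACHINE_ID_PATHS, "none")
    for line in profile_text.splitlines():
        m = RULE.match(line.split("#", 1)[0])    # strip comments and #include lines
        if not m or "r" not in m["perms"]:
            continue
        try:
            rx = glob_to_regex(m["path"])
        except re.error:                         # malformed glob, e.g. unbalanced braces
            continue
        for target in MACHINE_ID_PATHS:
            if rx.match(target) and verdicts[target] != "deny":   # deny overrides allow
                verdicts[target] = "deny" if m["q"] == "deny" else "allow"
    return verdicts

# Constructed sample profile; the profile name and binary path are hypothetical.
SAMPLE = """\
profile example_browser /opt/example/firefox {
  #include <abstractions/base>
  /etc/machine-id r,
  /var/lib/dbus/* r,
  deny /var/lib/dbus/machine-id r,
}
"""

if __name__ == "__main__":
    print(machine_id_access(SAMPLE))
```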

#8 Updated by sajolida over 2 years ago

  • Assignee set to bertagaz

#9 Updated by sajolida over 2 years ago

  • Target version changed from Hardening_M1 to 2016

#10 Updated by Dr_Whax over 1 year ago

  • Description updated (diff)
  • Target version changed from 2016 to 2017

#11 Updated by intrigeri about 1 year ago

#12 Updated by intrigeri about 1 year ago

Also see this interesting thread about this topic on the AppArmor mailing list. Simon McVittie is the upstream D-Bus maintainer, and is familiar both with AppArmor and privacy concerns.

And of course, 0d5d4d4.
