|
 |
9043f9d |
From ec35ad51e585023b718c2b257721bdf2d2f25f3e Mon Sep 17 00:00:00 2001
|
|
|
9043f9d |
From: Jamie Nguyen <j@jamielinux.com>
|
|
|
9043f9d |
Date: Mon, 9 Nov 2015 07:38:19 +0000
|
|
|
9043f9d |
Subject: [PATCH] Create DataDirectory with group read permissions
|
|
|
9043f9d |
|
|
|
9043f9d |
Directories created by Tor have 0700 and toranon:toranon permissions. Tor also
|
|
|
9043f9d |
checks the permissions again at runtime, reducing the permissions if they
|
|
|
9043f9d |
aren't 0700 and refusing to run if the owner or group aren't both toranon.
|
|
|
9043f9d |
|
|
|
9043f9d |
These precautions protect the security of the Tor files. However, these
|
|
|
9043f9d |
permissions make the Tor DataDirectory (ie, /var/lib/tor) unreadable by the
|
|
|
9043f9d |
root user. When Tor is started as root, it accesses the DataDirectory before
|
|
|
9043f9d |
dropping root permissions. Normally this wouldn't cause any problems, but there
|
|
|
9043f9d |
are two situations in which Tor is prevented from running:
|
|
|
9043f9d |
|
|
|
9043f9d |
(1) If the systemd CapabilityBoundingSet option is set but CAP_READ_SEARCH isn't
|
|
|
9043f9d |
listed, root is denied access to the Tor DataDirectory.
|
|
|
9043f9d |
|
|
|
9043f9d |
(2) If SELinux is enabled but tor_t domain isn't allowed dac_read_search
|
|
|
9043f9d |
permissions, root is denied access to the Tor DataDirectory.
|
|
|
9043f9d |
|
|
|
9043f9d |
CAP_READ_SEARCH and dac_read_search should be avoided; a process with these
|
|
|
9043f9d |
permissions can read arbitrary files regardless of DAC permissions. The
|
|
|
9043f9d |
solution proposed in this patch is to default to creating the DataDirectory
|
|
|
9043f9d |
with 0750 permissions, while also allowing the group to be either toranon or
|
|
|
9043f9d |
root.
|
|
|
9043f9d |
---
|
|
|
9043f9d |
src/common/util.c | 2 +-
|
|
|
9043f9d |
src/or/config.c | 3 ++-
|
|
|
9043f9d |
2 files changed, 3 insertions(+), 2 deletions(-)
|
|
|
9043f9d |
|
|
|
9043f9d |
diff --git a/src/common/util.c b/src/common/util.c
|
|
|
9043f9d |
index 442d57a..793fbb4 100644
|
|
|
9043f9d |
--- a/src/common/util.c
|
|
|
9043f9d |
+++ b/src/common/util.c
|
|
|
9043f9d |
@@ -2196,7 +2196,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
|
|
|
9043f9d |
return -1;
|
|
|
9043f9d |
}
|
|
|
9043f9d |
if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ))
|
|
|
9043f9d |
- && (st.st_gid != running_gid) ) {
|
|
|
9043f9d |
+ && (st.st_gid != running_gid) && (st.st_gid != 0)) {
|
|
|
9043f9d |
struct group *gr;
|
|
|
9043f9d |
char *process_groupname = NULL;
|
|
|
9043f9d |
gr = getgrgid(running_gid);
|
|
|
9043f9d |
diff --git a/src/or/config.c b/src/or/config.c
|
|
|
9043f9d |
index fca350c..5cefc7c 100644
|
|
|
9043f9d |
--- a/src/or/config.c
|
|
|
9043f9d |
+++ b/src/or/config.c
|
|
|
9043f9d |
@@ -1152,7 +1152,8 @@ options_act_reversible(const or_options_t *old_options, char **msg)
|
|
|
9043f9d |
|
|
|
9043f9d |
/* Ensure data directory is private; create if possible. */
|
|
|
9043f9d |
if (check_private_dir(options->DataDirectory,
|
|
|
9043f9d |
- running_tor ? CPD_CREATE : CPD_CHECK,
|
|
|
9043f9d |
+ running_tor ?
|
|
|
9043f9d |
+ CPD_CREATE|CPD_GROUP_READ : CPD_CHECK|CPD_GROUP_READ,
|
|
|
9043f9d |
options->User)<0) {
|
|
|
9043f9d |
tor_asprintf(msg,
|
|
|
9043f9d |
"Couldn't access/create private data directory \"%s\"",
|
|
|
9043f9d |
--
|
|
|
9043f9d |
2.5.0
|
|
|
9043f9d |
|