[tor-bugs] #8195 [Tor]: tor and capabilities

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Nov 4 14:51:12 UTC 2015


#8195: tor and capabilities
-----------------------------------------------+---------------------------
 Reporter:  weasel                             |          Owner:
     Type:  enhancement                        |         Status:  new
 Priority:  Medium                             |      Milestone:  Tor:
Component:  Tor                                |  0.2.8.x-final
 Severity:  Normal                             |        Version:
 Keywords:  tor-relay, security, pre028-patch  |     Resolution:
Parent ID:                                     |  Actual Points:
  Sponsor:                                     |         Points:  small
-----------------------------------------------+---------------------------

Comment (by nickm):

 Ugh.  I've done my research here.  It's a mess.  You simply can't write a
 wrapper that does what I want without messing with the FS.

 {{{
 14:39 < nickm> To inherit any capability across an exec, the file being
                exec()ed needs to have that capability listed in its
                'inheritable' set.
 14:40 < nickm> exec does this: it clears every capability not in the
                executable's inheritable set, then it grants every
                capability in the executable's permitted set (subject to
                the system's bounding set)
 14:40 < nickm> obviously we wouldn't want to put anything in the permitted
                set; that's basically setuid.
 14:40 < nickm> (or a fraction of it.)
 14:41 < nickm> but if we can't even put anything in the executable's
                inherited set, then we can't do this with a sane external
                tool.
 14:43 < nickm> (Digression: we could try to write a tool which forked,
                exec'd the other process and THEN granted it capabilities,
                but I don't see a way to avoid a race there.)
 14:44 < nickm> ([To grant capabilities to another running process]
                You need the CAP_SETPCAP capability, and the documentation
                says that really you shouldn't be holding on to that
                capability unless you know what you're doing.)
 14:44 < nickm> (I don't think I know what I'm doing enough to be safe
                there.)
 14:45 < nickm> so option 1: mark the tor executable as allowed to inherit
                CAP_NET_BIND_SERVICE.  That means that if the calling
                process intentionally passes that capability, tor can use
                it.
 14:46 < nickm> option 2: do what #8195 envisioned, and teach Tor to retain
                this capability across the setuid.
 14:47 < nickm> [and for helpers]:
                option 1: mark the helper executable as allowed to inherit
                the capability, and teach tor how to pass it.
 14:48 < nickm> option 2: let tor open the sockets and pass them across an
                af_unix socket.
 14:48 < nickm> option 3: i have no clue
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8195#comment:34>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
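To make the exec rule in the log concrete, here is an added C model (not code from the ticket or from Tor) of the capability transition as capabilities(7) specifies it; it uses plain 64-bit bitmasks in place of the kernel's structures and leaves out the ambient set that Linux 4.3 added after this discussion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Capability number as defined in <linux/capability.h>. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_BIT(c) ((uint64_t)1 << (c))

/* A process's capability sets before exec: P(...) in capabilities(7). */
struct proc_caps { uint64_t permitted, inheritable, effective, bounding; };
/* File capabilities attached to the executable: F(...) in capabilities(7). */
struct file_caps { uint64_t permitted, inheritable; bool effective; };

/* The exec() transition nickm describes (ambient set omitted):
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable),  P'(bounding) = P(bounding)
 * Anything the file does not list as inheritable is cleared, while the
 * file's permitted set is granted no matter what the caller held, which
 * is why a file permitted set behaves like setuid. */
struct proc_caps cap_exec_transition(struct proc_caps p, struct file_caps f)
{
    struct proc_caps n;
    n.permitted   = (p.inheritable & f.inheritable) | (f.permitted & p.bounding);
    n.effective   = f.effective ? n.permitted : 0;
    n.inheritable = p.inheritable;
    n.bounding    = p.bounding;
    return n;
}

/* Option 1 from the log: the caller may or may not pass CAP_NET_BIND_SERVICE
 * in its inheritable set, and the tor binary may or may not carry that
 * capability as file-inheritable (with the file effective bit set).
 * Returns whether the exec'd tor ends up able to bind a port below 1024. */
bool tor_gets_bind_service(bool caller_passes_it, bool file_marks_inheritable)
{
    uint64_t nbs = CAP_BIT(CAP_NET_BIND_SERVICE);
    struct proc_caps caller = { 0, caller_passes_it ? nbs : 0, 0, ~(uint64_t)0 };
    struct file_caps tor    = { 0, file_marks_inheritable ? nbs : 0, true };
    return (cap_exec_transition(caller, tor).effective & nbs) != 0;
}

int main(void)
{
    printf("caller passes, file +i:       %d\n", tor_gets_bind_service(true, true));
    printf("caller passes, plain binary:  %d\n", tor_gets_bind_service(true, false));
    printf("caller passes nothing, +i:    %d\n", tor_gets_bind_service(false, true));
    return 0;
}
```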

