[tor-bugs] #17562 [- Select a component]: DataDirectory permissions are too restrictive when using CapabilityBoundingSet or SELinux
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 9 09:41:52 UTC 2015
#17562: DataDirectory permissions are too restrictive when using
CapabilityBoundingSet or SELinux
--------------------------------------+-----------------
Reporter: jamielinux | Owner:
Type: defect | Status: new
Priority: Medium | Milestone:
Component: - Select a component | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Sponsor:
--------------------------------------+-----------------
Directories created by Tor have 0700 and TorUser:TorUser permissions. Tor
also checks the permissions again at runtime, reducing the permissions if
they aren't 0700 and refusing to run if the directory UID and GID aren't
both TorUser.
These precautions protect the security of the Tor files. However, the
DataDirectory (i.e., `/var/lib/tor`) is unreadable by the root user. When
Tor is started as root, it accesses the DataDirectory before dropping root
permissions. Normally this wouldn't cause any problems, but there are two
situations in which Tor is prevented from running:
1. If the systemd `CapabilityBoundingSet` option is set but
`CAP_READ_SEARCH` isn't listed, root is denied access to the
DataDirectory.
2. If SELinux is enabled but `tor_t` domain isn't allowed
`dac_read_search` permissions, root is denied access to the DataDirectory.
`CAP_READ_SEARCH` and dac_read_search should be avoided; a process with
these permissions can read arbitrary files regardless of DAC permissions.
The solution proposed in this patch is to default to creating the
DataDirectory with 0750 permissions, while also allowing the group to be
either TorUser or root (but nobody else).
Also see: https://bugzilla.redhat.com/show_bug.cgi?id=1279222
I notice that Debian fixed this issue on Stretch/Sid by giving Tor
`CAP_DAC_OVERRIDE`, `CAP_CHOWN` and `CAP_FOWNER`. These dangerous
capabilities are effectively equal to root, and kind of defeat the point
of using `CapabilityBoundingSet` in the first place. I've chosen a
different solution.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17562>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online