Patch to authenticate by uid/gid on ControlSocket
Michael Gold
torlists at rilmarder.org
Sun Mar 1 18:56:02 UTC 2009
On Sun, Mar 01, 2009 at 10:47:03 -0700, John Brooks wrote:
> Great idea! This should simplify things quite a lot when using control
> connections.
>
> I'm surprised fchmod doesn't work, but I don't think using chmod() would be
> a problem here. Another user very likely wouldn't have the permissions to
> replace the socket file, and if they did, the chmod() call would then fail
> as the tor user would not own the new file. If they were already running as
> the tor user, they could do all sorts of other things and make it really a
> moot point anyway. I don't see a way that another user could bother tor
> using that race condition.
The problem of fchmod not working is Linux-specific and seems to be
brought up on LKML every few years, though there's never a response and
nobody's sent a patch.
The race condition could be exploited by hardlinking a file owned by the
Tor user, which would then become world-writable. But this would only
work if the attacker had write permission to the directory and the
sticky bit was clear.
-- Michael
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20090301/81cefbf2/attachment.pgp>
More information about the tor-dev
mailing list