[tor-dev] Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?
Yawning Angel
yawning at schwanenlied.me
Sun Apr 12 13:10:33 UTC 2015
On Sun, 12 Apr 2015 12:46:26 +0000
Nusenu <nusenu at openmailbox.org> wrote:
> tor will fail to startup with the current systemd service file [1]
> if your torrc makes use of the ControlSocket feature.
>
> To work around the issue one has to additionally allow the following
> capabilities:
> CAP_DAC_OVERRIDE
> CAP_CHOWN
> since the socket file is create as root and then changed to the tor
> user (chown).
>
> Is it possible to change this to not require
> CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?
I bet using the AF_UNIX SocksPort stuff will break as well, since the
code is common. All of the listeners are launched before switching
uid/gid and dropping privileges since it's common code.
The way to fix this would be to change retry_listener_ports and
retry_all_listeners code to additionally allow only launching service
ports (< 1024), and staging the listener launch process on config
(re)load to something that looks like:
1. Launch listeners that require elevated priviledges
(CAP_NET_BIND_SERVICE).
2. Drop priviledges and switch the uid/gid.
3. Launch the rest of the listeners, including all of the AF_UNIX
based ones (as the runtime tor user, so neither privilege is
required).
Patches accepted.
--
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20150412/ee83005e/attachment.sig>
More information about the tor-dev
mailing list