[tor-dev] Tor can't read HiddenServicePort unix socket through group permissions when starting as root and using setgid?
keyandthegate
keyandthegate at protonmail.com
Tue Jul 5 12:30:57 UTC 2022
Permissions are set so tor should be able to access through the `postfix-test-queue` user:
> $ sudo ls -l /var/spool/postfix-test/public/smtpd
> srw-rw-rw- 1 postfix-test postfix-test 0 █████ /var/spool/postfix-test/public/smtpd
> $ sudo ls -l /var/spool/postfix-test
> # ...
> drwx--x--- 2 postfix-test postfix-test-queue 4096 █████ public
> $ sudo -u _tor-test id
> uid=130(_tor-test) gid=141(_tor-test) groups=141(_tor-test),1006(postfix-test-queue)
> $ cat /etc/tor/instances/test/torrc | grep HiddenServicePort
> HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd
> $ cat /run/tor-instances/test.defaults | grep User
> User _tor-test
Running `tor@test` via the default systemctl config shows:
> $ ps -ax -o uid,gid,supgid,command | grep /usr/bin/tor
> 130 141 141 /usr/bin/tor --defaults-torrc /run/tor-instances/test.defaults -f /etc/tor/instances/test/torrc
This is missing the `postfix-test-queue` (`1006`) user which, for example, shows up if I do:
> $ sudo -u _tor-test sleep 1000 & ps -ax -o uid,gid,supgid,command | grep sleep
> [1] 132314
> 0 141 141,1006 sudo -u _tor-test sleep 1000
Connecting using `sudo -u` works (the message indicates successful connection):
> $ sudo -u _tor-test curl --unix-socket /var/spool/postfix-test/public/smtpd http://localhost
> curl: (1) Received HTTP/0.9 when not allowed
But connecting via tor does not:
> $ torsocks --ipv6 curl http://█████.onion:25
> █████ ERROR torsocks[134873]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:539)
> curl: (7) Couldn't connect to server
But it does if I allow everyone access to the socket:
> $ sudo chmod "o+x" /var/spool/postfix-test/public/
> $ torsocks --ipv6 curl http://█████.onion:25
> curl: (1) Received HTTP/0.9 when not allowed
Tor's relevant source code: [Tor: lib/process/setuid.c Source File](https://tpo.pages.torproject.net/core/doc/tor/setuid_8c_source.html)
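The following is an added diagnostic, not part of the post above and not Tor project code. It reproduces the kernel's per-component permission check in Python so the two credential sets seen in the post can be compared side by side: the set `sudo -u _tor-test` provides (primary gid 141 plus supplementary group 1006) and the set `ps` shows for the running daemon (supgid 141 only). The filesystem entries are constructed from the `ls -l` output in the post; the numeric uid/gid of `postfix-test` is not shown there and is assumed to be 1005, and parent directories the post does not list (`/var`, `/var/spool`, `/var/spool/postfix-test`) are assumed traversable. Function names (`allowed`, `first_denied`, `live_entries`) are this example's own.

```python
"""Simulate Unix path-permission checks for a given credential set.

Added example (not from the tor-dev post or the Tor source). It models the
owner/group/other class selection the kernel applies to each path component,
so you can see why a daemon that holds only its primary gid is evaluated
against the 'other' bits of a group-restricted directory.
"""
import os
import stat
from dataclasses import dataclass, field

# Permission bits per class, in the order the kernel selects them.
OWNER = {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR}
GROUP = {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP}
OTHER = {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH}


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    supgids: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # permission bits only (S_IMODE)
    uid: int
    gid: int


def allowed(entry, creds, want):
    """True if creds may perform every permission letter in `want` on entry.

    Exactly one class applies: owner if the uid matches, else group if the
    file's gid is the primary gid or in the supplementary set, else other.
    A group match lacking the bit is a denial even if 'other' would allow it.
    uid 0 bypasses the check, as the kernel does for CAP_DAC_OVERRIDE.
    """
    if creds.uid == 0:
        return True
    if entry.uid == creds.uid:
        table = OWNER
    elif entry.gid == creds.gid or entry.gid in creds.supgids:
        table = GROUP
    else:
        table = OTHER
    return all(entry.mode & table[p] for p in want)


def first_denied(entries, creds, sock_path):
    """Walk each parent directory (needs 'x'), then the socket (needs 'rw').

    Returns None when the socket is reachable, else the path of the first
    component that blocks access. Components absent from `entries` are
    assumed traversable (the post lists only the relevant ones).
    """
    by_path = {e.path: e for e in entries}
    parts = sock_path.strip("/").split("/")
    for i in range(1, len(parts)):
        d = "/" + "/".join(parts[:i])
        if d in by_path and not allowed(by_path[d], creds, "x"):
            return d
    if sock_path in by_path and not allowed(by_path[sock_path], creds, "rw"):
        return sock_path
    return None


def live_entries(sock_path):
    """Build entries from the real filesystem with os.stat (run as a user
    able to stat every component, e.g. via sudo) to check a live setup."""
    out = []
    parts = sock_path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        p = "/" + "/".join(parts[:i])
        st = os.stat(p)
        out.append(Entry(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return out


# Constructed from the post's ls/id output. postfix-test's numeric ids are
# not shown there; 1005 is an assumption. 1006 and 130/141 are from the post.
POSTFIX_UID = POSTFIX_GID = 1005   # assumed
QUEUE_GID = 1006                   # postfix-test-queue
TOR_UID, TOR_GID = 130, 141        # _tor-test
SOCK = "/var/spool/postfix-test/public/smtpd"
ENTRIES = [
    Entry("/var/spool/postfix-test/public", 0o710, POSTFIX_UID, QUEUE_GID),  # drwx--x---
    Entry(SOCK, 0o666, POSTFIX_UID, POSTFIX_GID),                          # srw-rw-rw-
]


def tor_under_sudo():
    """Credentials sudo -u _tor-test yields: primary gid plus group 1006."""
    return Creds(TOR_UID, TOR_GID, frozenset({TOR_GID, QUEUE_GID}))


def tor_running_daemon():
    """Credentials ps showed for the running tor: supgid 141 only."""
    return Creds(TOR_UID, TOR_GID, frozenset({TOR_GID}))


def with_other_exec(entries, path):
    """Return entries with the post's `chmod o+x` applied to `path`."""
    return [Entry(e.path, e.mode | stat.S_IXOTH, e.uid, e.gid) if e.path == path else e
            for e in entries]


if __name__ == "__main__":
    print("sudo -u  :", first_denied(ENTRIES, tor_under_sudo(), SOCK))
    print("daemon   :", first_denied(ENTRIES, tor_running_daemon(), SOCK))
    fixed = with_other_exec(ENTRIES, "/var/spool/postfix-test/public")
    print("after o+x:", first_denied(fixed, tor_running_daemon(), SOCK))
```

With the post's permissions the daemon's credential set is stopped at `/var/spool/postfix-test/public`: its gid 1006 matches neither the primary gid nor the supplementary set, so the check falls through to the `other` bits, which have no `x`. That is the same component `chmod o+x` opens, which is consistent with the behaviour the post reports. To audit a real host, pass `live_entries(SOCK)` in place of `ENTRIES` and the credential set from `ps -o uid,gid,supgid` rather than from `sudo -u`, since the two can differ after a daemon's privilege drop.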