<div style="font-family: Arial; font-size: 14px; color: rgb(34, 34, 34);">I had a conversation about this on OFTC #tor:</div><div style="font-family: Arial; font-size: 14px; color: rgb(34, 34, 34);"><span data-value="0"></span><div><div><pre><code><ketyn> Is it intended that tor doesn't set supplementary groups when starting as root and then doing setgid? This describes my issue: https://tor.stackexchange.com/questions/23225/tor-cant-read-hiddenserviceport-unix-socket-through-group-permissions-when-star
<ketyn> I see many threads on the internet of people claiming that tor unix socket permissions aren't working for them and while sometimes it turns out to be apparmor/SELinux, I think this might be biting other people too
<ketyn> I think significant numbers of people might just be giving up and making their unix socket globally readable, or switching to numbered port based sockets rather than unix domain sockets.
<arma> ketyn: we had a series of security surprises in the past with how we did groups and dropping privs,
<arma> and we settled on what we do now as the safest option
<ketyn> Alright, I guess I'll need to either make the sockets tor listens to owned by the tor user, or use socat to forward. Maybe there's a documentation fix to apply here though.
<ketyn> tor forwards to*
<bentham> ketyn: What are you doing that would make that necessary?
<bentham> Is the default not working for you for some reason?
<bentham> Also, which socket(s) is(are) causing issues for you? Is it something in /run/tor?
<ketyn> I want to make a tor hidden service listening to port 25, connected to a socket at /var/spool/postfix-test/public/smtpd owned by the user postfix-queue
<ketyn> According to postfix, I'm then supposed to add whatever user I want to read to that socket to the group postfix-queue
<arma> ketyn: hmmm
<arma> for the control socket see the GroupWritable flags
<arma> ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
<arma> ControlSocketsGroupWritable 1
<arma> this is how you can add your username to the tor group and then have permissions to connect with a controller
<ketyn> This is not a control socket. This is a hidden service. e.g. HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd
<arma> i don't think anybody has built something similar for the onion service lines
<arma> but i think that tor is not dropping the groups, it simply is not letting you use the group permission there
<ketyn> I want to be able to receive email over a hidden service. Like in https://github.com/ehloonion/onionmx
<ketyn> > <arma> but i think that tor is not dropping the groups, it simply is not letting you use the group permission there
<ketyn> Huh, ok.
<arma> i say that because being in the group, for the control port, does work
<arma> so it's not like the group got dropped
<arma> check out the UnixSocksGroupWritable config option
<arma> maybe it will help what you want
<bentham> ketyn: Out of curiosity, why is your smtpd listening on a socket rather than, say, 127.0.0.1:25?
<arma> looks like no, it won't do what you want, because UnixSocksGroupWritable doesn't apply to hiddenservice lines
<ketyn> bentham: Because it seems more secure and means I don't have to worry about port conflicts or firewalls, and deploy this setup to computers I don't have full control over.
<ketyn> Here's another good reason I saw: https://github.com/freedomofpress/securedrop/issues/1261
<ketyn> "because applications sometimes (fairly) assume that localhost has a different threat model than an externally exposed service. Most recently, this common configuration lead to some hidden services exposing sensitive information through the Apache mod_status module"
...
<arma> actually arma said "just barely possible that the network team would take a good patch"
<arma> not quite the same as "probably not take"
<arma> but yes, more generally, there is vast confusion about what permissions are *supposed* to be, what groups happen by default in debian/ubuntu, what the SELinux and Apparmor policies do, etc
<arma> i think most people are probably doing it wrong but i don't even know what right is
<arma> i end up putting all my onion service directories in /tmp/ so they work, and that cannot at all be right
<br><br>I also asked on stackexchange:<br><span><a target="_blank" rel="noreferrer nofollow noopener" href="https://tor.stackexchange.com/questions/23225/tor-cant-read-hiddenserviceport-unix-socket-through-group-permissions-when-star/23226">https://tor.stackexchange.com/questions/23225/tor-cant-read-hiddenserviceport-unix-socket-through-group-permissions-when-star/23226</a></span><br><br><br></code></pre>
</div></div></div><div class="protonmail_quote">
------- Original Message -------<br>
On Tuesday, July 5th, 2022 at 5:30 AM, keyandthegate via tor-dev <tor-dev@lists.torproject.org> wrote:<br><br>
<blockquote class="protonmail_quote" type="cite">
<span>Permissions are set so tor should be able to access through the `postfix-test-queue` user:</span><div><br></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span>$ sudo ls -l /var/spool/postfix-test/public/smtpd </span></div><div><span>srw-rw-rw- 1 postfix-test postfix-test 0 █████ /var/spool/postfix-test/public/smtpd</span></div><div><span>$ sudo ls -l /var/spool/postfix-test</span></div><div><span># ...</span></div><div><span>drwx--x--- 2 postfix-test postfix-test-queue 4096 █████ public</span></div><div><span>$ sudo -u _tor-test id</span></div><div><span>uid=130(_tor-test) gid=141(_tor-test) groups=141(_tor-test),1006(postfix-test-queue)</span></div><div><span>$ cat /etc/tor/instances/test/torrc | grep HiddenServicePort</span></div><div><span>HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd</span></div><div><span>$ cat /run/tor-instances/test.defaults | grep User</span></div><div><span>User _tor-test</span></div></blockquote><div><br></div><div><span>Running `tor@test` via the default systemctl config shows:</span></div><div><br></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span>$ ps -ax -o uid,gid,supgid,command | grep /usr/bin/tor</span></div><div><span> 130 141 141 /usr/bin/tor --defaults-torrc /run/tor-instances/test.defaults -f /etc/tor/instances/test/torrc</span></div></blockquote><div><br></div><div><span>Which is missing the `postfix-test-queue` `1006` user which, for example shows up if I do:</span></div><div><br></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span>$ sudo -u _tor-test sleep 1000 & ps -ax -o uid,gid,supgid,command | grep sleep</span></div><div><span>[1] 132314</span></div><div><span> 0 141 141,1006 sudo -u _tor-test sleep 1000</span></div></blockquote><div><br></div><div><span>Connecting using `sudo -u` works (the message indicates successful connection):</span></div><div><br></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span>$ sudo -u _tor-test curl --unix-socket /var/spool/postfix-test/public/smtpd <a target="_blank" rel="noreferrer nofollow noopener" href="http://localhost">http://localhost</a></span></div><div><span>curl: (1) Received HTTP/0.9 when not allowed</span></div></blockquote><div><br></div><div><span>But connecting via tor does not:</span></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span><br></span></div><div><span>$ torsocks --ipv6 curl <a target="_blank" rel="noreferrer nofollow noopener" href="http://█████.onion:25">http://█████.onion:25</a></span></div><div><span>█████ ERROR torsocks[134873]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:539)</span></div><div><span>curl: (7) Couldn't connect to server</span></div></blockquote><div><br></div><div><span>But does if I allow access to the socket to everyone:</span></div><div><br></div><blockquote style="border-color:rgb(200, 200, 200);border-left:3px solid rgb(200, 200, 200);padding-left:10px;color:rgb(102, 102, 102)"><div><span>$ sudo chmod "o+x" /var/spool/postfix-test/public/</span></div><div><span>$ torsocks --ipv6 curl <a target="_blank" rel="noreferrer nofollow noopener" href="http://█████.onion:25">http://█████.onion:25</a></span></div><div><span>curl: (1) Received HTTP/0.9 when not allowed</span></div></blockquote><div><br></div><div><span>Tor's relevant source code: <a href="https://tpo.pages.torproject.net/core/doc/tor/setuid_8c_source.html" target="_blank" rel="noreferrer nofollow noopener" title="Tor: lib/process/setuid.c Source File">Tor: lib/process/setuid.c Source File</a></span></div>
</blockquote><br>
</div>