August 2011 - tor-commits - lists.torproject.org

[tor/master] Remove connection_edge_streams_are_compatible
by nickm＠torproject.org 08 Aug '11

08 Aug '11

commit cb24a06a3e1825001ea97f1a19249dade2f68215 Author: Robert Ransom <rransom.8774(a)gmail.com> Date: Sat Aug 6 13:44:28 2011 -0700 Remove connection_edge_streams_are_compatible It's dead code (not used anywhere by the current proposal 171 algorithm). --- src/or/connection_edge.c | 52 ---------------------------------------------- src/or/connection_edge.h | 2 - 2 files changed, 0 insertions(+), 54 deletions(-) diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 37a695c..7dd6ee0 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -3346,58 +3346,6 @@ memeq_opt(const char *a, size_t alen, const char *b, size_t blen) } } -/** Return true iff <b>a</b> and <b>b</b> have isolation rules and fields that - * make it permissible to put them on the same circuit.*/ -int -connection_edge_streams_are_compatible(const edge_connection_t *a, - const edge_connection_t *b) -{ - const uint8_t iso = a->isolation_flags | b->isolation_flags; - const socks_request_t *a_sr = a->socks_request; - const socks_request_t *b_sr = b->socks_request; - - if (! a->original_dest_address) { - log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without " - "having set a->original_dest_address"); - ((edge_connection_t*)a)->original_dest_address = - tor_strdup(a->socks_request->address); - } - if (! b->original_dest_address) { - log_warn(LD_BUG, "Reached connection_edge_streams_are_compatible without " - "having set b->original_dest_address"); - ((edge_connection_t*)b)->original_dest_address = - tor_strdup(a->socks_request->address); - } - - if (iso & ISO_STREAM) - return 0; - - if ((iso & ISO_DESTPORT) && a->socks_request->port != b->socks_request->port) - return 0; - if ((iso & ISO_DESTADDR) && - strcasecmp(a->original_dest_address, b->original_dest_address)) - return 0; - if ((iso & ISO_SOCKSAUTH) && - (! memeq_opt(a_sr->username, a_sr->usernamelen, - b_sr->username, b_sr->usernamelen) || - ! memeq_opt(a_sr->password, a_sr->passwordlen, - b_sr->password, b_sr->passwordlen))) - return 0; - if ((iso & ISO_CLIENTPROTO) && - (a->socks_request->listener_type != b->socks_request->listener_type || - a->socks_request->socks_version != b->socks_request->socks_version)) - return 0; - if ((iso & ISO_CLIENTADDR) && - !tor_addr_eq(&TO_CONN(a)->addr, &TO_CONN(b)->addr)) - return 0; - if ((iso & ISO_SESSIONGRP) && a->session_group != b->session_group) - return 0; - if ((iso & ISO_NYM_EPOCH) && a->nym_epoch != b->nym_epoch) - return 0; - - return 1; -} - /** * Return true iff none of the isolation flags and fields in <b>conn</b> * should prevent it from being attached to <b>circ</b>. diff --git a/src/or/connection_edge.h b/src/or/connection_edge.h index 85293a0..36aead1 100644 --- a/src/or/connection_edge.h +++ b/src/or/connection_edge.h @@ -105,8 +105,6 @@ hostname_type_t parse_extended_hostname(char *address, int allowdotexit); int get_pf_socket(void); #endif -int connection_edge_streams_are_compatible(const edge_connection_t *a, - const edge_connection_t *b); int connection_edge_compatible_with_circuit(const edge_connection_t *conn, const origin_circuit_t *circ); int connection_edge_update_circuit_isolation(const edge_connection_t *conn,

1 0

r24946: {website} apply patch from jeremy to fix the project layout, standardi (in website/trunk: css en images)
by Andrew Lewman 07 Aug '11

07 Aug '11

Author: phobos Date: 2011-08-07 21:16:31 +0000 (Sun, 07 Aug 2011) New Revision: 24946 Modified: website/trunk/css/layout-rtl.css website/trunk/css/layout.css website/trunk/css/typography.css website/trunk/en/index.wml website/trunk/images/icon-Arm.jpg website/trunk/images/icon-Tails.jpg website/trunk/images/icon-TorBrowser.jpg website/trunk/images/icon-TorButton.jpg website/trunk/images/icon-TorCheck.jpg website/trunk/images/icon-TorStatus.jpg website/trunk/images/icon-Vidalia.jpg Log: apply patch from jeremy to fix the project layout, standardize project icons, and css fixes for both rtl and ltr languages. Modified: website/trunk/css/layout-rtl.css =================================================================== --- website/trunk/css/layout-rtl.css 2011-08-04 17:48:07 UTC (rev 24945) +++ website/trunk/css/layout-rtl.css 2011-08-07 21:16:31 UTC (rev 24946) @@ -181,6 +181,15 @@ background-position: left top; } +.project { + float: right; + } + +.project img { + margin-right: 0px; + margin-left: 6px; + } + .meta { float: left; } Modified: website/trunk/css/layout.css =================================================================== --- website/trunk/css/layout.css 2011-08-04 17:48:07 UTC (rev 24945) +++ website/trunk/css/layout.css 2011-08-07 21:16:31 UTC (rev 24946) @@ -417,13 +417,34 @@ text-align: center; padding: 4px 0; } - .fauxhead { background: url(../images/table-arrow.jpg) right top no-repeat; width: 100%; height: 11px; } +#home-our-projects td { + height: 92px; + width: 296px; + padding: 6px; + } + +.project { + float: left; + padding: 6px; + border: 1px solid #CAC8A7; + height: 76px; + width: 284px; + -webkit-border-radius: 10px; + -moz-border-radius: 10px; + border-radius: 10px; + } + +.project img { + border: none; + margin-right: 6px; + } + .beige { background: #f5f5df; } .gray { background: #e0e0e0; } @@ -502,7 +523,7 @@ } .featured-project { width: 313px; } - + /* FORM ------------*/ input, select { @@ -662,13 +683,13 @@ text-align: center; color: #222222; border: 2px solid #cbcbaf; - background-color: #ffffed; + background-color: #ffffed; padding: 20px 20px; width: 163px; margin: 0px 0px 0px 10px; - -webkit-border-radius: 5px; - -moz-border-radius: 5px; - border-radius: 5px; + -webkit-border-radius: 5px; + -moz-border-radius: 5px; + border-radius: 5px; } .dbox p { @@ -697,18 +718,18 @@ .dbox input:focus , .dbox select:focus { - -moz-box-shadow: 0px 0px 4px #cbcbaf; - -webkit-box-shadow: 0px 0px 4px #cbcbaf; - box-shadow: 0px 0px 4px #cbcbaf; - border:2px solid #cbcbaf; - background-color: #FFFFFF; - } + -moz-box-shadow: 0px 0px 4px #cbcbaf; + -webkit-box-shadow: 0px 0px 4px #cbcbaf; + box-shadow: 0px 0px 4px #cbcbaf; + border:2px solid #cbcbaf; + background-color: #FFFFFF; + } .dbox input.radio { - border: 0px solid; - background: #ffffed; - padding: 0px 0px; - } + border: 0px solid; + background: #ffffed; + padding: 0px 0px; + } .dbox select.cur { margin-right: 5px; @@ -733,14 +754,14 @@ width: 122px; margin-top: 0px; display: block; - background-color: transparent; - color: transparent; - border:0px solid transparent; - -webkit-border-radius: 5px; - -moz-border-radius: 5px; - border-radius: 5px; - margin: 10px auto 10px auto; - padding: 0px 0px 0px 0px; + background-color: transparent; + color: transparent; + border:0px solid transparent; + -webkit-border-radius: 5px; + -moz-border-radius: 5px; + border-radius: 5px; + margin: 10px auto 10px auto; + padding: 0px 0px 0px 0px; } .dbox span { @@ -847,9 +868,9 @@ width: 115px; margin-top: -3px; display: inline-block; - background-color: transparent; - color: transparent; - border:0px solid transparent; + background-color: transparent; + color: transparent; + border:0px solid transparent; } .dbox.dsmall { @@ -868,9 +889,9 @@ height: auto; margin-top: 0px; display: block; - background-color: transparent; - color: transparent; - border:0px solid transparent; + background-color: transparent; + color: transparent; + border:0px solid transparent; } .dbox.dsmall div label { Modified: website/trunk/css/typography.css =================================================================== --- website/trunk/css/typography.css 2011-08-04 17:48:07 UTC (rev 24945) +++ website/trunk/css/typography.css 2011-08-07 21:16:31 UTC (rev 24946) @@ -216,6 +216,11 @@ padding-left: 10px; margin: 0; } + +.project p { + line-height: 18px; +} + table h3 { font-size: 1.167em; } table p { margin: 0; Modified: website/trunk/en/index.wml =================================================================== --- website/trunk/en/index.wml 2011-08-04 17:48:07 UTC (rev 24945) +++ website/trunk/en/index.wml 2011-08-07 21:16:31 UTC (rev 24946) @@ -57,17 +57,21 @@ license: LGPL v2 --> <td> + <div class="project"> <a href="http://tails.boum.org/"><img src="$(IMGROOT)/icon-Tails.jpg" alt="Tails Icon"></a> <h3><a href="http://tails.boum.org/">Tails</a></h3> <p>Live CD/USB distribution preconfigured to use Tor safely.</p> + </div> </td> <td> + <div class="project"> <a href="https://guardianproject.info/apps/orbot/"><img src="$(IMGROOT)/icon-Orbot.jpg" alt="Orbot Icon"></a> <h3><a href="https://guardianproject.info/apps/orbot/">Orbot</a></h3> <p>Tor for <a href="https://code.google.com/android/">Google Android</a> devices.</p> + </div> </td> </tr> <tr> @@ -77,10 +81,12 @@ license: LGPL v3 --> <td> + <div class="project"> <a href="http://torstatus.blutmagie.de/"><img src="$(IMGROOT)/icon-TorStatus.jpg" alt="TorStatus Icon"></a> <h3><a href="http://torstatus.blutmagie.de/">TorStatus</a></h3> <p>Site providing an overview of the Tor network.</p> + </div> </td>  <td> + <div class="project"> <a href="http://www.atagar.com/arm/"><img src="$(IMGROOT)/icon-Arm.jpg" alt="Arm Icon"></a> <h3><a href="http://www.atagar.com/arm/">Arm</a></h3> <p>Terminal application for monitoring and configuring Tor.</p> + </div> </td> </tr> <tr> <td> + <div class="project"> <a href="<page torbutton/index>"><img src="$(IMGROOT)/icon-TorButton.jpg" alt="Torbutton Icon"></a> <h3><a href="<page torbutton/index>">Torbutton</a></h3> <p>Torbutton is a 1-click way for Firefox users to enable or disable Tor in Firefox.</p> + </div> </td> <td> + <div class="project"> <a href="https://check.torproject.org/"><img src="$(IMGROOT)/icon-TorCheck.jpg" alt="Tor Check Icon"></a> <h3><a href="https://check.torproject.org/">Check</a></h3> <p>Check determines if you are successfully browsing with Tor.</p> + </div> </td> </tr> <tr> <td> + <div class="project"> <a href="<page projects/vidalia>"><img src="$(IMGROOT)/icon-Vidalia.jpg" alt="Vidalia Icon"></a> <h3><a href="<page projects/vidalia>">Vidalia</a></h3> <p>Vidalia is a graphical way to control and view Tor's connections and settings.</p> + </div> </td> <td> + <div class="project"> <a href="<page projects/torbrowser>"><img src="$(IMGROOT)/icon-TorBrowser.jpg" alt="TorBrowser Icon"></a> <h3><a href="<page projects/torbrowser>">Tor Browser</a></h3> <p>Tor Browser contains everything you need to safely browse the Internet. </p> + </div> </td> </tr> </table> Modified: website/trunk/images/icon-Arm.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-Tails.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-TorBrowser.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-TorButton.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-TorCheck.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-TorStatus.jpg =================================================================== (Binary files differ) Modified: website/trunk/images/icon-Vidalia.jpg =================================================================== (Binary files differ)

1 0

[arm/master] Scripts for overriding system wide torrc
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit 881ae570ebbc486376ec1fe36488804c93a7976e Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 26 18:20:52 2011 -0700 Scripts for overriding system wide torrc Editing scripts made by Jake for overriding a root owned system wide torrc with an alternate made by arm. For more information see: https://trac.torproject.org/projects/tor/ticket/3629 --- src/resources/torrc-override/override.c | 50 ++++++ src/resources/torrc-override/override.h | 1 + src/resources/torrc-override/override.py | 265 ++++++++++++++++++++++++++++++ 3 files changed, 316 insertions(+), 0 deletions(-) diff --git a/src/resources/torrc-override/override.c b/src/resources/torrc-override/override.c new file mode 100644 index 0000000..b989584 --- /dev/null +++ b/src/resources/torrc-override/override.c @@ -0,0 +1,50 @@ +// +// This is a very small C wrapper that invokes +// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py to work around setuid scripting +// issues on the Gnu/Linux operating system. +// +// We assume you have installed it as such for GROUP +// "debian-arm" - This should ensure that only members of the GROUP group will +// be allowed to run this program. When run this program will execute the +// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py program and will run with the +// uid and group as marked by the OS. +// +// Compile it like so: +// +// make +// +// Or by hand like so: +// +// gcc -o tor-arm-replace-torrc tor-arm-replace-torrc.c +// +// Make it useful like so: +// +// chown root:debian-arm tor-arm-replace-torrc +// chmod 04750 tor-arm-replace-torrc +// +// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +// +// If you place a user inside of the $GROUP - they are now able to reconfigure +// Tor. This may lead them to do nasty things on your system. If you start Tor +// as root, you should consider that adding a user to $GROUP is similar to +// giving those users root directly. +// +// This program was written simply to help a users who run arm locally and is +// not required if arm is communicating with a remote Tor process. +// +// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +// +// + +#include <stdio.h> +#include <stdlib.h> +#include <sys/types.h> +#include <unistd.h> +#include "tor-arm-replace-torrc.h" + +int main() +{ + return execve(TOR_ARM_REPLACE_TORRC, NULL, NULL); +} diff --git a/src/resources/torrc-override/override.h b/src/resources/torrc-override/override.h new file mode 100644 index 0000000..65adc9d --- /dev/null +++ b/src/resources/torrc-override/override.h @@ -0,0 +1 @@ +#define TOR_ARM_REPLACE_TORRC HELPER_NAME diff --git a/src/resources/torrc-override/override.py b/src/resources/torrc-override/override.py new file mode 100755 index 0000000..6cfdbc6 --- /dev/null +++ b/src/resources/torrc-override/override.py @@ -0,0 +1,265 @@ +#!/usr/bin/python + +""" +This overwrites the system wide torrc, located at /etc/tor/torrc, with the +contents of the ARM_CONFIG_FILE. The system wide torrc is owned by root so +this will effectively need root permissions and for us to be in GROUP. + +This file is completely unusable until we make a tor-arm user and perform +other prep by running with the '--init' argument. + +After that's done this is meant to either be used by arm automatically after +writing a torrc to ARM_CONFIG_FILE or by users manually. For arm to use this +automatically you'll either need to... + +- compile torrc-override.c, setuid on the binary, and move it to your path + cd /usr/share/arm/resources/torrc-override + make + chown root:tor-arm override + chmod 04750 override + mv override /usr/bin/torrc-override + +- allow passwordless sudo for this script + edit /etc/sudoers and add a line with: + <arm user> ALL= NOPASSWD: /usr/share/arm/resources/torrc-override/override.py + +To perform this manually run: +/usr/share/arm/resources/torrc-override/override.py +pkill -sighup tor +""" + +import os +import sys +import grp +import pwd +import time +import shutil +import tempfile +import signal + +USER = "tor-arm" +GROUP = "tor-arm" +TOR_CONFIG_FILE = "/etc/tor/torrc" +ARM_CONFIG_FILE = "/var/lib/tor-arm/torrc" + +HELP_MSG = """Usage %s [OPTION] + Backup the system wide torrc (%s) and replace it with the + contents of %s. + + --init creates the necessary user and paths + --remove reverts changes made with --init +""" % (os.path.basename(sys.argv[0]), TOR_CONFIG_FILE, ARM_CONFIG_FILE) + +def init(): + """ + Performs system preparation needed for this script to run, adding the tor-arm + user and setting up paths/permissions. + """ + + # the following is just here if we have a custom destination directory (which + # arm doesn't currently account for) + if not os.path.exists("/bin/"): + print "making '/bin'..." + os.mkdir("/bin") + + if not os.path.exists("/var/lib/tor-arm/"): + print "making '/var/lib/tor-arm'..." + os.makedirs("/var/lib/tor-arm") + + if not os.path.exists("/var/lib/tor-arm/torrc"): + print "making '/var/lib/tor-arm/torrc'..." + open("/var/lib/tor-arm/torrc", 'w').close() + + try: gid = grp.getgrnam(GROUP).gr_gid + except KeyError: + print "adding %s group..." % GROUP + os.system("addgroup --quiet --system %s" % GROUP) + gid = grp.getgrnam(GROUP).gr_gid + print " done, gid: %s" % gid + + try: pwd.getpwnam(USER).pw_uid + except KeyError: + print "adding %s user..." % USER + os.system("adduser --quiet --ingroup %s --no-create-home --home /var/lib/tor-arm/ --shell /bin/sh --system %s" % (GROUP, USER)) + uid = pwd.getpwnam(USER).pw_uid + print " done, uid: %s" % uid + + os.chown("/bin", 0, 0) + os.chown("/var/lib/tor-arm", 0, gid) + os.chmod("/var/lib/tor-arm", 0750) + os.chown("/var/lib/tor-arm/torrc", 0, gid) + os.chmod("/var/lib/tor-arm/torrc", 0760) + +def remove(): + """ + Reverts the changes made by init, and also removes the optional + /bin/torrc-override binary if it exists. + """ + + print "removing %s user..." % USER + os.system("deluser --quiet %s" % USER) + + print "removing %s group..." % GROUP + os.system("delgroup --quiet %s" % GROUP) + + # might not exist since this is compiled and placed separately + try: + print "removing '/bin/torrc-override'..." + os.remove("/bin/torrc-override") + except OSError: + print " no such path" + + try: + print "removing '/var/lib/tor-arm'..." + shutil.rmtree("/var/lib/tor-arm/") + except Exception, exc: + print " unsuccessful: %s" % exc + +def replaceTorrc(): + orig_uid = os.getuid() + orig_euid = os.geteuid() + + # the USER and GROUP must exist on this system + try: + dropped_uid = pwd.getpwnam(USER).pw_uid + dropped_gid = grp.getgrnam(GROUP).gr_gid + dropped_euid, dropped_egid = dropped_uid, dropped_gid + except KeyError: + print "tor-arm user and group was not found, have you run this script with '--init'?" + exit(1) + + # if we're actually root, we skip this group check + # root can get away with all of this + if orig_uid != 0: + # check that the user is in GROUP + if not dropped_gid in os.getgroups(): + print "Your user needs to be a member of the %s group for this to work" % GROUP + sys.exit(1) + + # drop to the unprivileged group, and lose the rest of the groups + os.setgid(dropped_gid) + os.setegid(dropped_egid) + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + os.setgroups([dropped_gid]) + + # make a tempfile and write out the contents + try: + tf = tempfile.NamedTemporaryFile(delete=False) # uses mkstemp internally + + # allows our child process to write to tf.name (not only if their uid matches, not their gid) + os.chown(tf.name, dropped_uid, orig_euid) + except: + print "We were unable to make a temporary file" + sys.exit(1) + + fork_pid = os.fork() + + # open the suspect config after we drop privs + # we assume the dropped privs are still enough to write to the tf + if (fork_pid == 0): + signal.signal(signal.SIGCHLD, signal.SIG_IGN) + + # Drop privs forever in the child process + # I believe this drops os.setfsuid os.setfsgid stuff + # Clear all other supplemental groups for dropped_uid + os.setgroups([dropped_gid]) + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + os.setresuid(dropped_uid, dropped_euid, dropped_uid) + os.setgid(dropped_gid) + os.setegid(dropped_egid) + os.setuid(dropped_uid) + os.seteuid(dropped_euid) + + try: + af = open(ARM_CONFIG_FILE) # this is totally unpriv'ed + + # ensure that the fd we opened has the properties we requrie + configStat = os.fstat(af.fileno()) # this happens on the unpriv'ed FD + if configStat.st_gid != dropped_gid: + print "Arm's configuration file (%s) must be owned by the group %s" % (ARM_CONFIG_FILE, GROUP) + sys.exit(1) + + # if everything checks out, we're as safe as we're going to get + armConfig = af.read(1024 * 1024) # limited read but not too limited + af.close() + tf.file.write(armConfig) + tf.flush() + except: + print "Unable to open the arm config as unpriv'ed user" + sys.exit(1) + finally: + tf.close() + sys.exit(0) + else: + # If we're here, we're in the parent waiting for the child's death + # man, unix is really weird... + _, status = os.waitpid(fork_pid, 0) + + if status != 0: + print "The child seems to have failed; exiting!" + tf.close() + sys.exit(1) + + # attempt to verify that the config is OK + if os.path.exists(tf.name): + # construct our SU string + SUSTRING = "su -c 'tor --verify-config -f " + str(tf.name) + "' " + USER + # We raise privs to drop them with 'su' + os.setuid(0) + os.seteuid(0) + os.setgid(0) + os.setegid(0) + # We drop privs here and exec tor to verify it as the dropped_uid + print "Using Tor to verify that arm will not break Tor's config:" + success = os.system(SUSTRING) + if success != 0: + print "Tor says the new configuration file is invalid: %s (%s)" % (ARM_CONFIG_FILE, tf.name) + sys.exit(1) + + # backup the previous tor config + if os.path.exists(TOR_CONFIG_FILE): + try: + backupFilename = "%s_backup_%i" % (TOR_CONFIG_FILE, int(time.time())) + shutil.copy(TOR_CONFIG_FILE, backupFilename) + except IOError, exc: + print "Unable to backup %s (%s)" % (TOR_CONFIG_FILE, exc) + sys.exit(1) + + # overwrites TOR_CONFIG_FILE with ARM_CONFIG_FILE as loaded into tf.name + try: + shutil.copy(tf.name, TOR_CONFIG_FILE) + print "Successfully reconfigured Tor" + except IOError, exc: + print "Unable to copy %s to %s (%s)" % (tf.name, TOR_CONFIG_FILE, exc) + sys.exit(1) + + # unlink our temp file + try: + os.remove(tf.name) + except: + print "Unable to close temp file %s" % tf.name + sys.exit(1) + + sys.exit(0) + +if __name__ == "__main__": + # sanity check that we're on linux + if os.name != "posix": + print "This is a script specifically for configuring Linux" + sys.exit(1) + + # check that we're running effectively as root + if os.geteuid() != 0: + print "This script needs to be run as root" + sys.exit(1) + + if len(sys.argv) < 2: + replaceTorrc() + elif len(sys.argv) == 2 and sys.argv[1] == "--init": + init() + elif len(sys.argv) == 2 and sys.argv[1] == "--remove": + remove() + else: + print HELP_MSG + sys.exit(1) +

1 0

[arm/master] fix: renaming torrc-override to torrcOverride
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit b05003e808913ec89a206ae9abec7031392e902b Author: Damian Johnson <atagar(a)torproject.org> Date: Tue Jul 26 19:26:51 2011 -0700 fix: renaming torrc-override to torrcOverride Everything else uses camel case so changing to match. --- src/resources/torrc-override/override.c | 50 ------ src/resources/torrc-override/override.h | 1 - src/resources/torrc-override/override.py | 265 ------------------------------ src/resources/torrcOverride/override.c | 50 ++++++ src/resources/torrcOverride/override.h | 1 + src/resources/torrcOverride/override.py | 265 ++++++++++++++++++++++++++++++ 6 files changed, 316 insertions(+), 316 deletions(-) diff --git a/src/resources/torrc-override/override.c b/src/resources/torrc-override/override.c deleted file mode 100644 index b989584..0000000 --- a/src/resources/torrc-override/override.c +++ /dev/null @@ -1,50 +0,0 @@ -// -// This is a very small C wrapper that invokes -// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py to work around setuid scripting -// issues on the Gnu/Linux operating system. -// -// We assume you have installed it as such for GROUP -// "debian-arm" - This should ensure that only members of the GROUP group will -// be allowed to run this program. When run this program will execute the -// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py program and will run with the -// uid and group as marked by the OS. -// -// Compile it like so: -// -// make -// -// Or by hand like so: -// -// gcc -o tor-arm-replace-torrc tor-arm-replace-torrc.c -// -// Make it useful like so: -// -// chown root:debian-arm tor-arm-replace-torrc -// chmod 04750 tor-arm-replace-torrc -// -// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -// -// If you place a user inside of the $GROUP - they are now able to reconfigure -// Tor. This may lead them to do nasty things on your system. If you start Tor -// as root, you should consider that adding a user to $GROUP is similar to -// giving those users root directly. -// -// This program was written simply to help a users who run arm locally and is -// not required if arm is communicating with a remote Tor process. -// -// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -// -// - -#include <stdio.h> -#include <stdlib.h> -#include <sys/types.h> -#include <unistd.h> -#include "tor-arm-replace-torrc.h" - -int main() -{ - return execve(TOR_ARM_REPLACE_TORRC, NULL, NULL); -} diff --git a/src/resources/torrc-override/override.h b/src/resources/torrc-override/override.h deleted file mode 100644 index 65adc9d..0000000 --- a/src/resources/torrc-override/override.h +++ /dev/null @@ -1 +0,0 @@ -#define TOR_ARM_REPLACE_TORRC HELPER_NAME diff --git a/src/resources/torrc-override/override.py b/src/resources/torrc-override/override.py deleted file mode 100755 index 6cfdbc6..0000000 --- a/src/resources/torrc-override/override.py +++ /dev/null @@ -1,265 +0,0 @@ -#!/usr/bin/python - -""" -This overwrites the system wide torrc, located at /etc/tor/torrc, with the -contents of the ARM_CONFIG_FILE. The system wide torrc is owned by root so -this will effectively need root permissions and for us to be in GROUP. - -This file is completely unusable until we make a tor-arm user and perform -other prep by running with the '--init' argument. - -After that's done this is meant to either be used by arm automatically after -writing a torrc to ARM_CONFIG_FILE or by users manually. For arm to use this -automatically you'll either need to... - -- compile torrc-override.c, setuid on the binary, and move it to your path - cd /usr/share/arm/resources/torrc-override - make - chown root:tor-arm override - chmod 04750 override - mv override /usr/bin/torrc-override - -- allow passwordless sudo for this script - edit /etc/sudoers and add a line with: - <arm user> ALL= NOPASSWD: /usr/share/arm/resources/torrc-override/override.py - -To perform this manually run: -/usr/share/arm/resources/torrc-override/override.py -pkill -sighup tor -""" - -import os -import sys -import grp -import pwd -import time -import shutil -import tempfile -import signal - -USER = "tor-arm" -GROUP = "tor-arm" -TOR_CONFIG_FILE = "/etc/tor/torrc" -ARM_CONFIG_FILE = "/var/lib/tor-arm/torrc" - -HELP_MSG = """Usage %s [OPTION] - Backup the system wide torrc (%s) and replace it with the - contents of %s. - - --init creates the necessary user and paths - --remove reverts changes made with --init -""" % (os.path.basename(sys.argv[0]), TOR_CONFIG_FILE, ARM_CONFIG_FILE) - -def init(): - """ - Performs system preparation needed for this script to run, adding the tor-arm - user and setting up paths/permissions. - """ - - # the following is just here if we have a custom destination directory (which - # arm doesn't currently account for) - if not os.path.exists("/bin/"): - print "making '/bin'..." - os.mkdir("/bin") - - if not os.path.exists("/var/lib/tor-arm/"): - print "making '/var/lib/tor-arm'..." - os.makedirs("/var/lib/tor-arm") - - if not os.path.exists("/var/lib/tor-arm/torrc"): - print "making '/var/lib/tor-arm/torrc'..." - open("/var/lib/tor-arm/torrc", 'w').close() - - try: gid = grp.getgrnam(GROUP).gr_gid - except KeyError: - print "adding %s group..." % GROUP - os.system("addgroup --quiet --system %s" % GROUP) - gid = grp.getgrnam(GROUP).gr_gid - print " done, gid: %s" % gid - - try: pwd.getpwnam(USER).pw_uid - except KeyError: - print "adding %s user..." % USER - os.system("adduser --quiet --ingroup %s --no-create-home --home /var/lib/tor-arm/ --shell /bin/sh --system %s" % (GROUP, USER)) - uid = pwd.getpwnam(USER).pw_uid - print " done, uid: %s" % uid - - os.chown("/bin", 0, 0) - os.chown("/var/lib/tor-arm", 0, gid) - os.chmod("/var/lib/tor-arm", 0750) - os.chown("/var/lib/tor-arm/torrc", 0, gid) - os.chmod("/var/lib/tor-arm/torrc", 0760) - -def remove(): - """ - Reverts the changes made by init, and also removes the optional - /bin/torrc-override binary if it exists. - """ - - print "removing %s user..." % USER - os.system("deluser --quiet %s" % USER) - - print "removing %s group..." % GROUP - os.system("delgroup --quiet %s" % GROUP) - - # might not exist since this is compiled and placed separately - try: - print "removing '/bin/torrc-override'..." - os.remove("/bin/torrc-override") - except OSError: - print " no such path" - - try: - print "removing '/var/lib/tor-arm'..." - shutil.rmtree("/var/lib/tor-arm/") - except Exception, exc: - print " unsuccessful: %s" % exc - -def replaceTorrc(): - orig_uid = os.getuid() - orig_euid = os.geteuid() - - # the USER and GROUP must exist on this system - try: - dropped_uid = pwd.getpwnam(USER).pw_uid - dropped_gid = grp.getgrnam(GROUP).gr_gid - dropped_euid, dropped_egid = dropped_uid, dropped_gid - except KeyError: - print "tor-arm user and group was not found, have you run this script with '--init'?" - exit(1) - - # if we're actually root, we skip this group check - # root can get away with all of this - if orig_uid != 0: - # check that the user is in GROUP - if not dropped_gid in os.getgroups(): - print "Your user needs to be a member of the %s group for this to work" % GROUP - sys.exit(1) - - # drop to the unprivileged group, and lose the rest of the groups - os.setgid(dropped_gid) - os.setegid(dropped_egid) - os.setresgid(dropped_gid, dropped_egid, dropped_gid) - os.setgroups([dropped_gid]) - - # make a tempfile and write out the contents - try: - tf = tempfile.NamedTemporaryFile(delete=False) # uses mkstemp internally - - # allows our child process to write to tf.name (not only if their uid matches, not their gid) - os.chown(tf.name, dropped_uid, orig_euid) - except: - print "We were unable to make a temporary file" - sys.exit(1) - - fork_pid = os.fork() - - # open the suspect config after we drop privs - # we assume the dropped privs are still enough to write to the tf - if (fork_pid == 0): - signal.signal(signal.SIGCHLD, signal.SIG_IGN) - - # Drop privs forever in the child process - # I believe this drops os.setfsuid os.setfsgid stuff - # Clear all other supplemental groups for dropped_uid - os.setgroups([dropped_gid]) - os.setresgid(dropped_gid, dropped_egid, dropped_gid) - os.setresuid(dropped_uid, dropped_euid, dropped_uid) - os.setgid(dropped_gid) - os.setegid(dropped_egid) - os.setuid(dropped_uid) - os.seteuid(dropped_euid) - - try: - af = open(ARM_CONFIG_FILE) # this is totally unpriv'ed - - # ensure that the fd we opened has the properties we requrie - configStat = os.fstat(af.fileno()) # this happens on the unpriv'ed FD - if configStat.st_gid != dropped_gid: - print "Arm's configuration file (%s) must be owned by the group %s" % (ARM_CONFIG_FILE, GROUP) - sys.exit(1) - - # if everything checks out, we're as safe as we're going to get - armConfig = af.read(1024 * 1024) # limited read but not too limited - af.close() - tf.file.write(armConfig) - tf.flush() - except: - print "Unable to open the arm config as unpriv'ed user" - sys.exit(1) - finally: - tf.close() - sys.exit(0) - else: - # If we're here, we're in the parent waiting for the child's death - # man, unix is really weird... - _, status = os.waitpid(fork_pid, 0) - - if status != 0: - print "The child seems to have failed; exiting!" - tf.close() - sys.exit(1) - - # attempt to verify that the config is OK - if os.path.exists(tf.name): - # construct our SU string - SUSTRING = "su -c 'tor --verify-config -f " + str(tf.name) + "' " + USER - # We raise privs to drop them with 'su' - os.setuid(0) - os.seteuid(0) - os.setgid(0) - os.setegid(0) - # We drop privs here and exec tor to verify it as the dropped_uid - print "Using Tor to verify that arm will not break Tor's config:" - success = os.system(SUSTRING) - if success != 0: - print "Tor says the new configuration file is invalid: %s (%s)" % (ARM_CONFIG_FILE, tf.name) - sys.exit(1) - - # backup the previous tor config - if os.path.exists(TOR_CONFIG_FILE): - try: - backupFilename = "%s_backup_%i" % (TOR_CONFIG_FILE, int(time.time())) - shutil.copy(TOR_CONFIG_FILE, backupFilename) - except IOError, exc: - print "Unable to backup %s (%s)" % (TOR_CONFIG_FILE, exc) - sys.exit(1) - - # overwrites TOR_CONFIG_FILE with ARM_CONFIG_FILE as loaded into tf.name - try: - shutil.copy(tf.name, TOR_CONFIG_FILE) - print "Successfully reconfigured Tor" - except IOError, exc: - print "Unable to copy %s to %s (%s)" % (tf.name, TOR_CONFIG_FILE, exc) - sys.exit(1) - - # unlink our temp file - try: - os.remove(tf.name) - except: - print "Unable to close temp file %s" % tf.name - sys.exit(1) - - sys.exit(0) - -if __name__ == "__main__": - # sanity check that we're on linux - if os.name != "posix": - print "This is a script specifically for configuring Linux" - sys.exit(1) - - # check that we're running effectively as root - if os.geteuid() != 0: - print "This script needs to be run as root" - sys.exit(1) - - if len(sys.argv) < 2: - replaceTorrc() - elif len(sys.argv) == 2 and sys.argv[1] == "--init": - init() - elif len(sys.argv) == 2 and sys.argv[1] == "--remove": - remove() - else: - print HELP_MSG - sys.exit(1) - diff --git a/src/resources/torrcOverride/override.c b/src/resources/torrcOverride/override.c new file mode 100644 index 0000000..b989584 --- /dev/null +++ b/src/resources/torrcOverride/override.c @@ -0,0 +1,50 @@ +// +// This is a very small C wrapper that invokes +// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py to work around setuid scripting +// issues on the Gnu/Linux operating system. +// +// We assume you have installed it as such for GROUP +// "debian-arm" - This should ensure that only members of the GROUP group will +// be allowed to run this program. When run this program will execute the +// $(DESTDIR)/usr/bin/tor-arm-replace-torrc.py program and will run with the +// uid and group as marked by the OS. +// +// Compile it like so: +// +// make +// +// Or by hand like so: +// +// gcc -o tor-arm-replace-torrc tor-arm-replace-torrc.c +// +// Make it useful like so: +// +// chown root:debian-arm tor-arm-replace-torrc +// chmod 04750 tor-arm-replace-torrc +// +// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +// +// If you place a user inside of the $GROUP - they are now able to reconfigure +// Tor. This may lead them to do nasty things on your system. If you start Tor +// as root, you should consider that adding a user to $GROUP is similar to +// giving those users root directly. +// +// This program was written simply to help a users who run arm locally and is +// not required if arm is communicating with a remote Tor process. +// +// XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +// !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!WARNING!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! +// +// + +#include <stdio.h> +#include <stdlib.h> +#include <sys/types.h> +#include <unistd.h> +#include "tor-arm-replace-torrc.h" + +int main() +{ + return execve(TOR_ARM_REPLACE_TORRC, NULL, NULL); +} diff --git a/src/resources/torrcOverride/override.h b/src/resources/torrcOverride/override.h new file mode 100644 index 0000000..65adc9d --- /dev/null +++ b/src/resources/torrcOverride/override.h @@ -0,0 +1 @@ +#define TOR_ARM_REPLACE_TORRC HELPER_NAME diff --git a/src/resources/torrcOverride/override.py b/src/resources/torrcOverride/override.py new file mode 100755 index 0000000..3e42892 --- /dev/null +++ b/src/resources/torrcOverride/override.py @@ -0,0 +1,265 @@ +#!/usr/bin/python + +""" +This overwrites the system wide torrc, located at /etc/tor/torrc, with the +contents of the ARM_CONFIG_FILE. The system wide torrc is owned by root so +this will effectively need root permissions and for us to be in GROUP. + +This file is completely unusable until we make a tor-arm user and perform +other prep by running with the '--init' argument. + +After that's done this is meant to either be used by arm automatically after +writing a torrc to ARM_CONFIG_FILE or by users manually. For arm to use this +automatically you'll either need to... + +- compile override.c, setuid on the binary, and move it to your path + cd /usr/share/arm/resources/torrcOverride + make + chown root:tor-arm override + chmod 04750 override + mv override /usr/bin/torrc-override + +- allow passwordless sudo for this script + edit /etc/sudoers and add a line with: + <arm user> ALL= NOPASSWD: /usr/share/arm/resources/torrcOverride/override.py + +To perform this manually run: +/usr/share/arm/resources/torrcOverride/override.py +pkill -sighup tor +""" + +import os +import sys +import grp +import pwd +import time +import shutil +import tempfile +import signal + +USER = "tor-arm" +GROUP = "tor-arm" +TOR_CONFIG_FILE = "/etc/tor/torrc" +ARM_CONFIG_FILE = "/var/lib/tor-arm/torrc" + +HELP_MSG = """Usage %s [OPTION] + Backup the system wide torrc (%s) and replace it with the + contents of %s. + + --init creates the necessary user and paths + --remove reverts changes made with --init +""" % (os.path.basename(sys.argv[0]), TOR_CONFIG_FILE, ARM_CONFIG_FILE) + +def init(): + """ + Performs system preparation needed for this script to run, adding the tor-arm + user and setting up paths/permissions. + """ + + # the following is just here if we have a custom destination directory (which + # arm doesn't currently account for) + if not os.path.exists("/bin/"): + print "making '/bin'..." + os.mkdir("/bin") + + if not os.path.exists("/var/lib/tor-arm/"): + print "making '/var/lib/tor-arm'..." + os.makedirs("/var/lib/tor-arm") + + if not os.path.exists("/var/lib/tor-arm/torrc"): + print "making '/var/lib/tor-arm/torrc'..." + open("/var/lib/tor-arm/torrc", 'w').close() + + try: gid = grp.getgrnam(GROUP).gr_gid + except KeyError: + print "adding %s group..." % GROUP + os.system("addgroup --quiet --system %s" % GROUP) + gid = grp.getgrnam(GROUP).gr_gid + print " done, gid: %s" % gid + + try: pwd.getpwnam(USER).pw_uid + except KeyError: + print "adding %s user..." % USER + os.system("adduser --quiet --ingroup %s --no-create-home --home /var/lib/tor-arm/ --shell /bin/sh --system %s" % (GROUP, USER)) + uid = pwd.getpwnam(USER).pw_uid + print " done, uid: %s" % uid + + os.chown("/bin", 0, 0) + os.chown("/var/lib/tor-arm", 0, gid) + os.chmod("/var/lib/tor-arm", 0750) + os.chown("/var/lib/tor-arm/torrc", 0, gid) + os.chmod("/var/lib/tor-arm/torrc", 0760) + +def remove(): + """ + Reverts the changes made by init, and also removes the optional + /bin/torrc-override binary if it exists. + """ + + print "removing %s user..." % USER + os.system("deluser --quiet %s" % USER) + + print "removing %s group..." % GROUP + os.system("delgroup --quiet %s" % GROUP) + + # might not exist since this is compiled and placed separately + try: + print "removing '/bin/torrc-override'..." + os.remove("/bin/torrc-override") + except OSError: + print " no such path" + + try: + print "removing '/var/lib/tor-arm'..." + shutil.rmtree("/var/lib/tor-arm/") + except Exception, exc: + print " unsuccessful: %s" % exc + +def replaceTorrc(): + orig_uid = os.getuid() + orig_euid = os.geteuid() + + # the USER and GROUP must exist on this system + try: + dropped_uid = pwd.getpwnam(USER).pw_uid + dropped_gid = grp.getgrnam(GROUP).gr_gid + dropped_euid, dropped_egid = dropped_uid, dropped_gid + except KeyError: + print "tor-arm user and group was not found, have you run this script with '--init'?" + exit(1) + + # if we're actually root, we skip this group check + # root can get away with all of this + if orig_uid != 0: + # check that the user is in GROUP + if not dropped_gid in os.getgroups(): + print "Your user needs to be a member of the %s group for this to work" % GROUP + sys.exit(1) + + # drop to the unprivileged group, and lose the rest of the groups + os.setgid(dropped_gid) + os.setegid(dropped_egid) + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + os.setgroups([dropped_gid]) + + # make a tempfile and write out the contents + try: + tf = tempfile.NamedTemporaryFile(delete=False) # uses mkstemp internally + + # allows our child process to write to tf.name (not only if their uid matches, not their gid) + os.chown(tf.name, dropped_uid, orig_euid) + except: + print "We were unable to make a temporary file" + sys.exit(1) + + fork_pid = os.fork() + + # open the suspect config after we drop privs + # we assume the dropped privs are still enough to write to the tf + if (fork_pid == 0): + signal.signal(signal.SIGCHLD, signal.SIG_IGN) + + # Drop privs forever in the child process + # I believe this drops os.setfsuid os.setfsgid stuff + # Clear all other supplemental groups for dropped_uid + os.setgroups([dropped_gid]) + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + os.setresuid(dropped_uid, dropped_euid, dropped_uid) + os.setgid(dropped_gid) + os.setegid(dropped_egid) + os.setuid(dropped_uid) + os.seteuid(dropped_euid) + + try: + af = open(ARM_CONFIG_FILE) # this is totally unpriv'ed + + # ensure that the fd we opened has the properties we requrie + configStat = os.fstat(af.fileno()) # this happens on the unpriv'ed FD + if configStat.st_gid != dropped_gid: + print "Arm's configuration file (%s) must be owned by the group %s" % (ARM_CONFIG_FILE, GROUP) + sys.exit(1) + + # if everything checks out, we're as safe as we're going to get + armConfig = af.read(1024 * 1024) # limited read but not too limited + af.close() + tf.file.write(armConfig) + tf.flush() + except: + print "Unable to open the arm config as unpriv'ed user" + sys.exit(1) + finally: + tf.close() + sys.exit(0) + else: + # If we're here, we're in the parent waiting for the child's death + # man, unix is really weird... + _, status = os.waitpid(fork_pid, 0) + + if status != 0: + print "The child seems to have failed; exiting!" + tf.close() + sys.exit(1) + + # attempt to verify that the config is OK + if os.path.exists(tf.name): + # construct our SU string + SUSTRING = "su -c 'tor --verify-config -f " + str(tf.name) + "' " + USER + # We raise privs to drop them with 'su' + os.setuid(0) + os.seteuid(0) + os.setgid(0) + os.setegid(0) + # We drop privs here and exec tor to verify it as the dropped_uid + print "Using Tor to verify that arm will not break Tor's config:" + success = os.system(SUSTRING) + if success != 0: + print "Tor says the new configuration file is invalid: %s (%s)" % (ARM_CONFIG_FILE, tf.name) + sys.exit(1) + + # backup the previous tor config + if os.path.exists(TOR_CONFIG_FILE): + try: + backupFilename = "%s_backup_%i" % (TOR_CONFIG_FILE, int(time.time())) + shutil.copy(TOR_CONFIG_FILE, backupFilename) + except IOError, exc: + print "Unable to backup %s (%s)" % (TOR_CONFIG_FILE, exc) + sys.exit(1) + + # overwrites TOR_CONFIG_FILE with ARM_CONFIG_FILE as loaded into tf.name + try: + shutil.copy(tf.name, TOR_CONFIG_FILE) + print "Successfully reconfigured Tor" + except IOError, exc: + print "Unable to copy %s to %s (%s)" % (tf.name, TOR_CONFIG_FILE, exc) + sys.exit(1) + + # unlink our temp file + try: + os.remove(tf.name) + except: + print "Unable to close temp file %s" % tf.name + sys.exit(1) + + sys.exit(0) + +if __name__ == "__main__": + # sanity check that we're on linux + if os.name != "posix": + print "This is a script specifically for configuring Linux" + sys.exit(1) + + # check that we're running effectively as root + if os.geteuid() != 0: + print "This script needs to be run as root" + sys.exit(1) + + if len(sys.argv) < 2: + replaceTorrc() + elif len(sys.argv) == 2 and sys.argv[1] == "--init": + init() + elif len(sys.argv) == 2 and sys.argv[1] == "--remove": + remove() + else: + print HELP_MSG + sys.exit(1) +

1 0

[arm/master] fix: existance check before removing paths
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit 3af68f600f58f3a791958a94d274d70676efeec7 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jul 27 06:19:13 2011 -0700 fix: existance check before removing paths --- src/resources/torrcOverride/override.py | 23 ++++++++++++----------- 1 files changed, 12 insertions(+), 11 deletions(-) diff --git a/src/resources/torrcOverride/override.py b/src/resources/torrcOverride/override.py index 3e42892..21e6b28 100755 --- a/src/resources/torrcOverride/override.py +++ b/src/resources/torrcOverride/override.py @@ -102,18 +102,19 @@ def remove(): print "removing %s group..." % GROUP os.system("delgroup --quiet %s" % GROUP) - # might not exist since this is compiled and placed separately - try: - print "removing '/bin/torrc-override'..." - os.remove("/bin/torrc-override") - except OSError: - print " no such path" + if os.path.exists("/bin/torrc-override"): + try: + print "removing '/bin/torrc-override'..." + os.remove("/bin/torrc-override") + except OSError, exc: + print " unsuccessful: %s" % exc - try: - print "removing '/var/lib/tor-arm'..." - shutil.rmtree("/var/lib/tor-arm/") - except Exception, exc: - print " unsuccessful: %s" % exc + if os.path.exists("/var/lib/tor-arm/"): + try: + print "removing '/var/lib/tor-arm'..." + shutil.rmtree("/var/lib/tor-arm/") + except Exception, exc: + print " unsuccessful: %s" % exc def replaceTorrc(): orig_uid = os.getuid()

1 0

[arm/master] fix: hardcoding path for override script
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit f1792cdb7790c4dbfbff4f244aeb0a9bf0dc4f11 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jul 27 11:10:31 2011 -0700 fix: hardcoding path for override script Header file for the setuid wrapper required on the make file for determining the path for the python script it executes. Moving this into the header file instead. --- src/resources/torrcOverride/override.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/resources/torrcOverride/override.h b/src/resources/torrcOverride/override.h index 65adc9d..8bb8869 100644 --- a/src/resources/torrcOverride/override.h +++ b/src/resources/torrcOverride/override.h @@ -1 +1 @@ -#define TOR_ARM_REPLACE_TORRC HELPER_NAME +#define TOR_ARM_REPLACE_TORRC /usr/share/arm/resources/torrcOverride/override.py

1 0

[arm/master] Added validation that torrc is wizard generated
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit 8f313c620eeec6bfa3c5845fb5c3a7ff187f82ea Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jul 27 07:44:34 2011 -0700 Added validation that torrc is wizard generated Doing regex checks that the options match what the arm wizard would produce. --- src/resources/torrcOverride/override.py | 92 ++++++++++++++++++++++++++++--- 1 files changed, 83 insertions(+), 9 deletions(-) diff --git a/src/resources/torrcOverride/override.py b/src/resources/torrcOverride/override.py index 21e6b28..dffa3a5 100755 --- a/src/resources/torrcOverride/override.py +++ b/src/resources/torrcOverride/override.py @@ -29,6 +29,7 @@ pkill -sighup tor """ import os +import re import sys import grp import pwd @@ -41,13 +42,40 @@ USER = "tor-arm" GROUP = "tor-arm" TOR_CONFIG_FILE = "/etc/tor/torrc" ARM_CONFIG_FILE = "/var/lib/tor-arm/torrc" +RUN_VERIFY = True # use 'tor --verify-config' to check the torrc + +# regex patterns for options the wizard may include +WIZARD_OPT = ("^DataDirectory \S+$", + "^Log notice file \S+$", + "^ControlPort 9052$", + "^CookieAuthentication 1$", + "^RunAsDaemon 1$", + "^User \S+$", + "^ORPort (443|9001)$", + "^DirPort (80|9030)$", + "^Nickname ", + "^ContactInfo ", + "^BridgeRelay 1$", + "^PublishServerDescriptor 0$", + "^RelayBandwidthRate ", + "^RelayBandwidthBurst ", + "^AccountingMax ", + "^SocksPort 0$", + "^PortForwarding 1$", + "^ExitPolicy (accept|reject) \S+$", + "^DirPortFrontPage \S+$", + "^ClientOnly 1$", + "^MaxCircuitDirtiness ", + "^UseBridges 1$", + "^Bridge ") HELP_MSG = """Usage %s [OPTION] Backup the system wide torrc (%s) and replace it with the contents of %s. - --init creates the necessary user and paths - --remove reverts changes made with --init + --init creates the necessary user and paths + --remove reverts changes made with --init + --validate PATH checks if the given file is wizard generated """ % (os.path.basename(sys.argv[0]), TOR_CONFIG_FILE, ARM_CONFIG_FILE) def init(): @@ -196,27 +224,37 @@ def replaceTorrc(): # man, unix is really weird... _, status = os.waitpid(fork_pid, 0) - if status != 0: + if status != 0 or not os.path.exists(tf.name): print "The child seems to have failed; exiting!" tf.close() sys.exit(1) # attempt to verify that the config is OK - if os.path.exists(tf.name): - # construct our SU string - SUSTRING = "su -c 'tor --verify-config -f " + str(tf.name) + "' " + USER - # We raise privs to drop them with 'su' + if RUN_VERIFY: + # raise privilages to drop them with 'su' os.setuid(0) os.seteuid(0) os.setgid(0) os.setegid(0) - # We drop privs here and exec tor to verify it as the dropped_uid + + # drop privilages and exec tor to verify it as the dropped_uid print "Using Tor to verify that arm will not break Tor's config:" - success = os.system(SUSTRING) + verifyCmd = "su -c 'tor --verify-config -f %s' %s" % (tf.name, USER) + success = os.system(verifyCmd) + if success != 0: print "Tor says the new configuration file is invalid: %s (%s)" % (ARM_CONFIG_FILE, tf.name) sys.exit(1) + # validates that the torrc matches what the wizard could produce + torrcFile = open(tf.name) + torrcContents = torrcFile.readlines() + torrcFile.close() + + if not isWizardGenerated(torrcContents): + print "torrc doesn't match what we'd expect from the setup wizard" + sys.exit(1) + # backup the previous tor config if os.path.exists(TOR_CONFIG_FILE): try: @@ -243,6 +281,34 @@ def replaceTorrc(): sys.exit(0) +def isWizardGenerated(torrcLines): + """ + True if the given torrc contents could be generated by the wizard, false + otherwise. This just checks the basic format and options used, not the + validity of most generated values so this could still be rejected by tor. + """ + + wizardPatterns = [re.compile(opt) for opt in WIZARD_OPT] + + for line in torrcLines: + commentStart = line.find("#") + if commentStart != -1: line = line[:commentStart] + + line = line.strip() + if not line: continue # blank line + + isRecognized = False + for pattern in wizardPatterns: + if pattern.match(line): + isRecognized = True + break + + if not isRecognized: + print "Unrecognized torrc contents: %s" % line + return False + + return True + if __name__ == "__main__": # sanity check that we're on linux if os.name != "posix": @@ -260,6 +326,14 @@ if __name__ == "__main__": init() elif len(sys.argv) == 2 and sys.argv[1] == "--remove": remove() + elif len(sys.argv) == 3 and sys.argv[1] == "--validate": + torrcFile = open(sys.argv[2]) + torrcContents = torrcFile.readlines() + torrcFile.close() + + isValid = isWizardGenerated(torrcContents) + if isValid: print "torrc validated" + else: print "torrc invalid" else: print HELP_MSG sys.exit(1)

1 0

[arm/master] fix: skipping torrc backup when for system copy
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit 784d618b22a800f3abe148b0cb178b12cc7f3d05 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jul 27 13:35:40 2011 -0700 fix: skipping torrc backup when for system copy The wizard attempts to back up the torrc but, if we're editing the system copy, we'll lack the permissions for this. The override.py makes its own backup so this is fine. --- src/cli/wizard.py | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/cli/wizard.py b/src/cli/wizard.py index 31f2f70..6d9d488 100644 --- a/src/cli/wizard.py +++ b/src/cli/wizard.py @@ -353,7 +353,7 @@ def showWizard(): # if the torrc already exists then save it to a _bak file isBackedUp = False - if os.path.exists(torrcLocation): + if os.path.exists(torrcLocation) and not isSystemReplace: try: shutil.copy(torrcLocation, torrcLocation + "_bak") isBackedUp = True

1 0

[arm/master] Wizard hooks for configuring system wide torrc
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit ec49c74ba52d9410d6f108a4e76dfad063d40500 Author: Damian Johnson <atagar(a)torproject.org> Date: Wed Jul 27 12:10:02 2011 -0700 Wizard hooks for configuring system wide torrc Providing an option to apply the wizard config to the system wide torrc if it's available (user has already done the --init prep). --- src/cli/wizard.py | 98 +++++++++++++++++++++++++++++++++++++++++++++++------ src/settings.cfg | 4 ++ 2 files changed, 91 insertions(+), 11 deletions(-) diff --git a/src/cli/wizard.py b/src/cli/wizard.py index 08e9d0b..31f2f70 100644 --- a/src/cli/wizard.py +++ b/src/cli/wizard.py @@ -24,7 +24,7 @@ TORRC_TEMPLATE = "resources/torrcTemplate.txt" RelayType = enum.Enum("RESUME", "RELAY", "EXIT", "BRIDGE", "CLIENT") # all options that can be configured -Options = enum.Enum("DIVIDER", "CONTROL", "NICKNAME", "CONTACT", "NOTIFY", "BANDWIDTH", "LIMIT", "CLIENT", "LOWPORTS", "PORTFORWARD", "STARTUP", "RSHUTDOWN", "CSHUTDOWN", "NOTICE", "POLICY", "WEBSITES", "EMAIL", "IM", "MISC", "PLAINTEXT", "DISTRIBUTE", "BRIDGED", "BRIDGE1", "BRIDGE2", "BRIDGE3", "REUSE") +Options = enum.Enum("DIVIDER", "CONTROL", "NICKNAME", "CONTACT", "NOTIFY", "BANDWIDTH", "LIMIT", "CLIENT", "LOWPORTS", "PORTFORWARD", "SYSTEM", "STARTUP", "RSHUTDOWN", "CSHUTDOWN", "NOTICE", "POLICY", "WEBSITES", "EMAIL", "IM", "MISC", "PLAINTEXT", "DISTRIBUTE", "BRIDGED", "BRIDGE1", "BRIDGE2", "BRIDGE3", "REUSE") RelayOptions = {RelayType.RELAY: (Options.NICKNAME, Options.CONTACT, Options.NOTIFY, @@ -34,7 +34,8 @@ RelayOptions = {RelayType.RELAY: (Options.NICKNAME, Options.LOWPORTS, Options.PORTFORWARD, Options.STARTUP, - Options.RSHUTDOWN), + Options.RSHUTDOWN, + Options.SYSTEM), RelayType.EXIT: (Options.NICKNAME, Options.CONTACT, Options.NOTIFY, @@ -45,6 +46,7 @@ RelayOptions = {RelayType.RELAY: (Options.NICKNAME, Options.PORTFORWARD, Options.STARTUP, Options.RSHUTDOWN, + Options.SYSTEM, Options.DIVIDER, Options.NOTICE, Options.POLICY, @@ -60,13 +62,15 @@ RelayOptions = {RelayType.RELAY: (Options.NICKNAME, Options.LOWPORTS, Options.PORTFORWARD, Options.STARTUP, - Options.RSHUTDOWN), + Options.RSHUTDOWN, + Options.SYSTEM), RelayType.CLIENT: (Options.BRIDGED, Options.BRIDGE1, Options.BRIDGE2, Options.BRIDGE3, Options.REUSE, - Options.CSHUTDOWN)} + Options.CSHUTDOWN, + Options.SYSTEM)} # option sets CUSTOM_POLICIES = (Options.WEBSITES, Options.EMAIL, Options.IM, Options.MISC, Options.PLAINTEXT) @@ -95,6 +99,12 @@ VERSION_REQUIREMENTS = {Options.PORTFORWARD: "0.2.3.1-alpha"} TOR_DEFAULTS = {Options.BANDWIDTH: "5 MB", Options.REUSE: "10 minutes"} +# path for the torrc to be placed if replacing the torrc for the system wide +# tor instance +SYSTEM_DROP_PATH = "/var/lib/tor-arm/torrc" +OVERRIDE_SCRIPT = "/usr/share/arm/resources/torrcOverride/override.py" +OVERRIDE_SETUID_SCRIPT = "/usr/bin/torrc-override" + CONFIG = {"wizard.message.role": "", "wizard.message.relay": "", "wizard.message.exit": "", @@ -306,6 +316,13 @@ def showWizard(): if not sysTools.isAvailable("tor-fw-helper"): disabledOpt.append(Options.PORTFORWARD) + # If we haven't run 'resources/torrcOverride/override.py --init' or lack + # permissions then we aren't able to deal with the system wide tor instance. + # Also drop the optoin if we aren't installed since override.py won't be at + # the expected path. + if not os.path.exists(SYSTEM_DROP_PATH) or not os.path.exists(OVERRIDE_SCRIPT): + disabledOpt.append(Options.SYSTEM) + while True: if relayType == None: selection = promptRelayType(relaySelection) @@ -331,16 +348,26 @@ def showWizard(): if confirmationSelection == NEXT: log.log(log.INFO, "Writing torrc to '%s':\n%s" % (torrcLocation, generatedTorrc)) + isSystemReplace = not Options.SYSTEM in disabledOpt and config[Options.SYSTEM].getValue() + if isSystemReplace: torrcLocation = SYSTEM_DROP_PATH + # if the torrc already exists then save it to a _bak file isBackedUp = False if os.path.exists(torrcLocation): - shutil.copy(torrcLocation, torrcLocation + "_bak") - isBackedUp = True + try: + shutil.copy(torrcLocation, torrcLocation + "_bak") + isBackedUp = True + except IOError, exc: + log.log(log.WARN, "Unable to backup the torrc: %s" % exc) # writes the torrc contents - torrcFile = open(torrcLocation, "w") - torrcFile.write(generatedTorrc) - torrcFile.close() + try: + torrcFile = open(torrcLocation, "w") + torrcFile.write(generatedTorrc) + torrcFile.close() + except IOError, exc: + log.log(log.ERR, "Unable to make torrc: %s" % exc) + break # logs where we placed the torrc msg = "Tor configuration placed at '%s'" % torrcLocation @@ -367,7 +394,53 @@ def showWizard(): msg = "Exit notice placed at '%s/index.html'. Some of the sections are specific to US relay operators so please change the \"FIXME\" sections if this is inappropriate." % dst log.log(log.NOTICE, msg) - if manager.isTorrcAvailable(): + runCommand, exitCode = None, 1 + + if isSystemReplace: + # running override.py needs root so... + # - if running as root (bad user, no biscuit!) then run it directly + # - if the setuid binary is available at '/usr/bin/torrc-override' + # then use that + # - attempt sudo in case passwordless sudo is available + # - if all of the above fail then log instructions + + if os.geteuid() == 0: runCommand = OVERRIDE_SCRIPT + elif os.path.exists(OVERRIDE_SETUID_SCRIPT): runCommand = OVERRIDE_SETUID_SCRIPT + else: + # The -n argument to sudo is *supposed* to be available starting + # with 1.7.0 [1] however this is a dirty lie (Ubuntu 9.10 uses + # 1.7.0 and even has the option in its man page, but it doesn't + # work). Instead checking for version 1.7.1. + # + # [1] http://www.sudo.ws/pipermail/sudo-users/2009-January/003889.html + + sudoVersionResult = sysTools.call("sudo -V") + + # version output looks like "Sudo version 1.7.2p7" + if len(sudoVersionResult) == 1 and sudoVersionResult.count(" ") >= 2: + versionNum = 0 + + for comp in sudoVersionResult[0].split(" ")[2].split("."): + if comp and comp[0].isdigit(): + versionNum = (10 * versionNum) + int(comp) + else: + # invalid format + log.log(log.INFO, "Unrecognized sudo version string: %s" % sudoVersionResult[0]) + versionNum = 0 + break + + if versionNum >= 171: + runCommand = "sudo -n %s" % OVERRIDE_SCRIPT + else: + log.log(log.INFO, "Insufficient sudo version for the -n argument") + + if runCommand: exitCode = os.system("%s > /dev/null 2>&1" % runCommand) + + if exitCode != 0: + msg = "Tor needs root permissions to replace the system wide torrc. To continue...\n- open another terminal\n- run \"sudo %s\"\n- press 'x' here to tell tor to reload" % OVERRIDE_SCRIPT + log.log(log.NOTICE, msg) + else: torTools.getConn().reload() + elif manager.isTorrcAvailable(): # If we're connected to a managed instance then just need to # issue a sighup to pick up the new settings. Otherwise starts # a new tor instance. @@ -603,9 +676,12 @@ def getTorrc(relayType, config, disabledOpt): dataDir = cli.controller.getController().getDataDirectory() templateOptions["NOTICE_PATH"] = "%sexitNotice/index.html" % dataDir templateOptions["LOG_ENTRY"] = "notice file %stor_log" % dataDir - templateOptions["DATA_DIR"] = "%stor_data" % dataDir templateOptions["USERNAME"] = getpass.getuser() + # using custom data directory, unless this is for a system wide instance + if not config[Options.SYSTEM].getValue() or Options.SYSTEM in disabledOpt: + templateOptions["DATA_DIR"] = "%stor_data" % dataDir + policyCategories = [] if not config[Options.POLICY].getValue(): policyCategories = ["web", "mail", "im", "misc"] diff --git a/src/settings.cfg b/src/settings.cfg index 750ae9e..9154ed5 100644 --- a/src/settings.cfg +++ b/src/settings.cfg @@ -354,6 +354,7 @@ wizard.toggle Portforward => Enabled, Disabled wizard.toggle Startup => Yes, No wizard.toggle Rshutdown => Yes, No wizard.toggle Cshutdown => Yes, No +wizard.toggle System => Yes, No wizard.toggle Notice => Yes, No wizard.toggle Policy => Custom, Default wizard.toggle Websites => Allow, Block @@ -383,6 +384,7 @@ wizard.default Bandwidth => 5 MB/s wizard.default Startup => true wizard.default Rshutdown => false wizard.default Cshutdown => true +wizard.default System => true wizard.default Client => false wizard.default Lowports => true wizard.default Portforward => true @@ -421,6 +423,7 @@ wizard.label.opt Portforward => Port Forwarding wizard.label.opt Startup => Run At Startup wizard.label.opt Rshutdown => Shutdown With Arm wizard.label.opt Cshutdown => Shutdown With Arm +wizard.label.opt System => Use System Instance wizard.label.opt Notice => Disclaimer Notice wizard.label.opt Policy => Exit Policy wizard.label.opt Websites => Web Browsing @@ -452,6 +455,7 @@ wizard.description.opt Portforward => If needed, attempts NAT traversal using UP wizard.description.opt Startup => Runs Tor in the background when the system starts. wizard.description.opt Rshutdown => When you quit arm the Tor process is stopped thirty seconds later. This delay is so people using you can gracefully switch their circuits. wizard.description.opt Cshutdown => Stops the Tor process when you quit arm. +wizard.description.opt System => Use the system wide tor instance rather than making one of our own. wizard.description.opt Notice => Provides a disclaimer that this is an exit on port 80 (http://www.atagar.com/exitNotice) wizard.description.opt Policy => Ports allowed to exit from your relay. The default policy allows for common services while limiting the chance of getting a DMCA takedown for torrent traffic (http://www.atagar.com/exitPolicy) wizard.description.opt Websites => General Internet browsing including HTTP (80), HTTPS (443), common alternatives (81, 8008), and proxies (3128, 8080)

1 0

[arm/master] fix: avoiding setresuid/gid if unavailable
by atagar＠torproject.org 07 Aug '11

07 Aug '11

commit 4a1604958c6da5862c344f4d7ba6f0e0560daa23 Author: Damian Johnson <atagar(a)torproject.org> Date: Sat Aug 6 15:35:00 2011 -0700 fix: avoiding setresuid/gid if unavailable The os.setresuid and os.setresgid functions are only available in Python 2.7 and later. Arm aims for 2.5 compatability so using os.setreuid/gid if running a prior version. This, unfortunately, means that the saved uid is not reduced which might be a vulnerability - hopefully Jake will know of an alternative if this is a concern. --- src/resources/torrcOverride/override.py | 26 +++++++++++++++++++++++--- 1 files changed, 23 insertions(+), 3 deletions(-) diff --git a/src/resources/torrcOverride/override.py b/src/resources/torrcOverride/override.py index b99ae95..8261eab 100755 --- a/src/resources/torrcOverride/override.py +++ b/src/resources/torrcOverride/override.py @@ -145,6 +145,13 @@ def remove(): print " unsuccessful: %s" % exc def replaceTorrc(): + # TODO: The setresgid and setresuid functions are only available in + # python 2.7 (arm aims for 2.5 compatability). I'm not spotting a method + # for setting the saved user id without it, though. :/ + + majorVersion, minorVersion = sys.version_info[:2] + canSetSavedUid = majorVersion >= 3 or (majorVersion == 2 and minorVersion >= 7) + orig_uid = os.getuid() orig_euid = os.geteuid() @@ -168,7 +175,13 @@ def replaceTorrc(): # drop to the unprivileged group, and lose the rest of the groups os.setgid(dropped_gid) os.setegid(dropped_egid) - os.setresgid(dropped_gid, dropped_egid, dropped_gid) + + if canSetSavedUid: + # only usable in python 2.7 or later + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + else: + os.setregid(dropped_gid, dropped_egid) + os.setgroups([dropped_gid]) # make a tempfile and write out the contents @@ -192,8 +205,15 @@ def replaceTorrc(): # I believe this drops os.setfsuid os.setfsgid stuff # Clear all other supplemental groups for dropped_uid os.setgroups([dropped_gid]) - os.setresgid(dropped_gid, dropped_egid, dropped_gid) - os.setresuid(dropped_uid, dropped_euid, dropped_uid) + + if canSetSavedUid: + # only usable in python 2.7 or later + os.setresgid(dropped_gid, dropped_egid, dropped_gid) + os.setresuid(dropped_uid, dropped_euid, dropped_uid) + else: + os.setregid(dropped_gid, dropped_egid) + os.setreuid(dropped_uid, dropped_euid) + os.setgid(dropped_gid) os.setegid(dropped_egid) os.setuid(dropped_uid)

1 0