commit 847e001d288b7d02d589d8df699e84d4d6d363b6
Author: Yawning Angel <yawning@schwanenlied.me>
Date:   Fri Sep 30 18:43:31 2016 +0000
Bug 20261: Disable IsolateClientAddr on AF_LOCAL SocksPorts.
The client addr is essentially meaningless in this context (yes, it is possible to explicitly `bind()` AF_LOCAL client side sockets to a path, but no one does it, and there are better ways to grant that sort of feature if people want it like using `SO_PASSCRED`).
---
 changes/bug20261 | 4 ++++
 doc/tor.1.txt    | 5 +++--
 src/or/config.c  | 7 +++++++
 3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/changes/bug20261 b/changes/bug20261 new file mode 100644 index 0000000..dfdd159 --- /dev/null +++ b/changes/bug20261 @@ -0,0 +1,4 @@ + o Minor bugfixes (client, unix domain sockets): + - Disable IsolateClientAddr when using AF_UNIX backed SocksPorts + as the client address is meaningless. Fixes bug 20261; bugfix on + 0.2.6.3-alpha. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 2e73b27..330f0c1 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1046,8 +1046,9 @@ The following options are useful only for clients (that is, if another. Recognized isolation flags are: **IsolateClientAddr**;; Don't share circuits with streams from a different - client address. (On by default and strongly recommended; - you can disable it with **NoIsolateClientAddr**.) + client address. (On by default and strongly recommended when + supported; you can disable it with **NoIsolateClientAddr**. + Unsupported and force-disabled when using Unix domain sockets.) **IsolateSOCKSAuth**;; Don't share circuits with streams for which different SOCKS authentication was provided. (On by default; diff --git a/src/or/config.c b/src/or/config.c index 18cbe34..93e753b 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -6838,6 +6838,13 @@ parse_port_config(smartlist_t *out, goto err; }
+ if (unix_socket_path && (isolation & ISO_CLIENTADDR)) { + /* `IsolateClientAddr` is nonsensical in the context of AF_LOCAL. + * just silently remove the isolation flag. + */ + isolation &= ~ISO_CLIENTADDR; + } + if (out && port) { size_t namelen = unix_socket_path ? strlen(unix_socket_path) : 0; port_cfg_t *cfg = port_cfg_new(namelen);
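Review bot: in the doc/tor.1.txt hunk, the added sentence "Unsupported and force-disabled when using Unix domain sockets." does not tell the operator whether writing **IsolateClientAddr** explicitly on a Unix-domain SocksPort is rejected, warned about, or ignored; the src/or/config.c hunk in this same commit drops the flag with no log message, so suggest saying so, e.g. "Unsupported and silently disabled when using Unix domain sockets.", so nobody waits for a warning that never comes.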
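Review bot: in the src/or/config.c hunk, the new block in parse_port_config() clears ISO_CLIENTADDR with no diagnostic at all. That is the right default behaviour, since the man page hunk says the flag is on by default and every unix: SocksPort would otherwise carry it, but the test `isolation & ISO_CLIENTADDR` cannot tell the default from an operator who wrote IsolateClientAddr on purpose, so a log_info() inside the branch ("IsolateClientAddr ignored on Unix domain socket SocksPort") would let that misconfiguration show up in the logs without being noisy for the common case. Minor style point: the second sentence of the comment starts lowercase ("just silently remove the isolation flag."); capitalise it to match the surrounding comment style.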