commit 68114ca52cbed0b7970a60717be4ca22ffdc5d00 Merge: f634228 f79a75f Author: Nick Mathewson nickm@torproject.org Date: Thu Nov 24 23:38:32 2011 -0500
Merge remote-tracking branch 'ioerror/DisableDebuggerAttachment'
Conflicts: src/or/config.c
changes/disable_debugger_attachment | 14 ++++++++ doc/tor.1.txt | 14 ++++++++ src/or/config.c | 57 +++++++++++++++++++++++++++++++++++ src/or/or.h | 2 + 4 files changed, 87 insertions(+), 0 deletions(-)
diff --cc src/or/config.c
index ef9e4ec,5a153b0..b8ff6e8
--- a/src/or/config.c
+++ b/src/or/config.c
@@@ -42,9 -40,14 +42,17 @@@
#include "procmon.h"
+/* From main.c */ +extern int quiet_level; + + /* Includes for the process attaching prevention */ + #if defined(HAVE_SYS_PRCTL_H) && defined(__linux__) + #include <sys/prctl.h> + #elif defined(__APPLE__) + #include <sys/types.h> + #include <sys/ptrace.h> + #endif + /** Enumeration of types which option values can take */ typedef enum config_type_t { CONFIG_TYPE_STRING = 0, /**< An arbitrary string. */ @@@ -246,8 -246,9 +254,9 @@@ static config_var_t _option_vars[] = V(DirReqStatistics, BOOL, "1"), VAR("DirServer", LINELIST, DirServers, NULL), V(DisableAllSwap, BOOL, "0"), + V(DisableDebuggerAttachment, BOOL, "1"), V(DisableIOCP, BOOL, "1"), - V(DNSPort, PORT, "0"), + V(DNSPort, LINELIST, NULL), V(DNSListenAddress, LINELIST, NULL), V(DownloadExtraInfo, BOOL, "0"), V(EnforceDistinctSubnets, BOOL, "1"), @@@ -678,9 -658,50 +687,50 @@@ get_dirportfrontpage(void return global_dirfrontpagecontents; }
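Review bot: The `V(DisableDebuggerAttachment, BOOL, "1")` entry in `_option_vars` turns the protection on by default, and nothing beside it records that on Linux it is implemented with `prctl(PR_SET_DUMPABLE, 0)`, which also stops the kernel from writing core dumps for the process. A short comment such as `/* Default on; on Linux this also disables core dumps (PR_SET_DUMPABLE). */` would help whoever later has to diagnose a crash. The man page change in this commit is not visible here and may already cover it. The `_option_vars` table starts and ends outside the hunk.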
+ /* We only use the linux prctl for now. There is no Win32 support; this may + * also work on various BSD systems and Mac OS X - send testing feedback! + * + * On recent Gnu/Linux kernels it is possible to create a system-wide policy + * that will prevent non-root processes from attaching to other processes + * unless they are the parent process; thus gdb can attach to programs that + * they execute but they cannot attach to other processes running as the same + * user. The system wide policy may be set with the sysctl + * kernel.yama.ptrace_scope or by inspecting /proc/sys/kernel/yama/ptrace_scope + * and it is 1 by default on Ubuntu 11.04. + * + * This ptrace scope will be ignored on Gnu/Linux for users with + * CAP_SYS_PTRACE and so it is very likely that root will still be able to + * attach to the Tor process. + */ + /** Attempt to disable debugger attachment. */ + static int tor_disable_debugger_attach(void) { + int r; + r = -1; + log_debug(LD_CONFIG, + "Attemping to disable debugger attachment to Tor for unprivileged users."); + #if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL) + #ifdef PR_SET_DUMPABLE + r = prctl(PR_SET_DUMPABLE, 0); + #endif + #endif + #if defined(__APPLE__) && defined(PT_DENY_ATTACH) + r = ptrace(PT_DENY_ATTACH, 0, 0, 0); + #endif + + // XXX: TODO - Mac OS X has dtrace and this may be disabled - implement it here + // XXX: TODO - Windows probably has something similar - implement it here + if (r == 0) { + log_debug(LD_CONFIG,"Debugger attachment disabled for unprivileged users."); + } else { + log_warn(LD_CONFIG, "Unable to disable ptrace attach: %s", + strerror(errno)); + } + return r; + } + /** Allocate an empty configuration object of a given format type. 
*/ static void * -config_alloc(config_format_t *fmt) +config_alloc(const config_format_t *fmt) { void *opts = tor_malloc_zero(fmt->size); *(uint32_t*)STRUCT_VAR_P(opts, fmt->magic_offset) = fmt->magic; @@@ -1277,15 -1238,20 +1327,22 @@@ get_effective_bwburst(const or_options_ * here yet. Some is still in do_hup() and other places. */ static int -options_act(or_options_t *old_options) +options_act(const or_options_t *old_options) { config_line_t *cl; - or_options_t *options = get_options(); + or_options_t *options = get_options_mutable(); int running_tor = options->command == CMD_RUN_TOR; char *msg; + const int transition_affects_workers = + old_options && options_transition_affects_workers(old_options, options);
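Review bot: On a build where neither the Linux nor the Apple branch is compiled in, `r` keeps its initial -1 in tor_disable_debugger_attach(), so the function logs "Unable to disable ptrace attach" with whatever stale value `errno` holds, although no call was attempted. Because the option defaults to on, every unsupported platform would emit this misleading warning at startup. Tracking whether a call was actually made and logging the unsupported case separately, as sketched below, keeps the warning meaningful for real failures. Separately, the debug string `"Attemping to disable ..."` has a typo and should read "Attempting".

```c
static int tor_disable_debugger_attach(void) {
  int r = -1;
  int attempted = 0;
  /* … unchanged: log_debug announcing the attempt, Linux guard … */
  attempted = 1;
  r = prctl(PR_SET_DUMPABLE, 0);
  /* … unchanged: #endif lines, __APPLE__ guard … */
  attempted = 1;
  r = ptrace(PT_DENY_ATTACH, 0, 0, 0);
  /* … unchanged: #endif, XXX TODO comments, success branch … */
  } else if (attempted) {
    log_warn(LD_CONFIG, "Unable to disable ptrace attach: %s",
             strerror(errno));
  } else {
    log_info(LD_CONFIG, "Debugger attachment prevention is not "
             "implemented on this platform.");
  }
  return r;
}
```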
+ /* disable ptrace and later, other basic debugging techniques */ + if (options->DisableDebuggerAttachment) { + tor_disable_debugger_attach(); + } else { + log_notice(LD_CONFIG,"Debugger attachment enabled for unprivileged users."); + } + if (running_tor && !have_lockfile()) { if (try_locking(options, 1) < 0) return -1;
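Review bot: The `else` branch in options_act() logs "Debugger attachment enabled for unprivileged users.", but nothing here undoes an earlier `prctl(PR_SET_DUMPABLE, 0)` or `ptrace(PT_DENY_ATTACH, ...)`, so the notice would be wrong if options_act() runs again after the option is switched from 1 to 0. Consider neutral wording such as `log_notice(LD_CONFIG, "Debugger attachment protection not requested.");` and a comment like `/* Not reversed if the option is later cleared. */`, or rejecting a runtime change of this option. On Linux the kernel resets the dumpable flag when the process changes its effective uid or gid, so it is worth confirming that this call runs after any privilege drop; that ordering is not visible in the hunk. The ignored return value of tor_disable_debugger_attach() looks like deliberate best effort and deserves a one-line comment saying so. options_act() continues past the end of the hunk.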