commit 98959f63aca84e605fb98f10d943f2d28d627039 Author: Sebastian Hahn sebastian@torproject.org Date: Thu Dec 8 09:19:09 2011 +0100
Disallow disabling DisableDebuggerAttachment on runnning Tor
Also, have tor_disable_debugger_attach() return a tristate of success/failure/don't-know-how , and only log appropriately. --- doc/tor.1.txt | 4 ++-- src/common/compat.c | 9 +++++---- src/or/config.c | 33 +++++++++++++++++++++++++++------ 3 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 91a7c69..fcc566e 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -282,8 +282,8 @@ Other options can be specified either on the command-line (--option to alter the system wide ptrace scope as it may not even exist. If you wish to attach to Tor with a debugger such as gdb or strace you will want to set this to 0 for the duration of your debugging. Normal users should leave it - on. (Default: 1) - + on. Disabling this option while Tor is running is prohibited. (Default: 1) + **FetchDirInfoEarly** **0**|**1**:: If set to 1, Tor will always fetch directory information like other directory caches, even if you don't meet the normal criteria for fetching diff --git a/src/common/compat.c b/src/common/compat.c index 27e0060..ff9d877 100644 --- a/src/common/compat.c +++ b/src/common/compat.c @@ -1542,8 +1542,8 @@ switch_id(const char *user) * CAP_SYS_PTRACE and so it is very likely that root will still be able to * attach to the Tor process. */ -/** Attempt to disable debugger attachment: return 0 on success, -1 on - * failure. */ +/** Attempt to disable debugger attachment: return 1 on success, -1 on + * failure, and 0 if we don't know how to try on this platform. */ int tor_disable_debugger_attach(void) { @@ -1568,11 +1568,12 @@ tor_disable_debugger_attach(void)
// XXX: TODO - Mac OS X has dtrace and this may be disabled. // XXX: TODO - Windows probably has something similar - if (r == 0) { + if (r == 0 && attempted) { log_debug(LD_CONFIG,"Debugger attachment disabled for " "unprivileged users."); + return 1; } else if (attempted) { - log_warn(LD_CONFIG, "Unable to disable ptrace attach: %s", + log_warn(LD_CONFIG, "Unable to disable debugger attaching: %s", strerror(errno)); } return r; diff --git a/src/or/config.c b/src/or/config.c index 740a9db..b118f30 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1326,12 +1326,26 @@ options_act(const or_options_t *old_options) const int transition_affects_workers = old_options && options_transition_affects_workers(old_options, options);
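Review bot: In `tor_disable_debugger_attach()` (src/common/compat.c) the "don't know how" case still falls through to `return r;`, so it yields 0 only if `r` happens to be initialised to 0, and that initialiser is outside this hunk. The updated doc comment promises 1 / -1 / 0, so each outcome should be returned explicitly rather than depend on the initial value: `if (!attempted) return 0;` ahead of the success test, and `return -1;` after the `log_warn`. That also keeps the failure result at -1 even if a platform call reports failure with some other non-zero value. The function starts before this hunk, so the declaration of `r` and `attempted` should be checked against the new contract.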
- /* disable ptrace and later, other basic debugging techniques */
- if (options->DisableDebuggerAttachment) {
- tor_disable_debugger_attach();
- } else {
- log_notice(LD_CONFIG,"Debugger attachment enabled "
- "for unprivileged users.");
+ /* disable ptrace and later, other basic debugging techniques */
+ {
+ /* Remember if we already disabled debugger attachment */
+ static int disabled_debugger_attach = 0;
+ /* Remember if we already warned about being configured not to disable
+ * debugger attachment */
+ static int warned_debugger_attach = 0;
+ if (options->DisableDebuggerAttachment && !disabled_debugger_attach) {
+ int ok = tor_disable_debugger_attach();
+ if (warned_debugger_attach && ok == 1) {
+ log_notice(LD_CONFIG, "Disabled attaching debuggers for unprivileged "
+ "users.");
+ }
+ disabled_debugger_attach = (ok == 1);
+ } else if (!options->DisableDebuggerAttachment &&
+ !warned_debugger_attach) {
+ log_notice(LD_CONFIG, "Not disabling debugger attaching for "
+ "unprivileged users.");
+ warned_debugger_attach = 1;
+ }
 }
if (running_tor && !have_lockfile()) { @@ -4170,6 +4184,13 @@ options_transition_allowed(const or_options_t *old, return -1; }
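Review bot: In the new block in `options_act()`, the result of `tor_disable_debugger_attach()` is only compared with 1, so the new 0 ("don't know how") return is treated like a failure but, unlike a failure, produces no log line anywhere in this patch. With `DisableDebuggerAttachment` defaulting to 1, an operator on such a platform gets no indication that the process is still attachable. Consider adding `else if (ok == 0) log_info(LD_CONFIG, "Don't know how to disable debugger attachment on this platform.");`. It would need a once-only guard, because this branch is re-entered on every reconfiguration while `disabled_debugger_attach` stays 0. `options_act()` begins and ends outside the hunk.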
+ if (old->DisableDebuggerAttachment && + !new_val->DisableDebuggerAttachment) { + *msg = tor_strdup("While Tor is running, disabling " + "DisableDebuggerAttachment is not allowed."); + return -1; + } + return 0; }
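Review bot: The added test in `options_transition_allowed()` has no comment saying why the 1 -> 0 transition is refused, and it keys on the configured value rather than on whether the disable actually succeeded. Presumably the reason is that `options_act()` never undoes the disable once `disabled_debugger_attach` is set, so accepting the change would leave the configuration claiming a state the process is not in. A comment above the test would record that, e.g. `/* Debugger attachment is never re-enabled at runtime; refuse a config that claims otherwise. */`. Refusing even when the earlier disable failed is the conservative choice, and the comment could say so too. The function body starts outside this hunk.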