commit d03ab856ed770a8a7f925648f3ebd23f3e7e46c8 Author: Shawn Landden shawn@churchofgit.com Date: Wed Dec 2 02:24:29 2015 -0800
Detect capabilities in torsocks wrapper
In addition to trying to detect them in the torsocks library, we also check for capabilities in the torsocks wrapper.
Signed-off-by: Shawn Landden shawn@churchofgit.com
Signed-off-by: David Goulet dgoulet@ev0ke.net
---
 src/bin/torsocks.in | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/bin/torsocks.in b/src/bin/torsocks.in
index 2a459b3..5102fdc 100644
--- a/src/bin/torsocks.in
+++ b/src/bin/torsocks.in
@@ -96,21 +96,36 @@ tor_shell ()
 torify_app ()
 {
 local app_path=`which $1`
-
- # NEVER remove that line or else nothing it torified.
- set_ld_preload
+ local getcap=`PATH="$PATH:/usr/sbin:/sbin" which getcap`
+ local caps=
 
 if [ -z $1 ]; then
 echo "Please provide an application to torify." >&2
 elif [ -z $app_path ]; then
 echo "ERROR: $1 cannot be found." >&2
 exit 1
- elif [ -u $app_path ]; then
+ fi
+
+ # This must be before torifying because getcap uses cap_get_file(3)
+ # via syscall(2) which breaks torsocks.
+ if [ -n $getcap ]; then
+ caps=`$getcap $app_path`
+ fi
+
+ # NEVER remove that line or else nothing it torified.
+ set_ld_preload
+
+ if [ -u $app_path ]; then
 echo "ERROR: $1 is setuid. torsocks will not work on a setuid executable." >&2
 exit 1
 elif [ -g $app_path ]; then
 echo "ERROR: $1 is setgid. torsocks will not work on a setgid executable." >&2
 exit 1
+ elif [ -n "$caps" ]; then
+ echo "ERROR: $1 gains the following elevated capabilities. torsocks will \
+not work with privledged executables.
+$caps" >&2
+ exit 1
 fi
 
 exec "$@"
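Review bot: The added guard `if [ -n $getcap ]; then` is always true: when getcap is not installed the unquoted expansion leaves `[ -n ]`, a one-argument test that succeeds. The command substitution on the next line then expands to the target program alone and runs it with no arguments before `set_ld_preload`, that is, outside torsocks, and anything it prints is reported as capabilities. Quote both expansions, `if [ -n "$getcap" ]; then` and `caps=$("$getcap" "$app_path")`. With the guard fixed, a missing getcap skips the capability check silently, so a one-line warning on stderr in that case would tell the user the check did not run. The closing brace of torify_app lies outside the hunk.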