Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?

Hi,

tor will fail to startup with the current systemd service file [1] if your torrc makes use of the ControlSocket feature.

To work around the issue one has to additionally allow the following capabilities:

CAP_DAC_OVERRIDE
CAP_CHOWN

since the socket file is created as root and then changed to the tor user (chown).

Is it possible to change this to not require CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?

thanks,
Nusenu

[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26

On Sun, 12 Apr 2015 12:46:26 +0000 Nusenu <nusenu@openmailbox.org> wrote:
> tor will fail to startup with the current systemd service file [1] if your torrc makes use of the ControlSocket feature.
> To work around the issue one has to additionally allow the following capabilities: CAP_DAC_OVERRIDE CAP_CHOWN since the socket file is created as root and then changed to the tor user (chown).
> Is it possible to change this to not require CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?

I bet using the AF_UNIX SocksPort stuff will break as well, since the code is common. All of the listeners are launched before switching uid/gid and dropping privileges since it's common code.

The way to fix this would be to change retry_listener_ports and retry_all_listeners code to additionally allow only launching service ports (< 1024), and staging the listener launch process on config (re)load to something that looks like:

1. Launch listeners that require elevated privileges (CAP_NET_BIND_SERVICE).
2. Drop privileges and switch the uid/gid.
3. Launch the rest of the listeners, including all of the AF_UNIX based ones (as the runtime tor user, so neither privilege is required).

Patches accepted.

-- 
Yawning Angel
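The three-phase launch sketched in the reply, written out as an added example (not tor's code; the function names, the loopback bind and the socket path are illustrative). The point it shows is that an AF_UNIX bind() performed after the uid switch creates the socket file already owned by the runtime user, so neither CAP_CHOWN nor CAP_DAC_OVERRIDE is needed:

```c
/* Staged listener launch: privileged TCP ports as root, then switch to the
 * runtime uid/gid, then AF_UNIX listeners as that user. Added example. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Phase 1 (still root): TCP listener on 127.0.0.1:port. Ports below 1024
 * need CAP_NET_BIND_SERVICE. Returns the listening fd, or -1 on failure. */
int launch_tcp_listener(in_port_t port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* Phase 2: groups, gid, then uid (setuid() last, since it gives up the right
 * to setgid()). No-op when already the target user. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() != 0)
        return (getuid() == uid && getgid() == gid) ? 0 : -1;
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0; /* regaining root must fail */
}

/* Phase 3 (as the runtime user): AF_UNIX listener at path. bind() creates the
 * socket file with the caller's uid, so no chown() and no extra capability. */
int launch_unix_listener(const char *path) {
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    if (strlen(path) >= sizeof sa.sun_path) return -1;
    strcpy(sa.sun_path, path);
    unlink(path); /* remove a stale socket file left by a previous run */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) { close(fd); return -1; }
    return fd;
}

/* Check phase 3's result: the socket file exists and is owned by the current user. */
int socket_owned_by_self(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISSOCK(st.st_mode) && st.st_uid == geteuid();
}
```

Run unprivileged, phase 2 is a no-op and phase 3 still yields a socket owned by the caller; run as root it is the same sequence the systemd unit would otherwise need CAP_CHOWN for.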

Thanks for the reply, I added a trac entry: https://bugs.torproject.org/15659