OpenBSD: tor rc script: don't kill unrelated tor instances (patch)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Pascal, what do you think of changing OpenBSD's tor rc script to require perfect process matches when sending signals to them instead of the current "kill everything that starts with..." approach? I've put tor-relays on CC so people can speak up if this change is not desired or breaks anyone's environment - I believe it fixes them. Problem: /etc/rc.d/tor stop might kill all (including unrelated) tor instances instead of the intended daemon only. /etc/rc.d/tor start might never start the intended daemon if another tor instance is already running (rc_check believes tor is already running). /etc/rc.d/tor restart might kill all tor instances and starts only one. references: http://article.gmane.org/gmane.os.openbsd.misc/222896 One line "patch" for /etc/rc.d/tor to address this issue: (tested with and without custom daemon_flags) 8a9,10
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}$"
(this line is a complete copy from rc.subr with the addition of one char: $ ) thanks, nusenu https://github.com/nusenu/ansible-relayor/issues/40 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJViSx3AAoJEFv7XvVCELh0y8UQAJgb6JVbKde/xf79YJJr8LW1 t+Rji8A5zZ9VsjcW4Pguf/OZsQEN3MEIkjzTM3kw0q9S8CPnDbF3IYOaZj4ewYkX 8OoNmHfFbcQCC0YCJBlbUJMBtNJqi8pg7qRY4o+qY9KKa9ekUhPer7kzUt4N1A+T an4z44lh3ytAcehyFxo6hpDGZHHGGsACEIql9Rav6v+DPCBSJnCZsmlT0OeTeV5k 5WEy9nTVzdkX4mKs1xXv8YJFggCrb1uur3q91/5ZGhpKADfRj6T+1i/9622Bcki9 17ADc4ZI73dP3ZelKvpZ+FXhaiZLn6tugdj2dcqnXU8Zras6jKToupFi2nB8xfTV f70qSdkMP6WOJReCP+KTAGHiCkapyoc9V+8569iZIjUXuD7GbbSpP6I1rOoqSLYH rao6WpqHVfSMQ5jCaECHBbZY62qBhHH83B/um3nG+WXvvWDPpzjkbEx56RxH3UUo yZ4naGenbxQzCXsGXhEOAmUkJjSmW+Hw75EyObBLAp00+Q8zAXkHnFOqRGbRuxdl IKqAYsfGNLr7kPBvz9pxfnOJMfyIBDQ2P2WNyKXvYLME3wKbYMazVxd7cXzmAV5g QthMuFJ/JhWYI9Lb1U+IQq7LOX+pEWU6u/L2xqjTDj7VMn4UF1WZ6UHhnaLMAotZ lfiTKPnopA62t+X05ztR =ysgm -----END PGP SIGNATURE-----
nusenu <nusenu@openmailbox.org> wrote:
what do you think of changing OpenBSD's tor rc script to require perfect process matches when sending signals to them instead of the current "kill everything that starts with..." approach?
I've put tor-relays on CC so people can speak up if this change is not desired or breaks anyone's environment - I believe it fixes them.
While I don't use the OpenBSD port, I think using the --PidFile option would be more reliable. It's already used by the FreeBSD port and works as expected.
One line "patch" for /etc/rc.d/tor to address this issue: (tested with and without custom daemon_flags)
8a9,10
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}$"
Did you test with custom flags like "--+Log ${tor_loglevel} file ${tor_logfile}"? I suspect that the "+" and similar characters will make problems. Fabian
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
what do you think of changing OpenBSD's tor rc script to require perfect process matches when sending signals to them instead of the current "kill everything that starts with..." approach?
I've put tor-relays on CC so people can speak up if this change is not desired or breaks anyone's environment - I believe it fixes them.
While I don't use the OpenBSD port, I think using the --PidFile option would be more reliable. It's already used by the FreeBSD port and works as expected.
I'm certainly not aiming to change rc.subr's design ;) (and finding the pidfile in a generic way is also probably non trivial)
One line "patch" for /etc/rc.d/tor to address this issue: (tested with and without custom daemon_flags)
8a9,10
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}$"
Did you test with custom flags like "--+Log ${tor_loglevel} file ${tor_logfile}"?
This should read "--Log" no? - From tor's man page:
Other options can be specified on the command-line in the format "--option value", in the format "option value", or in a configuration file.
-----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJViTeWAAoJEFv7XvVCELh0ExEP/22liNw0Y5S2k2jhjIIfB3RT J9hhfY41DZroRX+ayHQ6c5STCtivmC/+InQS9iiCc829GA7/ZVjHeZuVn6Y2lGEr egFUntwzqGnDuxpeUAd32bvjwsZSQFon99yZCcOHVeiEgI8I5N3u/7zNKw9HxI8J JpRps3AVCz782ttX5NES2KVYJEsCSbYaaCogG/KDK4wqQw3G+N3ubiwP/bcZlJAn 3Oy4cpRW8LTMktlKaV/2kd+rRqb8BjxXlfBUPP5DfSFk+RL8sEN8WFPgNADjkxxR vvqtSu+34XCOPFW1OT8f/GADCveBueuY2/VmXjc0SWcExU1ALVKlAPjfLV1PVIBI 4uK4WaDld/YZVPtYQGrs4Cg+yAsS6VQW6oLgWf/MEFQe2c0Ou6eHSk1QAyrx7z1u YK/ULPPVNo7HBbwhmgLYNDyIUFhQpKQtBa4cL9LxwJ1kBDBJzpSXxhCEFDolfjvO avXLjdno8A5F0zjFOj0XxSoHCDIIcOrR3KCb2zWxsK7NGwkcuZNYV89+0+TnqhPd /8J3Z2ii6d0dTMeqtWkBeZTkq01OfuucNoXSVKycrawgGKhagBq0V1rTGENMBYVB JQWqYbYlHq7Juke3MU+O5vHRm34Lv4UPJX2Aw0mltCI3yTIHWH69taZvaAwD86JK q6wXv7RmOTLqtAN795va =6Igm -----END PGP SIGNATURE-----
nusenu <nusenu@openmailbox.org> wrote:
One line "patch" for /etc/rc.d/tor to address this issue: (tested with and without custom daemon_flags)
8a9,10
pexp="${daemon}${daemon_flags:+ ${daemon_flags}}$"
Did you test with custom flags like "--+Log ${tor_loglevel} file ${tor_logfile}"?
This should read "--Log" no?
While I prefer using neither "--Log" nor "--+Log", the latter is valid syntax and used in the real world: https://svnweb.freebsd.org/ports/head/security/tor-devel/files/tor.in?view=m... For details see: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=167482 In the ElectroBSD version of the port I recently went with the mentioned "specify all log files in the torrc" strategy ...
- From tor's man page:
Other options can be specified on the command-line in the format "--option value", in the format "option value", or in a configuration file.
Looks like the man page is incomplete. Fabian
On Tue, Jun 23, 2015 at 01:09:07PM +0200, Fabian Keil wrote:
In the ElectroBSD version of the port I recently went with the mentioned "specify all log files in the torrc" strategy ...
You might also enjoy the --defaults-torrc option, which you can use for giving Tor new defaults while still letting the user have her own torrc file. (Debian used to patch src/or/config.c before building, but now they don't have to because of the defaults-torrc file. Tor Browser now uses it too.) --Roger
The underlying problem has been fixed in rc.subr and no longer requires rc script customization to get a sane behavior by default. http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/etc/rc.d/rc.subr?rev=1.99&conte...
participants (3)
-
Fabian Keil -
nusenu -
Roger Dingledine