[tor-bugs] #8195 [Tor]: tor and capabilities
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 11 20:12:55 UTC 2014
#8195: tor and capabilities
-----------------------------+--------------------------------
Reporter: weasel | Owner:
Type: enhancement | Status: needs_revision
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: tor-relay security
Actual Points: | Parent ID:
Points: |
-----------------------------+--------------------------------
Comment (by dgoulet):
Here is a "testing plan" to test capabilities in Tor.
As far as it's been investigated, Tor seems to need the NET_BIND_SERVICE
and CHOWN capabilities to work. Pluggable transport spawned could be an
issue here for missing capabilities but that would require individual
testing with each supported PT.
The needed test would require root privileges (UID = 0). The target here
is to test for each capabilities that we are interested in before setting
it and after to ensure that it has been applied correctly.
Furthermore, for setuid(), Tor needs briefly the SETUID/SETGID
capabilities thus this must be tested also with the current
implementation.
*) List capabilities
1) List default capabilities and keep aside the list.
2) Set capabilities PRE setuid()
3) Match capabilities by listing the three sets (Effective, Permitted
and Inheritable) and make sure we only have what's been set prior in the
PRE step vis-a-vis the default cap. list.
4) Set capabilities POST setuid()
5) Match capabilities by listing the three sets (Effective, Permitted
and Inheritable) and make sure we only have what's been set prior in the
POST step vis-a-vis the default cap. list.
*) Bind privileged port with a unprivileged user.
1) Use bind() and make sure we are *unable* to do it expecting an EPERM.
2) Set capabilities PRE setuid()
3) setuid() to unpriv. user.
4) Set capabilities POST setuid()
5) Bind to privilege port and expect SUCCESS.
*) Chown file
1) Create 2 temporary file (A and B) with root:root and 660
2) Try to chown the A file to user:root, expect SUCCESS
3) Set capabilities PRE setuid()
4) setuid() to unpriv. user.
5) Set capabilities POST setuid()
6) Chown the B file to user:root expect EPERM
7) Chown the A file to user:user expert SUCCESS
(This capability needs to be confirmed if really needed.)
*) Setuid
1) Set PRE setuid() capabilities
2) Setuid() to unpriv user, expect SUCCESS
3) Set POST setuid() capabilities
4) Setuid() to unpriv *other* user, expect EPERM
*) Inheritance of capabilities for PT
1) Set Tor capabilities
2) fork() + execve()
3) List capabilities in the new process and make sure they match the
expected once which should be NET BIND SERVICE and CHOWN for now.
4) Do bind + chown test inside the new process (see tests above).
*) Confirm that we don't have default capabilities enabled or some
privileged one.
1) Create a fifo file (CAP_MKNOD). That should be enable by default.
expect SUCCESS.
2) Create INET raw socket (CAP_NET_RAW), expect EPERM
3) Set Tor capabilities
4) Repeat fifo creation attempt, expect EPERM
5) Repeat raw socket, expect EPERM.
Quick draft for now on where I'm heading. Not sure yet how I can integrate
that in the Tor tests repostiory especially with root but at least there
is a basic plan now.
Nothing final here so please improve and add ideas! :)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8195#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list