[tor-bugs] #17562 [Tor]: DataDirectory permissions are too restrictive when using CapabilityBoundingSet or SELinux
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Nov 13 16:01:28 UTC 2015
#17562: DataDirectory permissions are too restrictive when using
CapabilityBoundingSet or SELinux
------------------------+------------------------------------
Reporter: jamielinux | Owner:
Type: defect | Status: needs_review
Priority: Medium | Milestone: Tor: 0.2.8.x-final
Component: Tor | Version: Tor: unspecified
Severity: Normal | Resolution:
Keywords: tor-core | Actual Points:
Parent ID: | Points:
Sponsor: |
------------------------+------------------------------------
Comment (by jamielinux):
I've also realised that CAP_CHOWN and CAP_FOWNER are required (or the
equivalent SELinux capabilities chown and fowner) if creating a
ControlSocket.
The parent directory for the socket (eg, /var/run/tor) must only be
writable by the default GID. However, Tor tries to create the Unix socket
before dropping root permissions and so the root user is trying to
chown/chmod files that it doesn't have access to.
What do you think about this third patch to fix this issue? It seems to
work, but I'll admit I don't know what the repercussions may be or whether
I've broken something else.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17562#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list