[tor-bugs] #27334 [Core Tor/Tor]: RelaxDirModeCheck on ControlSocket still requires group to m

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Aug 27 10:37:09 UTC 2018


#27334: RelaxDirModeCheck on ControlSocket still requires group to m
--------------------------+----------------------------------
 Reporter:  a_p           |          Owner:  (none)
     Type:  defect        |         Status:  reopened
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  easy, doc     |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+----------------------------------

Comment (by teor):

 Replying to [comment:2 a_p]:
 > Isn't that the point of RelaxDirModeCheck to give operators the freedom
 > to allow a group to access the control socket files (of all instances)?

 No, the point of RelaxDirModeCheck is to allow more than one *user* to
 access the control socket files.

 Normally, tor makes sure that the group has no permissions to the
 directory containing the tor socket.
 RelaxDirModeCheck allows the directory to be readable and searchable by
 the group as well.

 > Allowing admins to have the folder group-readable but forcing a specific
 > group makes it hard to authorize a single group to access the sockets of
 > all instances if every instance runs under a unique user/group.

 But you can add another user to the tor group.
 (If you give a single group access to all those directories, then all the
 tor users can access each others' directories. Also, some OSes require the
 user on a directory to be a member of the group on the directory.)

 Here's how RelaxDirModeCheck works:
 1. Create tor users U1, U2, ... with unique groups G1, G2, ...
 2. Create another user X that you want to have access to the control
 sockets
 3. Add X to G1, G2, ...

 We should update the man page to include these steps.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27334#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
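
The following is an added example, not part of the original comment and not Tor's own code. It models the two layouts discussed above (a unique group per tor user with X added to each, versus one shared group on every directory) and lists which users can reach another instance's socket directory. The names GS, SocketDir, can_enter and cross_access and the 0750 directory mode are assumptions made for illustration.

```python
# Added example: models group access to per-instance control socket directories.
# All users, groups and modes below are constructed for illustration.
from dataclasses import dataclass

OWNER_RX = 0o500  # owner read + search
GROUP_RX = 0o050  # group read + search, the access RelaxDirModeCheck permits
OTHER_RX = 0o005  # other read + search


@dataclass(frozen=True)
class SocketDir:
    owner: str  # tor user the instance runs as
    group: str  # group set on the directory
    mode: int   # permission bits of the directory


def can_enter(user, memberships, d):
    """True if `user` may list and traverse `d`, using Unix owner/group/other order."""
    if user == d.owner:
        return d.mode & OWNER_RX == OWNER_RX
    if d.group in memberships.get(user, set()):
        return d.mode & GROUP_RX == GROUP_RX
    return d.mode & OTHER_RX == OTHER_RX


def cross_access(dirs, memberships):
    """Sorted (user, dir_owner) pairs where a user reaches another instance's directory."""
    return sorted((u, d.owner) for u in memberships for d in dirs
                  if u != d.owner and can_enter(u, memberships, d))


# Layout from the three steps: unique group per tor user, X added to every group.
per_instance_dirs = [SocketDir("U1", "G1", 0o750), SocketDir("U2", "G2", 0o750)]
per_instance_members = {"U1": {"G1"}, "U2": {"G2"}, "X": {"G1", "G2"}}

# Alternative from the parenthetical: one shared group (GS) on every directory.
shared_dirs = [SocketDir("U1", "GS", 0o750), SocketDir("U2", "GS", 0o750)]
shared_members = {"U1": {"GS"}, "U2": {"GS"}, "X": {"GS"}}

if __name__ == "__main__":
    print("per-instance groups:", cross_access(per_instance_dirs, per_instance_members))
    print("single shared group:", cross_access(shared_dirs, shared_members))
```

With per-instance groups only X crosses instance boundaries; with the shared group, U1 and U2 can also enter each other's directories.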

