[tor-bugs] #32756 [Core Tor/Tor]: SocksPolicy has no way to refer to AF_UNIX sockets
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Dec 14 23:41:32 UTC 2019
#32756: SocksPolicy has no way to refer to AF_UNIX sockets
------------------------------+--------------------
Reporter: arma | Owner: (none)
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+--------------------
Imagine you set your torrc to say
{{{
SOCKSPort 0.0.0.0:9050 PreferSOCKSNoAuth IsolateSOCKSAuth
KeepAliveIsolateSOCKSAuth IsolateClientAddr IPv6Traffic CacheDNS
CacheIPv4DNS UseIPv4Cache UseDNSCache
+SOCKSPort unix:/run/tor/socks GroupWritable WorldWritable
RelaxDirModeCheck CacheDNS CacheIPv4DNS UseIPv4Cache UseDNSCache
SOCKSPolicy accept 10.0.0.0/8
SOCKSPolicy accept 127.0.0.0/8
SOCKSPolicy accept 169.254.0.0/16
SOCKSPolicy accept 172.0.0.0/8
SOCKSPolicy accept 192.168.0.0/8
SOCKSPolicy accept 192.168.192.0/24
SOCKSPolicy reject *
}}}
and then you try to make a connection to your local socks socket. You'll
get
{{{
[notice] {APP} Denying socks connection from untrusted address AF_UNIX.
}}}
I think that happens because of the final "reject *" item in the
sockspolicy.
How should this person write "and I want to allow connections to the socks
socket too" in their sockspolicy?
A workaround in the meantime was to write "SocksPolicy reject *4" at the
end rather than *. But it seems like being able to explicitly refer to
AF_UNIX would be a good feature to have. Maybe "SocksPolicy accept unix"
is the right syntax?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32756>
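To make the denial concrete, here is an added model (not tor's code) of how a SocksPolicy list is applied to a client: the bare `*` wildcard matches every address family, so an AF_UNIX client falls through to the ticket's `reject *`, while `*4` matches only IPv4 clients. It assumes the first matching rule wins and that an unmatched client is accepted, which is what the `reject *4` workaround in the ticket implies.

```python
import ipaddress

# Sentinel for a client that arrived over the unix: SocksPort; the ticket's
# log line shows tor reporting such a client's address as "AF_UNIX".
AF_UNIX = "AF_UNIX"

# The SocksPolicy lines from the ticket's torrc (constructed copy).
TICKET_TORRC = [
    "SOCKSPolicy accept 10.0.0.0/8",
    "SOCKSPolicy accept 127.0.0.0/8",
    "SOCKSPolicy accept 169.254.0.0/16",
    "SOCKSPolicy accept 172.0.0.0/8",
    "SOCKSPolicy accept 192.168.0.0/8",
    "SOCKSPolicy accept 192.168.192.0/24",
    "SOCKSPolicy reject *",
]

def parse_policy(torrc_lines):
    """Turn 'SocksPolicy accept|reject <pattern>' lines into (action, pattern)."""
    rules = []
    for line in torrc_lines:
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "sockspolicy":
            rules.append((parts[1].lower(), parts[2]))
    return rules

def pattern_matches(pattern, client):
    """Modelled matching (assumption): '*' matches any client, '*4'/'*6'
    only that IP family, a CIDR only an IP inside it. An AF_UNIX client
    therefore can only ever match the bare '*' wildcard."""
    if pattern == "*":
        return True
    if client == AF_UNIX:
        return False
    ip = ipaddress.ip_address(client)
    if pattern == "*4":
        return ip.version == 4
    if pattern == "*6":
        return ip.version == 6
    net = ipaddress.ip_network(pattern, strict=False)
    return ip.version == net.version and ip in net

def socks_policy_permits(rules, client):
    """First matching rule decides; no match means accept (assumed default)."""
    for action, pattern in rules:
        if pattern_matches(pattern, client):
            return action == "accept"
    return True

if __name__ == "__main__":
    policy = parse_policy(TICKET_TORRC)
    workaround = policy[:-1] + [("reject", "*4")]
    print("reject *  -> AF_UNIX permitted:", socks_policy_permits(policy, AF_UNIX))
    print("reject *4 -> AF_UNIX permitted:", socks_policy_permits(workaround, AF_UNIX))
```

Under this model the `*4` workaround leaves every non-IPv4 client unmatched and therefore accepted, not just the unix socket, which is the imprecision an explicit `accept unix` rule would remove.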