[or-cvs] r16450: {tor} Patch from Christopher Davis: open /dev/pf before dropping p (in tor/trunk: . src/or)

nickm at seul.org
Wed Aug 6 16:32:17 UTC 2008


Author: nickm
Date: 2008-08-06 12:32:17 -0400 (Wed, 06 Aug 2008)
New Revision: 16450

Modified:
   tor/trunk/
   tor/trunk/ChangeLog
   tor/trunk/src/or/config.c
   tor/trunk/src/or/connection_edge.c
   tor/trunk/src/or/or.h
Log:
 r17664 at tombo:  nickm | 2008-08-06 12:32:09 -0400
 Patch from Christopher Davis: open /dev/pf before dropping privileges.  Fixes bug 782.  Backport candidate.



Property changes on: tor/trunk
___________________________________________________________________
 svk:merge ticket from /tor/trunk [r17664] on 49666b30-7950-49c5-bedf-9dc8f3168102

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2008-08-06 16:22:35 UTC (rev 16449)
+++ tor/trunk/ChangeLog	2008-08-06 16:32:17 UTC (rev 16450)
@@ -7,6 +7,10 @@
   o Minor bugfixes:
     - Recover 3-7 bytes that were wasted per memory chunk.  Fixes bug
       794; bug spotted by rovv.  Bugfix on 0.2.0.1-alpha.
+    - When using the TransPort option on OpenBSD, and using the User
+      option to change UID and drop privileges, make sure to open
+      /dev/pf before dropping privileges.  Fixes bug 782.  Patch from
+      Christopher Davis.  Bugfix on 0.1.2.1-alpha.
 
 
 Changes in version 0.2.1.4-alpha - 2008-08-04
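Review bot: The entry says "on OpenBSD", but the new code in config.c is gated on HAVE_NET_IF_H and HAVE_NET_PFVAR_H, so it applies to any platform with pf headers, not only OpenBSD. Consider wording it as "on systems using pf for transparent proxying" so the note matches what the build actually enables.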

Modified: tor/trunk/src/or/config.c
===================================================================
--- tor/trunk/src/or/config.c	2008-08-06 16:22:35 UTC (rev 16449)
+++ tor/trunk/src/or/config.c	2008-08-06 16:32:17 UTC (rev 16450)
@@ -1059,6 +1059,16 @@
     }
   }
 
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+  /* Open /dev/pf before dropping privileges. */
+  if (options->TransPort) {
+    if (get_pf_socket() < 0) {
+      *msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
+      goto rollback;
+    }
+  }
+#endif
+
   /* Setuid/setgid as appropriate */
   if (options->User || options->Group) {
     /* XXXX021 We should only do this the first time through, not on
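Review bot: The failure message in the `get_pf_socket() < 0` branch drops the reason for the failure; since the XXXX021 comment below notes this block runs on every pass through options_act, a later reload that turns on TransPort after privileges were already dropped will fail here with no hint that it is a permissions problem. Suggest including the errno text, e.g. `tor_asprintf`-style "Unable to open /dev/pf for transparent proxy: %s" with `strerror(errno)`, so the operator can tell "device missing" from "already dropped privileges". Also, this block is guarded by `HAVE_NET_IF_H && HAVE_NET_PFVAR_H` while the definition in connection_edge.c sits under `#ifdef TRANS_PF`; if the two conditions ever diverge the call becomes an undefined reference, so both sites should use the same macro.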

Modified: tor/trunk/src/or/connection_edge.c
===================================================================
--- tor/trunk/src/or/connection_edge.c	2008-08-06 16:22:35 UTC (rev 16449)
+++ tor/trunk/src/or/connection_edge.c	2008-08-06 16:32:17 UTC (rev 16450)
@@ -1653,11 +1653,11 @@
 
 #ifdef TRANS_PF
 static int pf_socket = -1;
-static int
+int
 get_pf_socket(void)
 {
   int pf;
-  /*  Ideally, this should be opened before dropping privs. */
+  /*  This should be opened before dropping privs. */
   if (pf_socket >= 0)
     return pf_socket;
 
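Review bot: get_pf_socket() is now part of the module's public interface (called from config.c) but has no doc comment; add one stating that it opens /dev/pf on first use, caches the descriptor in the static `pf_socket`, returns it on success and -1 on failure, and must be called before privileges are dropped. Minor style point: the updated comment keeps the double space after `/*` from the old line.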

Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h	2008-08-06 16:22:35 UTC (rev 16449)
+++ tor/trunk/src/or/or.h	2008-08-06 16:32:17 UTC (rev 16450)
@@ -2937,6 +2937,10 @@
 } hostname_type_t;
 hostname_type_t parse_extended_hostname(char *address);
 
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+
 /********************************* connection_or.c ***************************/
 
 void connection_or_remove_from_identity_map(or_connection_t *conn);
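Review bot: The prototype is guarded by `defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)` while the definition it declares lives under `#ifdef TRANS_PF` in connection_edge.c. Rather than repeating the two-header test in or.h and config.c, define TRANS_PF once here (or in the build headers) from those HAVE_ macros and use `#ifdef TRANS_PF` at all three sites, so the declaration, definition and caller cannot get out of step.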


