[tor-commits] [tor/master] Permit filesystem group to be root
nickm at torproject.org
nickm at torproject.org
Fri Dec 11 01:04:10 UTC 2015
commit 08c7ceb5dff3db5ba28de8370bae23f4bf6ec444
Author: Jamie Nguyen <j at jamielinux.com>
Date: Fri Nov 13 14:17:02 2015 +0000
Permit filesystem group to be root
---
changes/bug17562-allow-root-group-read | 6 ++++++
src/common/util.c | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/changes/bug17562-allow-root-group-read b/changes/bug17562-allow-root-group-read
new file mode 100644
index 0000000..7a0903c
--- /dev/null
+++ b/changes/bug17562-allow-root-group-read
@@ -0,0 +1,6 @@
+ o Minor bug fixes:
+ - If any directory created by Tor is marked as group readable, the
+ filesystem group is allowed to be either the default GID or the root
+ user. Allowing root to read the DataDirectory prevents the need for
+ CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or
+ dac_read_search when using SELinux.
diff --git a/src/common/util.c b/src/common/util.c
index ce3646c..6d522de 100644
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -2143,7 +2143,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
return -1;
}
if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ))
- && (st.st_gid != running_gid) ) {
+ && (st.st_gid != running_gid) && (st.st_gid != 0)) {
struct group *gr;
char *process_groupname = NULL;
gr = getgrgid(running_gid);
More information about the tor-commits
mailing list