[tor-commits] [torsocks/master] Detect capabilities in torsocks wrapper
dgoulet at torproject.org
dgoulet at torproject.org
Mon Jun 13 21:14:03 UTC 2016
commit d03ab856ed770a8a7f925648f3ebd23f3e7e46c8
Author: Shawn Landden <shawn at churchofgit.com>
Date: Wed Dec 2 02:24:29 2015 -0800
Detect capabilities in torsocks wrapper
In addition to trying to detect them in the torsocks library, we also check
for capabilities in the torsocks wrapper.
Signed-off-by: Shawn Landden <shawn at churchofgit.com>
Signed-off-by: David Goulet <dgoulet at ev0ke.net>
---
src/bin/torsocks.in | 23 +++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/bin/torsocks.in b/src/bin/torsocks.in
index 2a459b3..5102fdc 100644
--- a/src/bin/torsocks.in
+++ b/src/bin/torsocks.in
@@ -96,21 +96,36 @@ tor_shell ()
torify_app ()
{
local app_path=`which $1`
-
- # NEVER remove that line or else nothing it torified.
- set_ld_preload
+ local getcap=`PATH="$PATH:/usr/sbin:/sbin" which getcap`
+ local caps=
if [ -z $1 ]; then
echo "Please provide an application to torify." >&2
elif [ -z $app_path ]; then
echo "ERROR: $1 cannot be found." >&2
exit 1
- elif [ -u $app_path ]; then
+ fi
+
+ # This must be before torifying because getcap uses cap_get_file(3)
+ # via syscall(2) which breaks torsocks.
+ if [ -n $getcap ]; then
+ caps=`$getcap $app_path`
+ fi
+
+ # NEVER remove that line or else nothing it torified.
+ set_ld_preload
+
+ if [ -u $app_path ]; then
echo "ERROR: $1 is setuid. torsocks will not work on a setuid executable." >&2
exit 1
elif [ -g $app_path ]; then
echo "ERROR: $1 is setgid. torsocks will not work on a setgid executable." >&2
exit 1
+ elif [ -n "$caps" ]; then
+ echo "ERROR: $1 gains the following elevated capabilities. torsocks will \
+not work with privledged executables.
+$caps" >&2
+ exit 1
fi
exec "$@"
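Review bot: The new guard `if [ -n $getcap ]; then` is unquoted, so when `which getcap` finds nothing the test collapses to `[ -n ]`, which is true, and the following line `caps=\`$getcap $app_path\`` then expands to running the target application itself — before set_ld_preload, i.e. outside torsocks — just to capture its output. Quote the expansion, `if [ -n "$getcap" ]; then`, and quote both words on the capture line, `caps=\`"$getcap" "$app_path"\``, so a path containing spaces is not split either. The later `[ -n "$caps" ]` branch is correctly quoted, but the same unquoted-test pattern is visible on the surrounding `-z $1`, `-z $app_path`, `-u $app_path` and `-g $app_path` context lines, and the `-z $1` branch prints its message without exiting, so an empty argument falls through to the later checks. The closing lines of torify_app appear to lie outside the visible hunk.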