Patch to authenticate by uid/gid on ControlSocket

Michael Gold torlists at rilmarder.org
Sun Mar 1 18:56:02 UTC 2009


On Sun, Mar 01, 2009 at 10:47:03 -0700, John Brooks wrote:
> Great idea! This should simplify things quite a lot when using control
> connections.
> 
> I'm surprised fchmod doesn't work, but I don't think using chmod() would be
> a problem here. Another user very likely wouldn't have the permissions to
> replace the socket file, and if they did, the chmod() call would then fail
> as the tor user would not own the new file. If they were already running as
> the tor user, they could do all sorts of other things and make it really a
> moot point anyway. I don't see a way that another user could bother tor
> using that race condition.

The problem of fchmod not working is Linux-specific and seems to be
brought up on LKML every few years, though there's never a response and
nobody's sent a patch.

The race condition could be exploited by hardlinking a file owned by the
Tor user, which would then become world-writable.  But this would only
work if the attacker had write permission to the directory and the
sticky bit was clear.

-- Michael