[tor-dev] Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?

Yawning Angel yawning at schwanenlied.me
Sun Apr 12 13:10:33 UTC 2015


On Sun, 12 Apr 2015 12:46:26 +0000
Nusenu <nusenu at openmailbox.org> wrote:
> tor will fail to startup with the current systemd service file [1]
> if your torrc makes use of the ControlSocket feature.
> 
> To work around the issue one has to additionally allow the following
> capabilities:
> CAP_DAC_OVERRIDE
> CAP_CHOWN
> since the socket file is created as root and then changed to the tor
> user (chown).
> 
> Is it possible to change this to not require
> CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?

I bet using the AF_UNIX SocksPort stuff will break as well, since the
code is common.  All of the listeners are launched before switching
uid/gid and dropping privileges since it's common code.

The way to fix this would be to change retry_listener_ports and
retry_all_listeners code to additionally allow only launching service
ports (< 1024), and staging the listener launch process on config
(re)load to something that looks like:

 1. Launch listeners that require elevated privileges
    (CAP_NET_BIND_SERVICE).
 2. Drop privileges and switch the uid/gid.
 3. Launch the rest of the listeners, including all of the AF_UNIX
    based ones (as the runtime tor user, so neither privilege is
    required).

Patches accepted.

-- 
Yawning Angel
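The staged launch sketched in the message, written out as an added C example (this is not tor's code, and the function names and the /tmp socket path are this example's own). Stage 1 binds the TCP listener, the only step that would need CAP_NET_BIND_SERVICE for a port below 1024; stage 2 drops to the runtime uid/gid; stage 3 creates the AF_UNIX listener only after that, so the socket file is born owned by the runtime user with an owner-only mode and no chown is ever needed, which is what removes the CAP_CHOWN and CAP_DAC_OVERRIDE requirement. The demo uses port 0 (an ephemeral port) and the current uid/gid so it runs without privileges; with root and a low port the control flow is identical.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Stage 1: TCP listener on 127.0.0.1:port. Only this stage needs
 * CAP_NET_BIND_SERVICE, and only when port < 1024. Port 0 = ephemeral. */
int launch_tcp_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Stage 2: drop to the runtime user. Order matters: supplementary groups,
 * then gid, then uid; calling setuid first would make the other two fail. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == uid && getgid() == gid)
        return 0; /* already the runtime user; nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Regaining root must now fail; if it succeeds the drop was ineffective. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Stage 3: AF_UNIX listener created as the (now unprivileged) runtime user.
 * bind() creates the socket file with mode 0777 & ~umask, so a temporary
 * umask of 0177 gives an owner-only (0600) socket with no chmod or chown. */
int launch_unix_listener(const char *path)
{
    struct sockaddr_un sun;
    if (strlen(path) >= sizeof sun.sun_path)
        return -1;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sun, 0, sizeof sun);
    sun.sun_family = AF_UNIX;
    strncpy(sun.sun_path, path, sizeof sun.sun_path - 1);
    unlink(path); /* remove a stale socket left by a previous run */
    mode_t old = umask(0177);
    int rc = bind(fd, (struct sockaddr *)&sun, sizeof sun);
    umask(old);
    if (rc < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The post-launch check: the socket file already belongs to the current
 * (runtime) user and is owner-only. Returns 1 if so, 0 otherwise. */
int socket_owned_by_current_user(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISSOCK(st.st_mode))
        return 0;
    return st.st_uid == geteuid() && (st.st_mode & 0777) == 0600;
}

/* Runs the three stages in order. Returns 0 on success, the number of the
 * failing stage (1..3), or 4 if the ownership/mode check fails. */
int staged_launch_demo(const char *unix_path)
{
    int tcp_fd = launch_tcp_listener(0);
    if (tcp_fd < 0)
        return 1;
    if (drop_privileges(getuid(), getgid()) != 0) {
        close(tcp_fd);
        return 2;
    }
    int unix_fd = launch_unix_listener(unix_path);
    if (unix_fd < 0) {
        close(tcp_fd);
        return 3;
    }
    int ok = socket_owned_by_current_user(unix_path);
    close(tcp_fd);
    close(unix_fd);
    unlink(unix_path);
    return ok ? 0 : 4;
}

int main(void)
{
    int rc = staged_launch_demo("/tmp/tor-dev-example.sock");
    printf("staged launch: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc;
}
```

The point of the ordering is visible in stage 3: because the AF_UNIX bind happens after the uid/gid switch, the kernel creates the socket file as the runtime user, and the systemd unit can keep CAP_CHOWN and CAP_DAC_OVERRIDE out of its capability set. The mode check also catches the case where a process-wide umask leaves the control socket group- or world-accessible.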