Bug 1279222
Summary: | Tor can't access /var/lib/tor/hidden_service/ even with setenforce 0 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Yury Bulka <setthemfree> |
Component: | tor | Assignee: | Nobody's working on this, feel free to take it <nobody> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 22 | CC: | gregoire, lmacken, pwouters, s |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-11-24 20:38:55 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Yury Bulka
2015-11-08 17:40:34 UTC
Thanks for reporting! I'm able to replicate. Though in my tests, removing CapabilityBoundingSet is not enough by itself. SELinux also prevents Tor from running. The problem is due to the restrictive permissions on /var/lib/tor. I notice that Debian fixed this issue on Stretch/Sid by giving Tor CAP_DAC_OVERRIDE, CAP_CHOWN and CAP_FOWNER. These dangerous capabilities are effectively equal to root, and kind of defeats the point of using CapabilityBoundingSet in the first place. My alternative solution is to relax the permissions on /var/lib/tor, allowing group read and not complaining if permission is toranon:root instead of toranon:toranon. See the patch below for more explanation. Builds will enter updates-testing shortly. In the meantime, Koji builds available here. f23 https://kojipkgs.fedoraproject.org//packages/tor/0.2.6.10/5.fc23/x86_64/tor-0.2.6.10-5.fc23.x86_64.rpm f22 https://kojipkgs.fedoraproject.org//packages/tor/0.2.6.10/5.fc22/x86_64/tor-0.2.6.10-5.fc22.x86_64.rpm el7 https://kojipkgs.fedoraproject.org//packages/tor/0.2.6.10/5.el7/x86_64/tor-0.2.6.10-5.el7.x86_64.rpm From ec35ad51e585023b718c2b257721bdf2d2f25f3e Mon Sep 17 00:00:00 2001 From: Jamie Nguyen <j> Date: Mon, 9 Nov 2015 07:38:19 +0000 Subject: [PATCH] Create DataDirectory with group read permissions Directories created by Tor have 0700 and toranon:toranon permissions. Tor also checks the permissions again at runtime, reducing the permissions if they aren't 0700 and refusing to run if the owner or group aren't both toranon. These precautions protect the security of the Tor files. However, these permissions make the Tor DataDirectory (ie, /var/lib/tor) unreadable by the root user. When Tor is started as root, it accesses the DataDirectory before dropping root permissions. Normally this wouldn't cause any problems, but there are two situations in which Tor is prevented from running: (1) If the systemd CapabilityBoundingSet option is set but CAP_READ_SEARCH isn't listed, root is denied access to the Tor DataDirectory. (2) If SELinux is enabled but tor_t domain isn't allowed dac_read_search permissions, root is denied access to the Tor DataDirectory. CAP_READ_SEARCH and dac_read_search should be avoided; a process with these permissions can read arbitrary files regardless of DAC permissions. The solution proposed in this patch is to default to creating the DataDirectory with 0750 permissions, while also allowing the group to be either toranon or root. --- src/common/util.c | 2 +- src/or/config.c | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/common/util.c b/src/common/util.c index 442d57a..793fbb4 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -2196,7 +2196,7 @@ check_private_dir(const char *dirname, cpd_check_t check, return -1; } if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ)) - && (st.st_gid != running_gid) ) { + && (st.st_gid != running_gid) && (st.st_gid != 0)) { struct group *gr; char *process_groupname = NULL; gr = getgrgid(running_gid); diff --git a/src/or/config.c b/src/or/config.c index fca350c..5cefc7c 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1152,7 +1152,8 @@ options_act_reversible(const or_options_t *old_options, char **msg) /* Ensure data directory is private; create if possible. */ if (check_private_dir(options->DataDirectory, - running_tor ? CPD_CREATE : CPD_CHECK, + running_tor ? + CPD_CREATE|CPD_GROUP_READ : CPD_CHECK|CPD_GROUP_READ, options->User)<0) { tor_asprintf(msg, "Couldn't access/create private data directory \"%s\"", -- 2.5.0 tor-0.2.6.10-5.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-3b10fe315d tor-0.2.6.10-5.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2015-488e7e1ea3 tor-0.2.6.10-5.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c8974b11be Now also reported upstream: https://trac.torproject.org/projects/tor/ticket/17562 tor-0.2.6.10-5.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'yum --enablerepo=epel-testing update tor' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2015-c8974b11be tor-0.2.6.10-5.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update tor' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-488e7e1ea3 tor-0.2.6.10-5.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update tor' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-3b10fe315d Wow, thanks for such a prompt response and fix! Installed from updates-testing, confirmed it works. *** Bug 1250893 has been marked as a duplicate of this bug. *** |