Ticket #17562: 0001-Create-DataDirectory-with-group-read-permissions.patch

File 0001-Create-DataDirectory-with-group-read-permissions.patch, 3.1 KB (added by jamielinux, 4 years ago)
  • new file changes/bug17562

    From c44797468745db63d7239edbd3b1f27135513661 Mon Sep 17 00:00:00 2001
    From: Jamie Nguyen <j@jamielinux.com>
    Date: Mon, 9 Nov 2015 09:27:48 +0000
    Subject: [PATCH] Create DataDirectory with group read permissions
    
    Directories created by Tor have 0700 and TorUser:TorUser permissions.
    Tor also checks the permissions again at runtime, reducing the
    permissions if they aren't 0700 and refusing to run if the directory
    UID and GID aren't both TorUser.
    
    These precautions protect the security of the Tor files. However, the
    DataDirectory (i.e., /var/lib/tor) is unreadable by the root user. When
    Tor is started as root, it accesses the DataDirectory before dropping
    root permissions. Normally this wouldn't cause any problems, but there
    are two situations in which Tor is prevented from running:
    
    (1) If the systemd CapabilityBoundingSet option is set but CAP_READ_SEARCH
        isn't listed, root is denied access to the DataDirectory.
    
    (2) If SELinux is enabled but tor_t domain isn't allowed dac_read_search
        permissions, root is denied access to the DataDirectory.
    
    CAP_READ_SEARCH and dac_read_search should be avoided; a process with
    these permissions can read arbitrary files regardless of DAC
    permissions. The solution proposed in this patch is to default to
    creating the DataDirectory with 0750 permissions, while also allowing
    the group to be either TorUser or root (but nobody else).
    ---
     changes/bug17562  | 6 ++++++
     src/common/util.c | 2 +-
     src/or/config.c   | 3 ++-
     3 files changed, 9 insertions(+), 2 deletions(-)
     create mode 100644 changes/bug17562
    
    diff --git a/changes/bug17562 b/changes/bug17562
    new file mode 100644
    index 0000000..b6c9c1d
    - +  
     1  o Minor bug fixes:
     2    - Create DataDirectory with 0750 permissions by default and allow directory
     3      GID to be either the Tor User or root (but nobody else). The Tor service
     4      therefore no longer requires either CAP_READ_SEARCH in systemd's
     5      CapabilityBoundingSet, or dac_read_search in SELinux policy for tor_t
     6      domain.
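
Review bot: the capability named in this changes entry, CAP_READ_SEARCH, is not a Linux capability; the one that lets a process bypass DAC read and search checks, and therefore the one an operator would have to list in systemd's CapabilityBoundingSet=, is CAP_DAC_READ_SEARCH. The same misspelling is in the commit message, so correct both before merge, otherwise an operator looking the name up in capabilities(7) or in their unit file will not find it. The rest of the entry matches the code: the GID relaxation in util.c accepts exactly the Tor user's group or GID 0 and nothing else.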
  • src/common/util.c

    diff --git a/src/common/util.c b/src/common/util.c
    index b33c80f..c0178a3 100644
    a b check_private_dir(const char *dirname, cpd_check_t check, 
    21162116    return -1;
    21172117  }
    21182118  if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ))
    2119        && (st.st_gid != running_gid) ) {
     2119       && (st.st_gid != running_gid) && (st.st_gid != 0)) {
    21202120    struct group *gr;
    21212121    char *process_groupname = NULL;
    21222122    gr = getgrgid(running_gid);
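
Review bot: the added `&& (st.st_gid != 0)` clause relaxes the group check for every caller that passes CPD_GROUP_OK or CPD_GROUP_READ to check_private_dir, not only the DataDirectory caller this patch is about, and it hardcodes GID 0 rather than expressing the intent in a flag. A dedicated flag set only from config.c (CPD_GROUP_ROOT_OK is a hypothetical name) would keep the other group-readable directories on the strict check. The error branch that follows still builds its message from `gr = getgrgid(running_gid)` alone, so an operator who hits it will be told only the Tor user's group is acceptable even though root now is too; update that message in the same change. Finally, no line in this diff sets the 0750 mode the commit message promises (the diffstat shows one inserted and one deleted line in util.c), so if the mode comes from the existing CPD_GROUP_READ handling in check_private_dir, the commit message should say so explicitly.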
  • src/or/config.c

    diff --git a/src/or/config.c b/src/or/config.c
    index 22039b4..a0eaf23 100644
    a b options_act_reversible(const or_options_t *old_options, char **msg) 
    11881188
    11891189  /* Ensure data directory is private; create if possible. */
    11901190  if (check_private_dir(options->DataDirectory,
    1191                         running_tor ? CPD_CREATE : CPD_CHECK,
     1191                        running_tor ?
     1192                        CPD_CREATE|CPD_GROUP_READ : CPD_CHECK|CPD_GROUP_READ,
    11921193                        options->User)<0) {
    11931194    tor_asprintf(msg,
    11941195              "Couldn't access/create private data directory \"%s\"",
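
Review bot: CPD_GROUP_READ is added to the CPD_CHECK branch as well as the CPD_CREATE branch, so a configuration-only run (running_tor false) now uses the relaxed check too; that is consistent, but the commit message and changes entry only describe the create path, so say that checking is relaxed as well. More importantly, neither this hunk nor the util.c hunk shows how check_private_dir treats an existing 0700 DataDirectory owned by the Tor user's group, which is the common upgrade case; confirm, and state in the commit message, that CPD_GROUP_READ accepts 0700 alongside 0750 rather than rejecting or chmod'ing an existing directory at startup, since a refused DataDirectory is exactly the failure this patch sets out to avoid. The tor_asprintf text below, "Couldn't access/create private data directory", could also name the permitted owner and group combination now that two groups are acceptable, so the operator knows which one to fix.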