Ticket #17562: 0001-Permit-filesystem-group-to-be-root.patch

File 0001-Permit-filesystem-group-to-be-root.patch, 1.4 KB (added by jamielinux, 4 years ago)
  • new file changes/bug17562-allow-root-group-read

    From 8b43cb98bf31a30c5d0ee5c580520797697078b2 Mon Sep 17 00:00:00 2001
    From: Jamie Nguyen <j@jamielinux.com>
    Date: Fri, 13 Nov 2015 14:17:02 +0000
    Subject: [PATCH 1/3] Permit filesystem group to be root
    
    ---
     changes/bug17562-allow-root-group-read | 6 ++++++
     src/common/util.c                      | 2 +-
     2 files changed, 7 insertions(+), 1 deletion(-)
     create mode 100644 changes/bug17562-allow-root-group-read
    
    diff --git a/changes/bug17562-allow-root-group-read b/changes/bug17562-allow-root-group-read
    new file mode 100644
    index 0000000..7a0903c
    - +  
     1  o Minor bug fixes:
     2    - If any directory created by Tor is marked as group readable, the
     3      filesystem group is allowed to be either the default GID or the root
     4      user. Allowing root to read the DataDirectory prevents the need for
     5      CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or
     6      dac_read_search when using SELinux.
  • src/common/util.c

    diff --git a/src/common/util.c b/src/common/util.c
    index b33c80f..c0178a3 100644
    a b check_private_dir(const char *dirname, cpd_check_t check, 
    21162116    return -1;
    21172117  }
    21182118  if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ))
    2119        && (st.st_gid != running_gid) ) {
     2119       && (st.st_gid != running_gid) && (st.st_gid != 0)) {
    21202120    struct group *gr;
    21212121    char *process_groupname = NULL;
    21222122    gr = getgrgid(running_gid);