Opened 4 years ago

Closed 4 years ago

#12064 closed defect (fixed)

Tor should be able to read all files it creates when Sandbox enabled.

Reported by: alphawolf
Owned by: nickm
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.5.4-alpha
Keywords: sandbox

Description (last modified by alphawolf)

After #12035 and #12041, I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.

Part 1 (Stuff I have a patch for):

DataDirectory/status/entry-stats
DataDirectory/status/exit-stats
DataDirectory/status/buffer-stats
DataDirectory/status/conn-stats

Part 2 (Marked obsolete in docs... patch not necessary?):

DataDirectory/cached-routers and cached-routers.new
DataDirectory/bw_accounting

Part 3 (Stuff I'm unsure of):

DataDirectory/control_auth_cookie
DataDirectory/approved-routers

Part 4 (Hidden Directory Files - tested, broken because unable to read private_key):

HiddenServiceDirectory/hostname
HiddenServiceDirectory/private_key
HiddenServiceDirectory/client_keys

A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

Attachments (1)

bug12064_part1.patch (1.7 KB) - added by alphawolf 4 years ago.
Patch on master. Only tested that it compiles and runs.

Change History (12)

Changed 4 years ago by alphawolf

Attachment: bug12064_part1.patch added

Patch on master. Only tested that it compiles and runs.

comment:1 Changed 4 years ago by alphawolf

Description: modified (diff)

comment:2 in reply to:  description ; Changed 4 years ago by nickm

Replying to alphawolf:

> After #12035 and #12041, I realized that there are probably a lot of files that tor creates that are not specifically allowed in the sandbox. I've not tested all of these to make sure there is actually a bug, but these are the files listed in the torrc documentation that I don't see mentioned in sandbox_cfg_allow_open_filename_array() or elsewhere in src/or/main.c.
>
> Part 1 (Stuff I have a patch for):
>
> DataDirectory/status/entry-stats
> DataDirectory/status/exit-stats
> DataDirectory/status/buffer-stats
> DataDirectory/status/conn-stats

You mean "stats", not "status"?

> Part 2 (Marked obsolete in docs... patch not necessary?):
>
> DataDirectory/cached-routers and cached-routers.new
> DataDirectory/bw_accounting

Correct; these are not used any longer.

> Part 3 (Stuff I'm unsure of):
>
> DataDirectory/control_auth_cookie
> DataDirectory/approved-routers

control_auth_cookie can be overridden with CookieAuthFile. See (and maybe use?) get_cookie_file() in control.c. If that function is going to become non-static, however, it probably needs a better name.

Also see get_ext_or_auth_cookie_file_name().

The approved-routers file should be readable too.

> Part 4 (Hidden Directory Files - tested, broken because unable to read private_key):
>
> HiddenServiceDirectory/hostname
> HiddenServiceDirectory/private_key
> HiddenServiceDirectory/client_keys
>
> A patch for part 1 is inbound (based off the fixes for the previous bugs). Someone else will need to write any patches for parts 2 - 4.

comment:3 Changed 4 years ago by nickm

Owner: set to nickm
Status: new → assigned

comment:4 in reply to:  2 Changed 4 years ago by alphawolf

Replying to nickm:

> You mean "stats", not "status"?

All names are exactly as they appear in the manual I linked from www.tpo. I assumed "status" had a special meaning ("DataDirectory" and "HiddenServiceDirectory" are not actual directory names either). The patch I uploaded uses "stats", since that is what was used for the bridge-stats and dirreq-stats documents.

comment:5 Changed 4 years ago by alphawolf

RE: part 1, I've confirmed that 3 of the 4 files can trigger warnings:

May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/entry-stats
May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/exit-stats
May 21 22:01:06.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats/conn-stats

Relevant torrc settings:

EntryStatistics 1
ExitPortStatistics 1
ConnDirectionStatistics 1

I don't know how to enable buffer-stats in order to test that. The bug12064_part1 patch does fix these three warnings.

comment:6 Changed 4 years ago by nickm

Resolution: fixed
Status: assigned → closed

Should be fixed in cfd0ee514c279bc6c7b7c299e001693a5aeb1f5f, 85f49abfbe50d29e4314ed0a3b436f3b14162d00, ffc1fde01fb4fc752aa54de0282cf027bdb738cf

comment:7 Changed 4 years ago by nickm

(also merged your patch as 387f294d40c9b5c0bb9d6f29b85b7da1a185bc8c)

comment:8 Changed 4 years ago by alphawolf

Resolution: fixed
Status: closed → reopened

I'm getting a stack trace on the hidden services. I thought it was because of the trailing '/' on HiddenServiceDir, but it seems to happen even when I get rid of that. The only difference is that the '/' is not doubled up in the bug message as it is below. Note, this only happens after HUP.

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

May 22 22:01:24.000 [notice] Received reload signal (hup). Reloading config and resetting internal state.
May 22 22:01:24.000 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
May 22 22:01:24.000 [notice] Read configuration file "/etc/tor/torrc".
May 22 22:01:24.000 [notice] Tor 0.2.5.4-alpha-dev (git-cfd0ee514c279bc6) opening log file.
May 22 22:01:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/hidden_service/
May 22 22:01:24.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/hidden_service//hostname.tmp

============================================================ T= 1400810484
(Sandbox) Caught a bad syscall attempt (syscall open)
/usr/bin/tor(+0x1239aa)[0x7f0e05c959aa]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f0e04778180]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f0e04778180]
/usr/bin/tor(tor_open_cloexec+0x40)[0x7f0e05c82360]
/usr/bin/tor(start_writing_to_file+0xfb)[0x7f0e05c90f7b]
/usr/bin/tor(+0x11f0db)[0x7f0e05c910db]
/usr/bin/tor(+0x11f228)[0x7f0e05c91228]
/usr/bin/tor(+0x5a218)[0x7f0e05bcc218]
/usr/bin/tor(rend_service_load_all_keys+0x81)[0x7f0e05bce231]
/usr/bin/tor(set_options+0xb9a)[0x7f0e05c2e4ba]
/usr/bin/tor(options_init_from_string+0x2d9)[0x7f0e05c2fcf9]
/usr/bin/tor(options_init_from_torrc+0x1a7)[0x7f0e05c2fff7]
/usr/bin/tor(process_signal+0x46c)[0x7f0e05ba93ac]
/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x9a5)[0x7f0e051fe715]
/usr/bin/tor(do_main_loop+0x195)[0x7f0e05ba8285]
/usr/bin/tor(tor_main+0xd75)[0x7f0e05baa6e5]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f0e041dcb45]
/usr/bin/tor(+0x32adb)[0x7f0e05ba4adb]

comment:9 Changed 4 years ago by nickm

Resolution: fixed
Status: reopened → closed

Thanks; should be better in 824bebd40954d2f766a7b37e6b4d206f9b682ed9

comment:10 Changed 4 years ago by alphawolf

Resolution: fixed
Status: closed → reopened

Oops! Looks like we missed something.

Jun 10 05:35:47.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/stats

comment:11 Changed 4 years ago by nickm

Resolution: fixed
Status: reopened → closed

Fixed with bbb1ffe5357e408aa63b16b8691ca938cd62216c ; thanks!
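
Added example, not part of the ticket and not Tor's own code: a small Python triage that pulls the un-interned paths and the blocked syscalls out of a Tor log, using the two message formats quoted in comments 5, 8 and 10. The function names are hypothetical, and the sample log is constructed from lines quoted in this ticket.

```python
import posixpath
import re

# Message formats as quoted in the ticket's comments.
WARN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) \[warn\] sandbox_intern_string\(\): "
    r"Bug: No interned sandbox parameter found for (?P<path>\S+)\s*$"
)
BAD_SYSCALL_RE = re.compile(
    r"\(Sandbox\) Caught a bad syscall attempt \(syscall (?P<name>\w+)\)"
)

_W = "[warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for"
# Constructed sample log, assembled from lines quoted in this ticket.
SAMPLE_LOG = f"""\
May 21 22:01:06.000 {_W} /var/lib/tor/stats/entry-stats
May 21 22:01:06.000 {_W} /var/lib/tor/stats/exit-stats
May 21 22:01:06.000 {_W} /var/lib/tor/stats/conn-stats
May 22 22:01:24.000 [notice] Read configuration file "/etc/tor/torrc".
May 22 22:01:24.000 {_W} /var/lib/tor/hidden_service/
May 22 22:01:24.000 {_W} /var/lib/tor/hidden_service//hostname.tmp
(Sandbox) Caught a bad syscall attempt (syscall open)
Jun 10 05:35:47.000 {_W} /var/lib/tor/stats
"""


def triage(log_text):
    """Return (missing, syscalls).

    missing maps each normalized path to its first-seen timestamp and the raw
    spellings logged; the raw form is kept because the warning names the exact
    string that was looked up. syscalls lists the syscalls reported as blocked.
    """
    missing, syscalls = {}, []
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            raw = m.group("path")
            norm = posixpath.normpath(raw)  # collapses '//' and a trailing '/'
            entry = missing.setdefault(norm, {"first_seen": m.group("ts"), "raw": set()})
            entry["raw"].add(raw)
        elif (m := BAD_SYSCALL_RE.search(line)):
            syscalls.append(m.group("name"))
    return missing, syscalls


def non_canonical(missing):
    """Raw spellings that differ from their normalized form (doubled or trailing '/')."""
    return sorted(r for norm, e in missing.items() for r in e["raw"] if r != norm)
```

Run over a real log, the keys of `missing` are the list of files and directories to report as absent from the sandbox allowlist, and `non_canonical` points at spellings such as the trailing `/` on HiddenServiceDir mentioned in comment 8.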
