Opened 4 years ago

Closed 4 years ago

Last modified 3 years ago

#17388 closed defect (fixed)

tor refuses to create AF_LOCAL SOCKS sockets accessible by other users

Reported by: cypherpunks
Owned by:
Priority: Low
Milestone: Tor: 0.2.9.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.6.10
Severity: Normal
Keywords:
Cc: michael@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

(Copied from https://bugs.debian.org/797341#)

I tried to use this option:

SocksPort unix:/var/run/tor-socks

(And also one in a directory owned by the Tor user with mode 0755.)

But Tor refuses to create the socket:

[warn] Before Tor can create a SOCKS socket in "/var/run/tor-socks",
the directory "/var/run" needs to exist, and to be accessible only
by the user and group account that is running Tor. (On some Unix
systems, anybody who can list a socket can connect to it, so Tor is
being careful.)

The point of the socket was to allow access by other users. I don't see
a reason to restrict Unix SOCKS ports this way, since the TCP ports are
already accessible by all. The Unix port could be more secure, because
Tor could get the uid of the client and enforce isolation between users.
This seems like a leftover ControlSocket restriction.

  • Michael

Change History (6)

comment:1 Changed 4 years ago by nickm

Milestone: Tor: 0.2.8.x-final

comment:2 Changed 4 years ago by nickm

Priority: Medium → Low

comment:3 Changed 4 years ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.2.9.x-final

Throw most 0.2.8 "NEW" tickets into 0.2.9. I expect that many of them will subsequently get triaged out.

comment:4 Changed 4 years ago by weasel

Sponsor: None

I think this is fixed with the WorldWritable socket option from 0.2.7.2.

comment:5 Changed 4 years ago by weasel

Resolution: fixed
Status: new → closed

comment:6 Changed 3 years ago by nickm

Sponsor: None

These tickets had Sponsor == "None". Our convention seems to be Sponsor == "".
