Opened 8 months ago
Last modified 4 months ago
#22331 new defect
Tor needs to stop trying to read directories before it changes users
| Reported by: | arma | Owned by: | |
|---|---|---|---|
| Priority: | Medium | Milestone: | Tor: unspecified |
| Component: | Core Tor/Tor | Version: | Tor: 0.3.0.7 |
| Severity: | Normal | Keywords: | 032-unreached |
| Cc: | intrigeri, dgoulet | Actual Points: | |
| Parent ID: | | Points: | |
| Reviewer: | | Sponsor: | |
Description
If you use apparmor along with the Tor deb, like pretty much all Ubuntu users, and you want to configure a hidden service, you are in for some misery. For example, let's say you put your hidserv directory in /var/lib/tor/, which would make sense because then Tor will create the directory when it starts, take care of its permissions, etc.
The trouble is that the apparmor rules only let the debian-tor user read stuff in /var/lib/tor. They prevent root from trying to read stuff there (because why should it). But when Tor starts, especially Tor 0.3.0.x, it tries to check all the hidden service directories, as root, before it drops privileges. When apparmor refuses the directory read attempts, Tor flips out and says the config is bad:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993
We should audit all of these cases where we try to interact with files and directories before we've dropped privileges, and get rid of the ones we don't need.
(This one is a little bit tricky, because the way we've set up options_validate() vs options_act(), we'd like to be able to detect if a configuration change is going to fail *before* we commit to it. But I think cleaning up our behavior here is worth having things fail later because of directory problems if they're going to. After all, this way people will be able to use tight and simple apparmor profiles to enforce good behavior inside Tor.)
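The startup order this ticket argues for, as an added C example that is not Tor's code: privileges are dropped first, and only then is the service directory checked, so the check runs as the user the AppArmor profile allows. The function names, the ownership and mode policy, and the temporary directory used in `main` are assumptions made for illustration; a real daemon would look up the uid and gid of its configured user.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: switch to the unprivileged account if started as root. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0)
        return 0;                       /* already unprivileged, nothing to drop */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;                      /* groups first, then gid, then uid */
    return 0;
}

/* Hypothetical helper: the path must be a directory owned by the user we are
 * running as right now, with no group/other permission bits set. */
static int check_private_dir(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;                      /* missing, or not accessible to this user */
    if (!S_ISDIR(st.st_mode) || st.st_uid != geteuid())
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Order argued for in the ticket: the service directory is never touched
 * while the process is still root. */
int start_with_deferred_checks(uid_t uid, gid_t gid, const char *hs_dir)
{
    if (drop_privileges(uid, gid) != 0)
        return -1;
    return check_private_dir(hs_dir);
}

int main(void)
{
    char tmpl[] = "/tmp/hsdir-demo-XXXXXX";   /* constructed sample directory */
    char *dir = mkdtemp(tmpl);                /* created with mode 0700 */
    if (!dir) return 1;
    int rc = start_with_deferred_checks(getuid(), getgid(), dir);
    printf("%s: %s\n", dir, rc == 0 ? "ok" : "rejected");
    rmdir(dir);
    return rc == 0 ? 0 : 1;
}
```

The cost is the one the description already names: a bad directory is reported after the privilege drop rather than at configuration validation time.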
Change History (6)
comment:1 Changed 8 months ago by
| Cc: | intrigeri added |
|---|
comment:2 Changed 8 months ago by
comment:3 Changed 8 months ago by
| Cc: | dgoulet added |
|---|
intrigeri points also to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=847598 (so I cc dgoulet)
comment:4 Changed 6 months ago by
Btw we have approximately one Ubuntu user per day on irc who runs into this bug and fails to be able to use onion services on Ubuntu, even using our deb.
It is a real usability issue.
comment:6 Changed 4 months ago by
| Keywords: | 032-unreached added |
|---|---|
| Milestone: | Tor: 0.3.2.x-final → Tor: unspecified |
Mark a large number of tickets that I do not think we will do for 0.3.2.

(weasel points out, I think correctly, that putting your hidserv directory in /var/lib/tor/ is the only reasonable choice, because all the other options are worse.)