Opened 13 months ago

Last modified 9 months ago

#26910 new enhancement

Could tor drop privileges even earlier? (before trying to access anything on the filesystem beyond its torrc files)

Reported by: nusenu Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: 040-roadmap-proposed
Cc: weasel, dmr, intrigeri Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Fedora/CentOS starts the tor service as root and drops
privileges to user 'toranon' due to the torrc 'User' parameter by default.

Also by default the tor service runs in a SELinux confined domain (tor_t). That means
root in that domain can NOT access just any files regardless
of DAC filesystem permissions (DAC_OVERRIDE is not granted by default).

This results in the situation that during startup (before privileges
are dropped and the user is switched to 'toranon') tor cannot access
the HiddenServiceDir without allowing DAC_OVERRIDE or changing filesystem permissions,
but it could if at that point privileges had already been switched to the user specified in the torrc file.

From my point of view the nicest solution would be if tor dropped
privileges before it accessed anything on the filesystem -
which would solve the above problem. Would that introduce other problems?

Is there a specific reason why tor drops privileges later?

(this applies both to running tor normally and to running tor in --verify-config mode)

context:
https://bugzilla.redhat.com/show_bug.cgi?id=1602171
(I consider this problem solved via the workaround but
I'm still interested in the above question)

Child Tickets

Change History (10)

comment:1 Changed 13 months ago by nickm

I'm not sure I understand: How would Tor know which user to switch to (or which other privileges to drop) if it has not first read the torrc file? And would reading the torrc file not count as using the filesystem?

comment:2 in reply to: 1 Changed 13 months ago by nusenu

Replying to nickm:

I'm not sure I understand: How would Tor know which user to switch to (or which other privileges to drop) if it has not first read the torrc file?

Sorry if I was not clear about that: I was suggesting dropping privileges after reading the torrc file.

And would reading the torrc file not count as using the filesystem?

Reading the torrc file as the user that is used to start tor (root in this case) is fine (since the torrc file is readable to root).

Last edited 13 months ago by nusenu

comment:3 Changed 13 months ago by weasel

Cc: weasel added

Yes, please.

The Debian service file still needs to give tor the CAP_DAC_READ_SEARCH capability (which lets uid 0 override DAC file permissions for read/search purposes) or else it falls flat on its face with hidden services (cf. Debian#847598). We'd appreciate if Tor did not need this elevated capability.
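The startup ordering proposed in the description (read torrc as the invoking user, switch to the configured User, and only then touch DataDirectory or HiddenServiceDir), together with the capability check that comment 3 implies (confirming that CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are no longer in the effective set after the switch), as an added illustration that is not Tor's code. The `struct config` and `parse_config` are a hypothetical stand-in for tor's real configuration parser; the torrc text is constructed; `/proc/self/status` parsing is Linux-specific and `current_cap_eff` simply returns 0 elsewhere.

```c
/* Added example, not Tor's code: read config first, drop privileges second,
 * touch the rest of the filesystem third, then verify the drop. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Linux capability bit numbers (values from linux/capability.h). */
#define CAP_BIT_DAC_OVERRIDE    1
#define CAP_BIT_DAC_READ_SEARCH 2

/* Hypothetical stand-in for the three torrc keys that matter here. */
struct config {
    char user[64];     /* User */
    char datadir[256]; /* DataDirectory */
    char hsdir[256];   /* HiddenServiceDir */
};

/* Parse "Key value" lines from config text already read by the invoking
 * user. Returns the number of recognised keys. */
int parse_config(const char *text, struct config *cfg) {
    int n = 0;
    memset(cfg, 0, sizeof *cfg);
    const char *line = text;
    while (line && *line) {
        char key[32], val[256];
        if (sscanf(line, "%31s %255s", key, val) == 2) {
            if (strcmp(key, "User") == 0) { snprintf(cfg->user, sizeof cfg->user, "%s", val); n++; }
            else if (strcmp(key, "DataDirectory") == 0) { snprintf(cfg->datadir, sizeof cfg->datadir, "%s", val); n++; }
            else if (strcmp(key, "HiddenServiceDir") == 0) { snprintf(cfg->hsdir, sizeof cfg->hsdir, "%s", val); n++; }
        }
        const char *nl = strchr(line, '\n');
        line = nl ? nl + 1 : NULL;
    }
    return n;
}

/* Irreversibly switch to uid/gid. Returns 0 on success, -1 on failure.
 * Supplementary groups are cleared first; gid before uid, because after
 * setuid() an unprivileged process can no longer change its gid. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (getuid() == uid && geteuid() == uid && getgid() == gid)
        return 0; /* already running as that user (e.g. started unprivileged) */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* The drop must be permanent: regaining uid 0 has to fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Extract the CapEff bitmask from /proc/<pid>/status text; 0 if absent. */
uint64_t parse_cap_eff(const char *status_text) {
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return 0;
    return (uint64_t)strtoull(p + strlen("CapEff:"), NULL, 16);
}

int cap_is_set(uint64_t caps, int bit) { return (int)((caps >> bit) & 1); }

/* Live effective capability set of this process (Linux only; 0 elsewhere). */
uint64_t current_cap_eff(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return 0;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0';
    fclose(f);
    return parse_cap_eff(buf);
}

int main(void) {
    /* Constructed torrc text, standing in for the file read before the switch. */
    const char *torrc = "User toranon\nDataDirectory /var/lib/tor\nHiddenServiceDir /var/lib/tor/hs\n";
    struct config cfg;
    if (parse_config(torrc, &cfg) < 1 || cfg.user[0] == '\0') { fprintf(stderr, "no User in torrc\n"); return 1; }

    /* Step 2: switch user before any access beyond torrc. If 'toranon' does
     * not exist on this machine, fall back to the current uid/gid. */
    struct passwd *pw = getpwnam(cfg.user);
    uid_t uid = pw ? pw->pw_uid : getuid();
    gid_t gid = pw ? pw->pw_gid : getgid();
    if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }

    uint64_t caps = current_cap_eff();
    printf("uid=%u CapEff=%#llx DAC_OVERRIDE=%d DAC_READ_SEARCH=%d\n", (unsigned)geteuid(),
           (unsigned long long)caps, cap_is_set(caps, CAP_BIT_DAC_OVERRIDE), cap_is_set(caps, CAP_BIT_DAC_READ_SEARCH));

    /* Step 3: first filesystem access beyond torrc, now as the target user. */
    struct stat st;
    if (stat(cfg.hsdir, &st) != 0)
        printf("cannot access %s as uid %u: %s\n", cfg.hsdir, (unsigned)geteuid(), strerror(errno));
    else
        printf("%s accessible as uid %u\n", cfg.hsdir, (unsigned)geteuid());
    return 0;
}
```

Run as root on a host with a 'toranon' user, the CapEff line printed after the switch should show both DAC bits clear, which is exactly the state in which the HiddenServiceDir check relies on ordinary ownership rather than on CAP_DAC_READ_SEARCH; started as an unprivileged user, `drop_privileges` is a no-op and the program simply reports what that user can see.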

comment:4 Changed 13 months ago by nickm

Keywords: 035-proposed added

comment:5 Changed 13 months ago by nickm

Keywords: 035-roadmap-proposed added; 035-proposed removed

comment:6 Changed 12 months ago by dmr

Cc: dmr added

comment:7 Changed 10 months ago by teor

Keywords: 036-roadmap-proposed added; 035-roadmap-proposed removed

Move likely enhancements from 035-roadmap-proposed to 036-roadmap-proposed

comment:8 Changed 9 months ago by arma

#22331 is a very related ticket.

comment:9 Changed 9 months ago by intrigeri

Cc: intrigeri added

comment:10 Changed 9 months ago by teor

Keywords: 040-roadmap-proposed added; 036-roadmap-proposed removed

0.3.6 is now 0.4.0: changing roadmap keywords
