Opened 13 months ago

Last modified 13 months ago

#27334 reopened defect

RelaxDirModeCheck on ControlSocket still requires group to m

Reported by: a_p
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: easy, doc
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Even with RelaxDirModeCheck flag on the ControlSocket tor requires the folder (containing the socket file) group to match the group of the user running tor.

Could you lift this requirement when the RelaxDirModeCheck flag is given or is there an important reason for that?

os: FreeBSD 11.2

conf:

ControlSocket /var/run/tor-instances/123/controlsocket GroupWritable RelaxDirModeCheck

log:

Before Tor can create a control socket in "/var/run/tor-instances/123/controlsocket", the directory "/var/run/tor-instances/123" needs to exist, and to be accessible only by the user and group account that is running Tor.  (On some Unix systems, anybody who can list a socket can connect to it, so Tor is being careful.)

Change History (6)

comment:1 Changed 13 months ago by teor

Resolution: wontfix
Status: new → closed

Yes, this is the reason:

> (On some Unix systems, anybody who can list a socket can connect to it, so Tor is being careful.)

comment:2 Changed 13 months ago by a_p

Isn't that the point of RelaxDirModeCheck to give operators the freedom to allow a group to access the control socket files (of all instances)?

Allowing admins to have the folder group-readable but forcing a specific group makes it hard to authorize a single group to access the sockets of all instances if every instance runs under a unique user/group.

Last edited 13 months ago by a_p

comment:3 Changed 13 months ago by teor

Keywords: easy doc added
Milestone: Tor: unspecified
Resolution: wontfix
Status: closed → reopened

.

comment:4 in reply to: 2 Changed 13 months ago by teor

Replying to a_p:

> Isn't that the point of RelaxDirModeCheck to give operators the freedom to allow a group to access the control socket files (of all instances)?

No, the point of RelaxDirModeCheck is to allow more than one *user* to access the control socket files.

Normally, tor makes sure that the group has no permissions to the directory containing the tor socket.
RelaxDirModeCheck allows the directory to be readable and searchable by the group as well.

> Allowing admins to have the folder group-readable but forcing a specific group makes it hard to authorize a single group to access the sockets of all instances if every instance runs under a unique user/group.

But you can add another user to the tor group.
(If you give a single group access to all those directories, then all the tor users can access each others' directories. Also, some OSes require the user on a directory to be a member of the group on the directory.)

Here's how RelaxDirModeCheck works:

  1. Create tor users U1, U2, ... with unique groups G1, G2, ...
  2. Create another user X that you want to have access to the control sockets
  3. Add X to G1, G2, ...

We should update the man page to include these steps.
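
The layout from comment:4 next to the single-shared-group layout asked for in the ticket, as an added example that is not part of the ticket and not Tor's own code. The mode policy (group may have r-x only with RelaxDirModeCheck, nothing for others) follows the wording of this thread rather than Tor's source, and all uid/gid numbers are constructed.

```python
import os
import stat
from dataclasses import dataclass

@dataclass
class DirInfo:
    uid: int    # owner of the socket directory
    gid: int    # group of the socket directory
    mode: int   # permission bits, e.g. 0o750

def from_path(path):
    """Build a DirInfo from a real directory, for use on a live system."""
    st = os.stat(path)
    return DirInfo(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def check_socket_dir(d, tor_uid, tor_gid, relax=False):
    """Problems that would make the directory fail the check, per this model."""
    problems = []
    if d.uid != tor_uid:
        problems.append("owner is not the user running tor")
    if d.gid != tor_gid:
        problems.append("group is not the primary group of the user running tor")
    # Assumption from the thread: owner rwx always; group r-x only when relaxed.
    allowed = 0o700 | (0o050 if relax else 0)
    extra = d.mode & ~allowed
    if extra:
        problems.append(f"extra permission bits {extra:03o}")
    return problems

def can_enter(d, uid, gids):
    """Unix rule: owner bits, else group bits, else other bits decide search access."""
    if uid == d.uid:
        return bool(d.mode & stat.S_IXUSR)
    if d.gid in gids:
        return bool(d.mode & stat.S_IXGRP)
    return bool(d.mode & stat.S_IXOTH)

# Constructed accounts: U1/G1, U2/G2, and controller X added to G1 and G2.
U1, G1, U2, G2, X = 2001, 3001, 2002, 3002, 2100
X_GROUPS = {2100, G1, G2}
DIR1 = DirInfo(U1, G1, 0o750)   # layout from comment:4
DIR2 = DirInfo(U2, G2, 0o750)
# The alternative asked for in the ticket: one shared group on every directory.
SHARED = 4000
DIR2_SHARED = DirInfo(U2, SHARED, 0o750)

if __name__ == "__main__":
    for name, d, uid, gid in [("DIR1", DIR1, U1, G1), ("DIR2", DIR2, U2, G2),
                              ("DIR2_SHARED", DIR2_SHARED, U2, G2)]:
        print(name, check_socket_dir(d, uid, gid, relax=True) or "ok")
```

In the shared-group layout, any tor user that is a member of the shared group can enter the other instances' directories, which is the cross-instance exposure comment:4 points out.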

comment:5 in reply to: 4 Changed 13 months ago by a_p

Thanks for your reply.

Replying to teor:

> No, the point of RelaxDirModeCheck is to allow more than one *user* to access the control socket files.
>
> Normally, tor makes sure that the group has no permissions to the directory containing the tor socket.
> RelaxDirModeCheck allows the directory to be readable and searchable by the group as well.

The important bit to add to the man page is: "The group of the folder containing the controlsocket file must match the primary group of the user used to run tor - even with RelaxDirModeCheck. If they do not match, tor will refuse to create the control socket file."

Last edited 13 months ago by a_p

comment:6 Changed 13 months ago by a_p

or better:
a specific description of the requirements
