Opened 6 months ago

Closed 5 months ago

#28128 closed defect (fixed)

v3 client auth: No interned sandbox parameter found

Reported by: pege
Owned by: dgoulet
Priority: Medium
Milestone: Tor: 0.3.5.x-final
Component: Core Tor/Tor
Version: Tor: 0.3.5.3-alpha
Severity: Normal
Keywords: tor-hs, sandbox, 035-must
Cc:
Actual Points:
Parent ID:
Points:
Reviewer: asn
Sponsor:

Description

Setting ClientOnionAuthDir /var/lib/tor/client_auth in combination with Sandbox 1 leads to this error:

Oct 19 22:32:15 host tor[18554]: Oct 19 22:32:15.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /var/lib/tor/client_auth (on Tor 0.3.5.3-alpha )
Oct 19 22:32:15 host tor[18554]: Oct 19 22:32:15.000 [warn] Directory /var/lib/tor/client_auth cannot be read: Permission denied

When Sandbox is set to 0, everything works just fine.


Change History (11)

comment:1 Changed 6 months ago by nickm

Milestone: Tor: 0.3.5.x-final

comment:2 Changed 6 months ago by dgoulet

Oh right... we need the equivalent of hs_service_lists_fnames_for_sandbox() but for the hs_client.c module.

Simply returning dir name and all files in the directory so the sandbox can accept them.

Now this also needs to be tied in with new files we add at runtime since we can just HUP tor so reload the client auth and the new file should not crash tor! :P

comment:3 Changed 6 months ago by dgoulet

Keywords: tor-hs sandbox added

comment:4 Changed 6 months ago by dgoulet

> Now this also needs to be tied in with new files we add at runtime since we can just HUP tor so reload the client auth and the new file should not crash tor! :P

Yeah... that part won't work. We can't add anything in the sandbox filters after initialization.

So until we get a better sandbox system, we'll have to document that Sandbox and client auth will work together but won't if a client is added at runtime (loaded with HUP).

Last edited 6 months ago by dgoulet

comment:5 Changed 6 months ago by dgoulet

Owner: set to dgoulet
Status: new → accepted

comment:6 Changed 5 months ago by dgoulet

Keywords: 035-must added

Adding this to 035-must because we at least need to tell our sandbox about ClientOnionAuthDir path and the .auth_private it contains at startup.

comment:7 in reply to:  6 Changed 5 months ago by dgoulet

Replying to dgoulet:

> Adding this to 035-must because we at least need to tell our sandbox about ClientOnionAuthDir path and the .auth_private it contains at startup.

Waiiiiiiiiiiit... Client authorization files are loaded _before_ the sandbox is initialized so we don't have to tell the sandbox about those. Tor doesn't write or modify any of the files in that directory so once the sandbox is on, tor should never touch those files again.

The issue is thus with HUP but as discussed, we can't fix that so I'll simply make a manpage patch detailing this issue.
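
The startup-versus-HUP behaviour described in comment:7, as a simplified model added here as an example (it is not Tor's source code and not part of the ticket). The model_* names and the frozen-allowlist structure are assumptions made for illustration.

```c
/* Simplified model, not Tor source; all model_* names are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ALLOWED 8
static const char *allowed[MAX_ALLOWED]; /* paths registered before init */
static size_t n_allowed;
static bool sandbox_active;

/* Register a path; only possible before the sandbox is initialized. */
int model_allow_path(const char *path) {
  if (sandbox_active || n_allowed == MAX_ALLOWED)
    return -1; /* the filter cannot be extended after initialization */
  allowed[n_allowed++] = path;
  return 0;
}
void model_sandbox_init(void) { sandbox_active = true; }

/* Return the registered entry for path, or NULL if it was never registered
 * (the case the "No interned sandbox parameter found" warning reports). */
const char *model_intern(const char *path) {
  for (size_t i = 0; i < n_allowed; i++)
    if (strcmp(allowed[i], path) == 0)
      return allowed[i];
  return NULL;
}

/* Model of opening a path: 0 on success, -EACCES for "Permission denied". */
int model_open(const char *path) {
  if (!sandbox_active)
    return 0; /* startup: nothing is filtered yet */
  return model_intern(path) ? 0 : -EACCES;
}

/* Replay the ticket's timeline; returns the result of the reload after HUP. */
int model_ticket_timeline(const char *dir, int *startup_rc, int *late_rc) {
  *startup_rc = model_open(dir);    /* client auth is loaded before init */
  model_sandbox_init();
  *late_rc = model_allow_path(dir); /* too late: registration is refused */
  return model_open(dir);           /* reload after HUP is denied */
}

int main(void) {
  int s, l, r = model_ticket_timeline("/var/lib/tor/client_auth", &s, &l);
  printf("startup=%d late_allow=%d hup_reload=%d\n", s, l, r);
  return 0;
}
```

In this model, only a restart picks up new client authorization files while the sandbox is on, which is the limitation the manpage patch documents.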

comment:8 Changed 5 months ago by dgoulet

Status: accepted → needs_review

Documentation fix only. Trivial:

Branch: ticket28128_035_01

comment:9 Changed 5 months ago by dgoulet

Reviewer: asn

comment:10 Changed 5 months ago by asn

Status: needs_review → merge_ready

LGTM!

comment:11 Changed 5 months ago by dgoulet

Resolution: fixed
Status: merge_ready → closed

Merged! Thanks.
