Opened 9 years ago

Closed 4 years ago

#5174 closed enhancement (implemented)

Tor relay can listen to ports < 1024 without running as root

Reported by: flupzor
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: tor-relay
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Rule 11 on the following page states that it is required for Tor to run as root in order to open ports < 1024. Looking at the git log, I believe this used to be the case but was fixed (commit b4bd836f46549b6263c8c55eb3bc127884b72340).

The attachment removes the lines that aren't true anymore.

Attachments (1)

relay.diff (980 bytes) - added by flupzor 9 years ago.

Change History (10)

Changed 9 years ago by flupzor

Attachment: relay.diff added

comment:1 Changed 9 years ago by flupzor

Looks like when hibernation occurs the port is closed and can't be opened again when woken up (because the privileges have been dropped). I'm not sure why this behavior exists.

So, doing a port forward might still be a valid setup.

comment:2 Changed 9 years ago by phobos

Component: Website → Tor Relay

comment:3 Changed 9 years ago by Sebastian

Component: Tor Relay → Website

This is a website documentation bug, not a tor bug.

comment:4 Changed 9 years ago by phobos

Component: Website → Tor Relay

The problem is the relay cannot use ports under 1024 without root; this is a tor bug, not a website bug.

comment:5 Changed 9 years ago by phobos

Owner: phobos deleted
Status: new → assigned

comment:6 Changed 8 years ago by nickm

Milestone: Tor: unspecified

Hm? There is no way to bind low ports unless you start with the appropriate capability (e.g., by being root). That's not a bug; that's Unix.

That said, the website should do a better job of distinguishing between running as root and starting as root.

comment:7 Changed 8 years ago by nickm

Keywords: tor-relay added

comment:8 Changed 8 years ago by nickm

Component: Tor Relay → Tor

comment:9 Changed 4 years ago by nickm

Resolution: implemented
Severity: Normal
Status: assigned → closed

We can now use capabilities on Linux to avoid dropping the 'bind low ports' cap, if the user asks us to do so. That's about as good as this will get.
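
The states discussed in comment:1 and comment:9 can be told apart from outside the process. The following is an added example, not code from Tor or from this ticket: it decodes the effective UID and capability mask from a Linux `/proc/<pid>/status` excerpt and reports whether the process could reopen a low port after closing it. The status excerpts are constructed, the function names are hypothetical, and the default of 1024 assumes the kernel's `net.ipv4.ip_unprivileged_port_start` setting is unchanged.

```python
# Added example: audit a privilege-dropped daemon from /proc/<pid>/status text.
CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h>

# Constructed excerpts (not captured from a real relay).
DROPPED_ALL = "Name:\tdaemon\nUid:\t105\t105\t105\t105\nCapEff:\t0000000000000000\n"
KEPT_BIND = "Name:\tdaemon\nUid:\t105\t105\t105\t105\nCapEff:\t0000000000000400\n"
STILL_ROOT = "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"


def parse_status(text):
    """Return (effective uid, effective capability mask)."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    euid = int(fields["Uid"].split()[1])       # real, effective, saved, fs
    cap_eff = int(fields["CapEff"].strip(), 16)
    return euid, cap_eff


def can_rebind(text, port, unpriv_start=1024):
    """True if the process could bind `port` again after closing it."""
    _, caps = parse_status(text)
    if port == 0 or port >= unpriv_start:       # ephemeral or unprivileged port
        return True
    # The kernel checks the capability, not the uid, for privileged ports.
    return bool((caps >> CAP_NET_BIND_SERVICE) & 1)


def audit(text, port):
    """List least-privilege and availability findings for one process."""
    euid, caps = parse_status(text)
    findings = []
    if euid == 0:
        findings.append("still running as root")
    if caps & ~(1 << CAP_NET_BIND_SERVICE):
        findings.append("holds capabilities beyond CAP_NET_BIND_SERVICE")
    if not can_rebind(text, port):
        findings.append("cannot reopen port %d once the listener is closed" % port)
    return findings


if __name__ == "__main__":
    for name, sample in (("dropped all", DROPPED_ALL), ("kept bind cap", KEPT_BIND),
                         ("still root", STILL_ROOT)):
        print(name, "->", audit(sample, 443) or "ok")
```
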