Opened 11 years ago

Last modified 7 years ago

#782 closed defect (Fixed)

Patch: Open /dev/pf before dropping privileges with TransPort

Reported by: loafier
Owned by: nickm
Priority: Low
Milestone:
Component: Core Tor/Tor
Version: 0.2.0.29-rc
Severity:
Keywords:
Cc: loafier, nickm
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently, when using TransPort and OpenBSD pf, Tor opens /dev/pf
after dropping privileges, so the permissions on /dev/pf must be
modified to allow access to the unprivileged Tor user.

The patch should ensure that /dev/pf is opened while Tor is still
running as root.

Note: diff is to trunk

Index: src/or/config.c
===================================================================
--- src/or/config.c (revision 16230)
+++ src/or/config.c (working copy)
@@ -1060,6 +1060,16 @@

}

}


+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+ /* Open /dev/pf before dropping privileges. */
+ if (options->TransPort) {
+ if (get_pf_socket() < 0) {
+ *msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
+ goto rollback;
+ }
+ }
+#endif
+

/* Setuid/setgid as appropriate */

if (options->User
options->Group) {

/* XXXX021 We should only do this the first time through, not on
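Review bot: the new block runs on every pass through this function, not only at startup, so a later config reload that first enables TransPort after the setuid/setgid step below has already run will perform this open as the unprivileged user; if it fails, the `goto rollback` discards the whole new config with "Unable to open /dev/pf for transparent proxy.", which is the safe outcome, but the message should say that /dev/pf has to be opened before privileges are dropped so the operator knows a restart (not loosening permissions on /dev/pf) is the fix. A one-line comment above the `#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)` guard noting that TransPort on platforms without pf deliberately skips this check would also help the next reader.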

Index: src/or/connection_edge.c
===================================================================
--- src/or/connection_edge.c (revision 16230)
+++ src/or/connection_edge.c (working copy)
@@ -1641,8 +1641,7 @@

#ifdef TRANS_PF
static int pf_socket = -1;

-static int
-get_pf_socket(void)
+int get_pf_socket(void)

{

int pf;
/* Ideally, this should be opened before dropping privs. */
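Review bot: the context comment `/* Ideally, this should be opened before dropping privs. */` is now stale, since the config.c part of this patch makes that the actual call site; reword it to state the contract instead, that the caller must invoke this once while still privileged and that the descriptor is then cached in the static `pf_socket` for later callers. Style: the original kept the return type on its own line (`static int` / `get_pf_socket(void)`), and the replacement `+int get_pf_socket(void)` collapses them, so keep `int` on its own line to match the surrounding code. Since the function is now exported, a doc comment on it saying it is not safe to call for the first time after privileges are dropped would document that process-wide state.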

Index: src/or/or.h
===================================================================
--- src/or/or.h (revision 16230)
+++ src/or/or.h (working copy)
@@ -2939,6 +2939,10 @@

} hostname_type_t;
hostname_type_t parse_extended_hostname(char *address);


+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+

/* connection_or.c */


void connection_or_remove_from_identity_map(or_connection_t *conn);
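Review bot: the prototype is guarded by `HAVE_NET_IF_H && HAVE_NET_PFVAR_H`, while the definition in connection_edge.c sits under `#ifdef TRANS_PF`; if those two conditions ever diverge, either config.c calls a declared function that was never compiled and the build fails at link time, or the early open is skipped and the first open of /dev/pf happens after privileges are dropped, which is exactly the bug this ticket fixes. Use one macro in all three places, for example declare and call under `TRANS_PF` and keep the HAVE_* test only where `TRANS_PF` is defined. A short comment on the declaration noting that it must be called before dropping privileges would also help, since that requirement is otherwise only visible in config.c.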

[Automatically added by flyspray2trac: Operating System: All]

Change History (3)

comment:1 Changed 11 years ago by nickm

Looks good to me. Applying to trunk.

comment:2 Changed 11 years ago by nickm

flyspray2trac: bug closed.

comment:3 Changed 7 years ago by nickm

Component: Tor Client → Tor