Permissions are set so tor should be able to access through the 
`postfix-test-queue` user:

> $ sudo ls -l /var/spool/postfix-test/public/smtpd
> srw-rw-rw- 1 postfix-test postfix-test 0 █████ 
> /var/spool/postfix-test/public/smtpd
> $ sudo ls -l /var/spool/postfix-test
> # ...
> drwx--x--- 2 postfix-test postfix-test-queue 4096 █████ public
> $ sudo -u _tor-test id
> uid=130(_tor-test) gid=141(_tor-test) 
> groups=141(_tor-test),1006(postfix-test-queue)
> $ cat /etc/tor/instances/test/torrc | grep HiddenServicePort
> HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd
> $ cat /run/tor-instances/test.defaults | grep User
> User _tor-test

Running `tor@test` via the default systemctl config shows:

> $ ps -ax -o uid,gid,supgid,command | grep /usr/bin/tor
> 130 141 141 /usr/bin/tor --defaults-torrc /run/tor-instances/test.defaults -f 
> /etc/tor/instances/test/torrc

Which is missing the `postfix-test-queue` `1006` user which, for example, shows
up if I do:

> $ sudo -u _tor-test sleep 1000 & ps -ax -o uid,gid,supgid,command | grep sleep
> [1] 132314
> 0 141 141,1006 sudo -u _tor-test sleep 1000

Connecting using `sudo -u` works (the message indicates successful connection):

> $ sudo -u _tor-test curl --unix-socket /var/spool/postfix-test/public/smtpd 
> http://localhost
> curl: (1) Received HTTP/0.9 when not allowed

But connecting via tor does not:

> $ torsocks --ipv6 curl http://█████.onion:25
> █████ ERROR torsocks[134873]: Host unreachable (in 
> socks5_recv_connect_reply() at socks5.c:539)
> curl: (7) Couldn't connect to server

But it does if I allow access to the socket to everyone:

> $ sudo chmod "o+x" /var/spool/postfix-test/public/
> $ torsocks --ipv6 curl http://█████.onion:25
> curl: (1) Received HTTP/0.9 when not allowed

Tor's relevant source code: [Tor: lib/process/setuid.c Source File](https://tpo.pages.torproject.net/core/doc/tor/setuid_8c_source.html)
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
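The post's evidence points at a credential difference rather than a mode on the socket itself: under systemd the `tor` process has only its primary gid (`supgid` column `141`), while `sudo -u _tor-test` carries the supplementary group `1006`, and `public` is `drwx--x---` owned by group `postfix-test-queue`. The script below is an added example, not code from the post or from Tor's `setuid.c`: it applies the kernel's owner/group/other selection to every component of a socket path for a given uid and group set, so the effect of a dropped supplementary group can be reproduced without root or a live Tor instance. The numeric ids of `postfix-test` (120) and the modes of `/var`, `/var/spool` and `/var/spool/postfix-test` are not in the post and are placeholders; `public` and `smtpd` use the modes shown in the `ls -l` output.

```python
"""Which credentials can connect() to a Unix socket path?

Added example (not from the tor-dev post or Tor's setuid.c).  For each path
component the kernel picks exactly one permission class: owner if the uid
matches, else group if the file's gid is the caller's primary gid or one of
its supplementary gids, else other.  Directories need search (x); the socket
itself needs write, which is what connect() on an AF_UNIX path checks.
"""
import os
import stat
from typing import Iterable, List, Optional, Set, Tuple

# One path component: (name, st_mode including type bits, owner uid, owner gid).
Entry = Tuple[str, int, int, int]

TOR_TEST_UID, TOR_TEST_GID = 130, 141      # from `sudo -u _tor-test id` in the post
POSTFIX_TEST_QUEUE_GID = 1006              # from the same output
POSTFIX_TEST_UID = POSTFIX_TEST_GID = 120  # assumed placeholder, not in the post

# Constructed tree mirroring the post's listings (top three modes are assumed).
SAMPLE_TREE: List[Entry] = [
    ("/var",         stat.S_IFDIR | 0o755, 0, 0),
    ("spool",        stat.S_IFDIR | 0o755, 0, 0),
    ("postfix-test", stat.S_IFDIR | 0o755, 0, 0),
    ("public",       stat.S_IFDIR | 0o710, POSTFIX_TEST_UID, POSTFIX_TEST_QUEUE_GID),  # drwx--x---
    ("smtpd",        stat.S_IFSOCK | 0o666, POSTFIX_TEST_UID, POSTFIX_TEST_GID),       # srw-rw-rw-
]


def class_bits(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Set[int]) -> int:
    """Return the rwx triple that applies to the caller.  There is no fallback
    from a restrictive owner/group match to a more permissive class.  Root is
    treated as all-permissive (CAP_DAC_OVERRIDE covers dir search and socket write)."""
    if uid == 0:
        return 0o7
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def check_reach(tree: List[Entry], uid: int, gids: Iterable[int]) -> Optional[str]:
    """Return None if (uid, gids) can connect() to the socket at the end of
    `tree`, otherwise the path of the first component that denies access."""
    gids = set(gids)
    path = ""
    for name, mode, owner_uid, owner_gid in tree:
        path = os.path.join(path, name) if path else name
        bits = class_bits(mode, owner_uid, owner_gid, uid, gids)
        if stat.S_ISDIR(mode):
            if not bits & 0o1:       # search permission on every directory
                return path
        elif not bits & 0o2:         # write permission on the socket
            return path
    return None


def with_other_exec(tree: List[Entry], name: str) -> List[Entry]:
    """Copy of `tree` after `chmod o+x` on the component called `name`
    (the workaround tried in the post, which opens the directory to everyone)."""
    return [(n, m | (0o001 if n == name else 0), u, g) for n, m, u, g in tree]


def parse_ps_line(line: str) -> Tuple[int, Set[int]]:
    """Parse one line of `ps -o uid,gid,supgid,command` into (uid, all gids)."""
    uid, gid, supgid = line.split(None, 3)[:3]
    return int(uid), {int(gid)} | {int(g) for g in supgid.split(",") if g.isdigit()}


def live_tree(path: str) -> List[Entry]:
    """Build a tree from the real filesystem with os.stat (every component must
    be stat-able by the caller; run as root for a Postfix queue directory)."""
    entries: List[Entry] = []
    cur = ""
    for part in os.path.abspath(path).split(os.sep)[1:]:
        cur = os.path.join(cur or os.sep, part)
        st = os.stat(cur)
        entries.append((cur if not entries else part, st.st_mode, st.st_uid, st.st_gid))
    return entries


if __name__ == "__main__":
    # Constructed from the `ps` line in the post: primary gid only, no 1006.
    uid, gids = parse_ps_line("130 141 141 /usr/bin/tor --defaults-torrc /run/tor-instances/test.defaults")
    print("tor@test under systemd:", check_reach(SAMPLE_TREE, uid, gids))
    print("sudo -u _tor-test:     ", check_reach(SAMPLE_TREE, uid, gids | {POSTFIX_TEST_QUEUE_GID}))
    print("after chmod o+x public:", check_reach(with_other_exec(SAMPLE_TREE, "public"), uid, gids))
```

Run against the sample tree, the systemd credentials are denied at `/var/spool/postfix-test/public` while the `sudo` credentials (which include gid 1006) and the `chmod o+x` variant both succeed, matching the three outcomes in the post. `live_tree()` lets the same check be run against a real path once the process's uid and group set are read from `ps`; comparing that with the `supgid` column is a quicker diagnosis than toggling directory modes, and avoids leaving the queue directory world-searchable.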