Package: tor
Version: 0.2.6.10-1

I tried to use this option:
        SocksPort unix:/var/run/tor-socks
(And also one in a directory owned by the Tor user with mode 0755.)

But Tor refuses to create the socket:
        [warn] Before Tor can create a SOCKS socket in "/var/run/tor-socks",
        the directory "/var/run" needs to exist, and to be accessible only
        by the user and group account that is running Tor.  (On some Unix
        systems, anybody who can list a socket can connect to it, so Tor is
        being careful.)

The point of the socket was to allow access by other users.  I don't see
a reason to restrict Unix SOCKS ports this way, since the TCP ports are
already accessible by all.  The Unix port could be more secure, because
Tor could get the uid of the client and enforce isolation between users.
This seems like a leftover ControlSocket restriction.

- Michael


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages tor depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.23
ii  libc6                2.19-19
ii  libevent-2.0-5       2.0.21-stable-2
ii  libseccomp2          2.2.3-1
ii  libssl1.0.0          1.0.2d-1
ii  libsystemd0          224-2
ii  lsb-base             4.1+Debian14
ii  zlib1g               1:1.2.8.dfsg-2+b1

Versions of packages tor recommends:
ii  logrotate    3.8.7-2
ii  tor-geoipdb  0.2.6.10-1
ii  torsocks     2.1.0-1

Versions of packages tor suggests:
pn  apparmor-utils       <none>
pn  mixmaster            <none>
ii  obfs4proxy           0.0.5-2
ii  obfsproxy            0.2.13-1
ii  socat                1.7.3.0-1
ii  tor-arm              1.4.5.0-1.1
ii  torbrowser-launcher  0.2.0-2

-- Configuration Files:
/etc/tor/torrc changed:
SocksPort 127.0.0.1:900 SessionGroup=900
SocksPort 127.0.0.1:901 SessionGroup=901
SocksPort 127.0.0.1:902 SessionGroup=902
SocksPort 127.0.0.1:903 SessionGroup=903
SocksPort 127.0.0.1:904 SessionGroup=904
SocksPort 127.0.0.1:905 SessionGroup=905
SocksPort 127.0.0.1:906 SessionGroup=906
SocksPort 127.0.0.1:907 SessionGroup=907
SocksPort 127.0.0.1:908 SessionGroup=908
SocksPort 127.0.0.1:909 SessionGroup=909
SocksPolicy accept 74.116.186.120/29
SocksPolicy accept 172.23.0.0/18
SocksPolicy accept 127.0.0.1/32
SocksPolicy reject *
HiddenServiceDir /var/lib/tor/hidden-ssh/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient basic terra-mgold
ORPort 443
ORPort 143               # imap
ORPort 3690 NoAdvertise  # subversion
ORPort 8001 NoAdvertise
ORPort 389 NoAdvertise   # ldap
Address 74.116.186.120
Nickname terra
RelayBandwidthRate 75 KBytes
RelayBandwidthBurst 95 KBytes
ContactInfo 4096R/BA8239D3BD1DE48C
ExitPolicy reject *:* # no exits allowed


-- no debconf information
