[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-bugs] #32756 [Core Tor/Tor]: SocksPolicy has no way to refer to AF_UNIX sockets



#32756: SocksPolicy has no way to refer to AF_UNIX sockets
------------------------------+--------------------
     Reporter:  arma          |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------
 Imagine you set your torrc to say
 {{{
 SOCKSPort 0.0.0.0:9050 PreferSOCKSNoAuth IsolateSOCKSAuth
 KeepAliveIsolateSOCKSAuth IsolateClientAddr IPv6Traffic CacheDNS
 CacheIPv4DNS UseIPv4Cache UseDNSCache
 +SOCKSPort unix:/run/tor/socks GroupWritable WorldWritable
 RelaxDirModeCheck CacheDNS CacheIPv4DNS UseIPv4Cache UseDNSCache
 SOCKSPolicy accept 10.0.0.0/8
 SOCKSPolicy accept 127.0.0.0/8
 SOCKSPolicy accept 169.254.0.0/16
 SOCKSPolicy accept 172.0.0.0/8
 SOCKSPolicy accept 192.168.0.0/8
 SOCKSPolicy accept 192.168.192.0/24
 SOCKSPolicy reject *
 }}}

 and then you try to make a connection to your local socks socket. You'll
 get
 {{{
 [notice] {APP} Denying socks connection from untrusted address AF_UNIX.
 }}}

 I think that happens because of the final "reject *" item in the
 sockspolicy.

 How should this person write "and I want to allow connections to the socks
 socket too" in their sockspolicy?

 A workaround in the meantime was to write "SocksPolicy reject *4" at the
 end rather than *. But it seems like being able to explicitly refer to
 AF_UNIX would be a good feature to have. Maybe "SocksPolicy accept unix"
 is the right syntax?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32756>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs