
Re: [tor-bugs] #27334 [Core Tor/Tor]: RelaxDirModeCheck on ControlSocket still requires group to m



#27334: RelaxDirModeCheck on ControlSocket still requires group to m
--------------------------+----------------------------------
 Reporter:  a_p           |          Owner:  (none)
     Type:  defect        |         Status:  reopened
 Priority:  Medium        |      Milestone:  Tor: unspecified
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  easy, doc     |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+----------------------------------

Comment (by teor):

 Replying to [comment:2 a_p]:
 > Isn't that the point of RelaxDirModeCheck to give operators the freedom
 > to allow a group to access the control socket files (of all instances)?

 No, the point of RelaxDirModeCheck is to allow more than one *user* to
 access the control socket files.

 Normally, tor makes sure that the group has no permissions to the
 directory containing the tor socket.
 RelaxDirModeCheck allows the directory to be readable and searchable by
 the group as well.

 > Allowing admins to have the folder group-readable but forcing a specific
 > group makes it hard to authorize a single group to access the sockets of
 > all instances if every instance runs under a unique user/group.

 But you can add another user to the tor group.
 (If you give a single group access to all those directories, then all the
 tor users can access each others' directories. Also, some OSes require the
 user on a directory to be a member of the group on the directory.)

 Here's how RelaxDirModeCheck works:
 1. Create tor users U1, U2, ... with unique groups G1, G2, ...
 2. Create another user X that you want to have access to the control
 sockets
 3. Add X to G1, G2, ...

 We should update the man page to include these steps.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27334#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
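
An audit sketch for the layout teor describes above, added here as an example; it is not part of the original message and not tor's own code. The function names and finding labels are hypothetical, and treating group-write and any "other" access as findings is an assumption that goes beyond what the message states.

```python
import os
import stat
import tempfile

def audit_socket_dir(path, relax_dir_mode_check=False):
    """Return findings for the directory that holds a control socket."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    # Assumption: "other" never gets access, the group never gets write.
    if mode & stat.S_IRWXO:
        findings.append("other-access")
    if mode & stat.S_IWGRP:
        findings.append("group-write")
    # From the message: by default the group has no permissions at all;
    # RelaxDirModeCheck permits group read + search (r-x).
    if not relax_dir_mode_check and mode & (stat.S_IRGRP | stat.S_IXGRP):
        findings.append("group-read-needs-relax")
    return findings

def missing_memberships(groups_of_x, instance_groups):
    """Step 3: groups G1, G2, ... that user X has not been added to."""
    return sorted(set(instance_groups) - set(groups_of_x))

def demo():
    """Audit constructed directories, with and without the relaxed check."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for mode in (0o700, 0o750, 0o770, 0o755):
            d = os.path.join(tmp, format(mode, "o"))
            os.mkdir(d)
            os.chmod(d, mode)  # set explicitly so umask does not interfere
            results[mode] = (audit_socket_dir(d, False),
                             audit_socket_dir(d, True))
    return results

if __name__ == "__main__":
    for mode, (strict, relaxed) in demo().items():
        print(format(mode, "04o"), "default:", strict, "relaxed:", relaxed)
    # Constructed membership data: X is in G1 only, instances use G1..G3.
    print("X still needs:", missing_memberships(["G1"], ["G1", "G2", "G3"]))
```
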