
Re: [tor-bugs] #8195 [Tor]: tor and capabilities



#8195: tor and capabilities
-----------------------------+--------------------------------
     Reporter:  weasel       |      Owner:
         Type:  enhancement  |     Status:  needs_revision
     Priority:  normal       |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-relay security
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------

Comment (by dgoulet):

 Hrm, so from what I've seen Tor can chown() files *after* the boot time
 process. When the process goes to an unprivileged UID, the chown should
 only work on UID/GID it *owns* (behavior of chown(2)), thus the chown of
 /etc/shadow would be EPERM.

 But now you've planted the "seed of doubt" in my head so I've looked in the
 Linux kernel and the check is actually done like this (fs/attr.c +49):


 {{{
     /* Make sure a caller can chown. */
     if ((ia_valid & ATTR_UID) &&
         (!uid_eq(current_fsuid(), inode->i_uid) ||
          !uid_eq(attr->ia_uid, inode->i_uid)) &&
         !inode_capable(inode, CAP_CHOWN))
         return -EPERM;
 }}}

 Thus the check is done against the capability and the current UID with the
 file UID we are trying to change. I'll make a test just to be *sure* that
 I'm correct here unless I'm not completely wrong. In any case, the test will
 tell us.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8195#comment:14>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online