[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/release-0.2.5] Restore functionality for CookieAuthFileGroupReadable.
commit 0808ed83f9cf312abe229d0956f0b0132a79962d
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Fri Aug 15 08:30:44 2014 -0400
Restore functionality for CookieAuthFileGroupReadable.
When we merged the cookieauthfile creation logic in 33c3e60a37, we
accidentally took out this feature. Fixes bug 12864, bugfix on
0.2.5.1-alpha.
Also adds an ExtORPortCookieAuthFileGroupReadable, since there's no
reason not to.
---
changes/bug12864 | 7 +++++++
doc/tor.1.txt | 7 +++++++
src/or/config.c | 11 ++++++++++-
src/or/config.h | 2 +-
src/or/control.c | 1 +
src/or/ext_orport.c | 1 +
src/or/or.h | 2 ++
7 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/changes/bug12864 b/changes/bug12864
new file mode 100644
index 0000000..79e751f
--- /dev/null
+++ b/changes/bug12864
@@ -0,0 +1,7 @@
+ o Minor bugfixes:
+ - Restore the functionality of CookieAuthFileGroupReadable. Fixes bug
+ 12864; bugfix on 0.2.5.1-alpha.
+
+ o Minor features:
+ - Add an ExtORPortCookieAuthFileGroupReadable option to make the
+ cookie file for the ExtORPort g+r by default.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 93d302e..a85bc34 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -224,6 +224,13 @@ GENERAL OPTIONS
for the Extended ORPort's cookie file -- the cookie file is needed
for pluggable transports to communicate through the Extended ORPort.
+[[ExtORPortCookieAuthFileGroupReadable]] **ExtORPortCookieAuthFileGroupReadable** **0**|**1**::
+ If this option is set to 0, don't allow the filesystem group to read the
+ Extende OR Port cookie file. If the option is set to 1, make the cookie
+ file readable by the default GID. [Making the file readable by other
+ groups is not yet implemented; let us know if you need this for some
+ reason.] (Default: 0)
+
[[ConnLimit]] **ConnLimit** __NUM__::
The minimum number of file descriptors that must be available to the Tor
process before it will start. Tor will ask the OS for as many file
diff --git a/src/or/config.c b/src/or/config.c
index 2661ce3..20fde3b 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -238,6 +238,7 @@ static config_var_t option_vars_[] = {
V(ExtendAllowPrivateAddresses, BOOL, "0"),
VPORT(ExtORPort, LINELIST, NULL),
V(ExtORPortCookieAuthFile, STRING, NULL),
+ V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"),
V(ExtraInfoStatistics, BOOL, "1"),
V(FallbackDir, LINELIST, NULL),
@@ -6828,7 +6829,7 @@ config_maybe_load_geoip_files_(const or_options_t *options,
* <b>cookie_is_set_out</b> to True. */
int
init_cookie_authentication(const char *fname, const char *header,
- int cookie_len,
+ int cookie_len, int group_readable,
uint8_t **cookie_out, int *cookie_is_set_out)
{
char cookie_file_str_len = strlen(header) + cookie_len;
@@ -6861,6 +6862,14 @@ init_cookie_authentication(const char *fname, const char *header,
goto done;
}
+#ifndef _WIN32
+ if (group_readable) {
+ if (chmod(fname, 0640)) {
+ log_warn(LD_FS,"Unable to make %s group-readable.", escaped(fname));
+ }
+ }
+#endif
+
/* Success! */
log_info(LD_GENERAL, "Generated auth cookie file in '%s'.", escaped(fname));
*cookie_is_set_out = 1;
diff --git a/src/or/config.h b/src/or/config.h
index bf38613..8a1919c 100644
--- a/src/or/config.h
+++ b/src/or/config.h
@@ -97,7 +97,7 @@ uint32_t get_effective_bwburst(const or_options_t *options);
char *get_transport_bindaddr_from_config(const char *transport);
int init_cookie_authentication(const char *fname, const char *header,
- int cookie_len,
+ int cookie_len, int group_readable,
uint8_t **cookie_out, int *cookie_is_set_out);
or_options_t *options_new(void);
diff --git a/src/or/control.c b/src/or/control.c
index 9285fc5..ec63506 100644
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -4666,6 +4666,7 @@ init_control_cookie_authentication(int enabled)
fname = get_controller_cookie_file_name();
retval = init_cookie_authentication(fname, "", /* no header */
AUTHENTICATION_COOKIE_LEN,
+ get_options()->CookieAuthFileGroupReadable,
&authentication_cookie,
&authentication_cookie_is_set);
tor_free(fname);
diff --git a/src/or/ext_orport.c b/src/or/ext_orport.c
index 0d28a91..9b550ee 100644
--- a/src/or/ext_orport.c
+++ b/src/or/ext_orport.c
@@ -143,6 +143,7 @@ init_ext_or_cookie_authentication(int is_enabled)
fname = get_ext_or_auth_cookie_file_name();
retval = init_cookie_authentication(fname, EXT_OR_PORT_AUTH_COOKIE_HEADER,
EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN,
+ get_options()->ExtORPortCookieAuthFileGroupReadable,
&ext_or_auth_cookie,
&ext_or_auth_cookie_is_set);
tor_free(fname);
diff --git a/src/or/or.h b/src/or/or.h
index 131bce3..0f1457f 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3801,6 +3801,8 @@ typedef struct {
char *ExtORPortCookieAuthFile; /**< Filesystem location of Extended
* ORPort authentication cookie. */
int CookieAuthFileGroupReadable; /**< Boolean: Is the CookieAuthFile g+r? */
+ int ExtORPortCookieAuthFileGroupReadable; /**< Boolean: Is the
+ * ExtORPortCookieAuthFile g+r? */
int LeaveStreamsUnattached; /**< Boolean: Does Tor attach new streams to
* circuits itself (0), or does it expect a controller
* to cope? (1) */
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits