[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] Could tor drop privileges even earlier? (before trying to access anything on the filesystem beyond its torrc files)



Fedora/CentOS starts the tor service as root and drops
privileges to user 'toranon' due to the torrc 'User' parameter by default.

Also by default the tor service runs in a SELinux confined domain (tor_t). That means 
root in that domain can NOT access just any files regardless
of DAC filesystem permissions (DAC_OVERRIDE is not granted by default). 

Which results in the situation that during startup (before privileges
are dropped and user is switched to 'toranon') tor can not access
the hiddenservicedir without allowing DAC_OVERRIDE or changing filesystem permissions, 
but it could if at that point privileges were already switched to the user specified in the torrc file.


From my point of view the nicest solution would be if tor drops
privileges before it accesses anything on the filesystem - 
which would solve above problem. Would that introduce other problems?

Is there a specific reason why tor drops privileges later?

(this is about running tor and tor in --verify-config mode)


context:
https://bugzilla.redhat.com/show_bug.cgi?id=1602171 
(I consider this problem solved via the workaround but
I'm still interested in the above question)

-- 
https://twitter.com/nusenu_
https://mastodon.social/@nusenu

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev