
[tor-dev] Tor can't read HiddenServicePort unix socket through group permissions when starting as root and using setgid?
Permissions are set so tor should be able to access through the `postfix-test-queue` user:

$ sudo ls -l /var/spool/postfix-test/public/smtpd
srw-rw-rw- 1 postfix-test postfix-test 0 █████ /var/spool/postfix-test/public/smtpd
$ sudo ls -l /var/spool/postfix-test
# ...
drwx--x---  2 postfix-test postfix-test-queue 4096 █████ public
$ sudo -u _tor-test id
uid=130(_tor-test) gid=141(_tor-test) groups=141(_tor-test),1006(postfix-test-queue)
$ cat /etc/tor/instances/test/torrc | grep HiddenServicePort
HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd
$ cat /run/tor-instances/test.defaults | grep User
User _tor-test

Running `tor@test` via the default systemctl config shows:

$ ps -ax -o uid,gid,supgid,command | grep /usr/bin/tor
  130   141 141                  /usr/bin/tor --defaults-torrc /run/tor-instances/test.defaults -f /etc/tor/instances/test/torrc

Which is missing the `postfix-test-queue` (`1006`) user, which for example shows up if I do:

$ sudo -u _tor-test sleep 1000 & ps -ax -o uid,gid,supgid,command | grep sleep
[1] 132314
    0   141 141,1006             sudo -u _tor-test sleep 1000

Connecting using `sudo -u` works (the message indicates successful connection):

$ sudo -u _tor-test curl --unix-socket /var/spool/postfix-test/public/smtpd http://localhost
curl: (1) Received HTTP/0.9 when not allowed

But connecting via tor does not:

$ torsocks --ipv6 curl http://█████.onion:25
█████ ERROR torsocks[134873]: Host unreachable (in socks5_recv_connect_reply() at socks5.c:539)
curl: (7) Couldn't connect to server

But does if I allow access to the socket to everyone:

$ sudo chmod "o+x" /var/spool/postfix-test/public/
$ torsocks --ipv6 curl http://█████.onion:25
curl: (1) Received HTTP/0.9 when not allowed

Tor's relevant source code: lib/process/setuid.c
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
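An added example (not from the post or from Tor's source) that models the discretionary access check the kernel applies when the tor process connect()s to that socket: search permission on every directory, write permission on the socket inode, with the owner/group/other class chosen from uid, primary gid and supplementary gids. It runs the three situations from the post (groups dropped, groups kept, `o+x` on `public`). The uid/gid 1005 for `postfix-test` and the 0o755 modes of the parent directories are assumptions; only `public` (0710, group 1006) and `smtpd` (0666) come from the post.

```python
# Added example: Unix DAC model over the path from the post. Constructed
# values: uid/gid 1005 for postfix-test and 0o755 for the parent directories.
from dataclasses import dataclass

R, W, X = 4, 2, 1  # permission bits within one class

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int                 # primary gid
    groups: frozenset        # supplementary gids

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int                # permission bits only, e.g. 0o710

def may_access(node: Inode, cred: Cred, want: int) -> bool:
    """Classic Unix DAC for a non-root process: exactly one class applies."""
    if node.uid == cred.uid:
        shift = 6                                   # owner class
    elif node.gid == cred.gid or node.gid in cred.groups:
        shift = 3                                   # group class
    else:
        shift = 0                                   # other class
    return ((node.mode >> shift) & want) == want

def can_connect(path: list, cred: Cred) -> bool:
    """connect() on a unix socket needs x on each directory and w on the socket."""
    *dirs, sock = path
    return all(may_access(d, cred, X) for d in dirs) and may_access(sock, cred, W)

POSTFIX, QUEUE, TOR_UID, TOR_GID = 1005, 1006, 130, 141   # 1005 is constructed

def socket_path(public_mode: int) -> list:
    return [Inode(0, 0, 0o755),                     # /var                   (assumed)
            Inode(0, 0, 0o755),                     # /var/spool             (assumed)
            Inode(POSTFIX, POSTFIX, 0o755),         # /var/spool/postfix-test (assumed)
            Inode(POSTFIX, QUEUE, public_mode),     # public: drwx--x--- from the post
            Inode(POSTFIX, POSTFIX, 0o666)]         # smtpd:  srw-rw-rw- from the post

def scenarios() -> dict:
    as_run = Cred(TOR_UID, TOR_GID, frozenset())             # supgid 141 only (ps output)
    with_groups = Cred(TOR_UID, TOR_GID, frozenset({QUEUE})) # 141,1006 as under sudo -u
    return {"tor as started (groups dropped)": can_connect(socket_path(0o710), as_run),
            "tor with postfix-test-queue kept": can_connect(socket_path(0o710), with_groups),
            "groups dropped, after chmod o+x": can_connect(socket_path(0o711), as_run)}
```

Only the second and third cases pass, which matches the connect failure in the post and its disappearance after `chmod o+x`.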