[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Patch to authenticate by uid/gid on ControlSocket
- To: or-dev@xxxxxxxxxxxxx
- Subject: Re: Patch to authenticate by uid/gid on ControlSocket
- From: John Brooks <special@xxxxxxxxxxxxxxxx>
- Date: Sun, 1 Mar 2009 10:47:03 -0700
- Cc: or-dev@xxxxxxxx
- Delivered-to: archiver@xxxxxxxx
- Delivered-to: or-dev-outgoing@xxxxxxxx
- Delivered-to: or-dev@xxxxxxxx
- Delivery-date: Sun, 01 Mar 2009 12:47:06 -0500
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type; bh=lBn34bFiWhdOEr6lh27wcVRbU/OanNQHNW5Yo0vtKcc=; b=EykghwkcjuzAEt7Fud4UtScGYu9vZ3FGS8+AZbn57gYGikK1kwjioA7q3BdW+LMzXG U6AM/Ne+7W+oKRzulZjszc/nlOybqLTjXnqTxKKoCPrLa0gv2IjDpWVgR8ECzSQ98SFT jIe2X1WQhsvsGBV+8AKvDlw3GV/SLS5jJybOs=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=X3mFS1umHN7xH8x2WdasZFsBuch6VvAGSkZd+XS83BjvX+3Ud+MgVfaooCLLm/vF+f Lv+jB1cqhYnr5obWn5TrYmZLs+eQOBZXi0R6M5nf1qPTasVHn7Z6avcvk36T5hfKjH3m UZ8+bPAZ+ZQZ/Rw1pu+dogvb0/FQwvVkOdbas=
- In-reply-to: <20090301103709.GA4894@xxxxxxxxxxxxxxxxxx>
- References: <20090301103709.GA4894@xxxxxxxxxxxxxxxxxx>
- Reply-to: or-dev@xxxxxxxxxxxxx
- Sender: owner-or-dev@xxxxxxxxxxxxx
Great idea! This should simplify things quite a lot when using control connections.
I'm surprised fchmod doesn't work, but I don't think using chmod() would be a problem here. Another user very likely wouldn't have the permissions to replace the socket file, and if they did, the chmod() call would then fail as the tor user would not own the new file. If they were already running as the tor user, they could do all sorts of other things and make it really a moot point anyway. I don't see a way that another user could bother tor using that race condition.
- John Brooks
On Sun, Mar 1, 2009 at 3:37 AM, Michael Gold
<torlists@xxxxxxxxxxxxx> wrote:
Hi all,
The attached patch allows tor (0.2.0.34) to automatically authenticate
the client of a Unix-domain control socket, by asking the kernel for the
uid and gid of the remote user. There are still some unresolved issues,
but feedback would be appreciated.
Unauthenticated connections on Unix-domain sockets are now disabled,
even if no authentication is configured; however, tor will always accept
control connections if the client has the same uid and gid as the server
(regardless of authentication settings). The new config file parameters
"ControlAllowUsers" and "ControlAllowGroups" can be used to allow other
users. Each takes a comma-separated list of user/group names; for
groups, any member of a group (as determined by /etc/group) is accepted.
This is similar to the AllowUsers/AllowGroups settings in openssh.
The problem I've run into is that the listener socket permissions are
affected by the umask, and Linux won't let users without write
permission connect (apparently other systems ignore the permissions).
The obvious solution of fchmod(fd, 0777) has no effect; other possible
solutions are:
- Use chmod; this would be vulnerable to a race condition if another
user could delete and replace the socket before the chmod, but it
should be okay if there's a warning in the documentation.
- Change the umask temporarily; this would affect all threads, so it's
only an option if filesystem operations are restricted to one thread.
Any suggestions?
So far this patch has only been tested on Linux, but it seems to work
fine after manually fixing the socket permissions. Testing on other
Unix-like systems would be helpful, if anyone's interested (run
autoreconf before building it).
-- Michael
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAkmqZVQACgkQ+RZl+46r4TdNzgCfdu6TvbQyrNfMWeijKJRpUXjn
1bsAnjPj89471DOj3ho1XF2Fui8YZXP1
=0EF0
-----END PGP SIGNATURE-----