
Re: [tor-bugs] #8195 [Tor]: tor and capabilities



#8195: tor and capabilities
-----------------------------+--------------------------------
     Reporter:  weasel       |      Owner:
         Type:  enhancement  |     Status:  needs_revision
     Priority:  normal       |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor          |    Version:
   Resolution:               |   Keywords:  tor-relay security
Actual Points:               |  Parent ID:
       Points:               |
-----------------------------+--------------------------------

Comment (by dgoulet):

 Here is a "testing plan" to test capabilities in Tor.

 As far as it's been investigated, Tor seems to need the NET_BIND_SERVICE
 and CHOWN capabilities to work. Spawned pluggable transports could be an
 issue here with missing capabilities, but that would require individual
 testing with each supported PT.

 The needed test would require root privileges (UID = 0). The target here
 is to test each capability that we are interested in, before setting it
 and after, to ensure that it has been applied correctly.

 Furthermore, for setuid(), Tor briefly needs the SETUID/SETGID
 capabilities, thus this must also be tested with the current
 implementation.

 *) List capabilities
   1) List default capabilities and keep aside the list.
   2) Set capabilities PRE setuid()
   3) Match capabilities by listing the three sets (Effective, Permitted
 and Inheritable) and make sure we only have what's been set prior in the
 PRE step vis-a-vis the default cap. list.
   4) Set capabilities POST setuid()
   5) Match capabilities by listing the three sets (Effective, Permitted
 and Inheritable) and make sure we only have what's been set prior in the
 POST step vis-a-vis the default cap. list.

 *) Bind privileged port with an unprivileged user.
   1) Use bind() and make sure we are *unable* to do it expecting an EPERM.
   2) Set capabilities PRE setuid()
   3) setuid() to unpriv. user.
   4) Set capabilities POST setuid()
   5) Bind to privileged port and expect SUCCESS.

 *) Chown file
   1) Create 2 temporary files (A and B) with root:root and 660
   2) Try to chown the A file to user:root, expect SUCCESS
   3) Set capabilities PRE setuid()
   4) setuid() to unpriv. user.
   5) Set capabilities POST setuid()
   6) Chown the B file to user:root expect EPERM
   7) Chown the A file to user:user, expect SUCCESS
 (This capability needs to be confirmed if really needed.)

 *) Setuid
   1) Set PRE setuid() capabilities
   2) Setuid() to unpriv user, expect SUCCESS
   3) Set POST setuid() capabilities
   4) Setuid() to unpriv *other* user, expect EPERM

 *) Inheritance of capabilities for PT
   1) Set Tor capabilities
   2) fork() + execve()
   3) List capabilities in the new process and make sure they match the
 expected ones, which should be NET_BIND_SERVICE and CHOWN for now.
   4) Do bind + chown test inside the new process (see tests above).

 *) Confirm that we don't have default capabilities enabled or some
 privileged ones.
   1) Create a fifo file (CAP_MKNOD). That should be enabled by default;
 expect SUCCESS.
   2) Create INET raw socket (CAP_NET_RAW), expect EPERM
   3) Set Tor capabilities
   4) Repeat fifo creation attempt, expect EPERM
   5) Repeat raw socket, expect EPERM.

 Quick draft for now on where I'm heading. Not sure yet how I can integrate
 that in the Tor tests repository, especially with root, but at least there
 is a basic plan now.

 Nothing final here so please improve and add ideas! :)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8195#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
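Steps 1, 3 and 5 of the "List capabilities" block above, written out as a standalone check. This is an added example, not code from the ticket or from Tor: it parses the CapInh/CapPrm/CapEff lines of /proc/self/status (the kernel's view of the three sets) and reports any bit outside the NET_BIND_SERVICE and CHOWN set the plan expects. The capability numbers are the standard Linux ones; TOR_EXPECTED_CAPS and the function names are this example's own.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Linux capability numbers (bit positions in the CapInh/CapPrm/CapEff masks). */
#define CAP_CHOWN            0
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_BIT(c)           (UINT64_C(1) << (c))
/* The set the plan expects Tor to keep after setuid() (this example's assumption). */
#define TOR_EXPECTED_CAPS    (CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_CHOWN))
struct capsets { uint64_t inh, prm, eff; };

/* Parse CapInh/CapPrm/CapEff from text in /proc/<pid>/status format; 1 if all three found. */
static int parse_capsets(const char *status, struct capsets *out) {
    int found = 0; const char *p = status;
    memset(out, 0, sizeof *out);
    while (p) {
        uint64_t v;
        if (sscanf(p, "CapInh: %" SCNx64, &v) == 1) { out->inh = v; found |= 1; }
        else if (sscanf(p, "CapPrm: %" SCNx64, &v) == 1) { out->prm = v; found |= 2; }
        else if (sscanf(p, "CapEff: %" SCNx64, &v) == 1) { out->eff = v; found |= 4; }
        p = strchr(p, '\n');
        if (p) p++;                        /* advance to the next line */
    }
    return found == 7;
}

/* Bits present in any of the three sets but absent from `expected`. Steps 3 and 5 of
 * "List capabilities" pass only when this is 0; UINT64_MAX means the text did not parse. */
static uint64_t unexpected_caps(const char *status, uint64_t expected) {
    struct capsets c;
    if (!parse_capsets(status, &c)) return UINT64_MAX;
    return (c.inh | c.prm | c.eff) & ~expected;
}

/* Same check on the calling process: run it after each "Set capabilities PRE/POST setuid()" step. */
static uint64_t own_unexpected_caps(uint64_t expected) {
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return UINT64_MAX;
    size_t n = fread(buf, 1, sizeof buf - 1, f); buf[n] = '\0'; fclose(f);
    return unexpected_caps(buf, expected);
}

int main(void) {
    uint64_t extra = own_unexpected_caps(TOR_EXPECTED_CAPS);
    printf("caps beyond NET_BIND_SERVICE|CHOWN: %016" PRIx64 "\n", extra);
    return extra == 0 ? 0 : 1;            /* non-zero exit = check failed */
}
```

A non-zero mask names the capabilities that should not have survived the step, so the same function also serves step 3 of the PT inheritance test when run inside the spawned process.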