Debian Bug report logs - #797341
tor: refuses to create AF_LOCAL SOCKS sockets accessible by other users
Report forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#797341; Package tor. (Sat, 29 Aug 2015 17:27:05 GMT)
Acknowledgement sent to Michael Gold <michael@bitplane.org>: New Bug report received and forwarded. Copy sent to Peter Palfrader <weasel@debian.org>. (Sat, 29 Aug 2015 17:27:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: tor
Version: 0.2.6.10-1
I tried to use this option:
SocksPort unix:/var/run/tor-socks
(And also one in a directory owned by the Tor user with mode 0755.)
But Tor refuses to create the socket:
[warn] Before Tor can create a SOCKS socket in "/var/run/tor-socks",
the directory "/var/run" needs to exist, and to be accessible only
by the user and group account that is running Tor. (On some Unix
systems, anybody who can list a socket can connect to it, so Tor is
being careful.)
The point of the socket was to allow access by other users. I don't see
a reason to restrict Unix SOCKS ports this way, since the TCP ports are
already accessible by all. The Unix port could be more secure, because
Tor could get the uid of the client and enforce isolation between users.
This seems like a leftover ControlSocket restriction.
- Michael
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64
Kernel: Linux 4.1.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages tor depends on:
ii adduser 3.113+nmu3
ii init-system-helpers 1.23
ii libc6 2.19-19
ii libevent-2.0-5 2.0.21-stable-2
ii libseccomp2 2.2.3-1
ii libssl1.0.0 1.0.2d-1
ii libsystemd0 224-2
ii lsb-base 4.1+Debian14
ii zlib1g 1:1.2.8.dfsg-2+b1
Versions of packages tor recommends:
ii logrotate 3.8.7-2
ii tor-geoipdb 0.2.6.10-1
ii torsocks 2.1.0-1
Versions of packages tor suggests:
pn apparmor-utils <none>
pn mixmaster <none>
ii obfs4proxy 0.0.5-2
ii obfsproxy 0.2.13-1
ii socat 1.7.3.0-1
ii tor-arm 1.4.5.0-1.1
ii torbrowser-launcher 0.2.0-2
-- Configuration Files:
/etc/tor/torrc changed:
SocksPort 127.0.0.1:900 SessionGroup=900
SocksPort 127.0.0.1:901 SessionGroup=901
SocksPort 127.0.0.1:902 SessionGroup=902
SocksPort 127.0.0.1:903 SessionGroup=903
SocksPort 127.0.0.1:904 SessionGroup=904
SocksPort 127.0.0.1:905 SessionGroup=905
SocksPort 127.0.0.1:906 SessionGroup=906
SocksPort 127.0.0.1:907 SessionGroup=907
SocksPort 127.0.0.1:908 SessionGroup=908
SocksPort 127.0.0.1:909 SessionGroup=909
SocksPolicy accept 74.116.186.120/29
SocksPolicy accept 172.23.0.0/18
SocksPolicy accept 127.0.0.1/32
SocksPolicy reject *
HiddenServiceDir /var/lib/tor/hidden-ssh/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient basic terra-mgold
ORPort 443
ORPort 143 # imap
ORPort 3690 NoAdvertise # subversion
ORPort 8001 NoAdvertise
ORPort 389 NoAdvertise # ldap
Address 74.116.186.120
Nickname terra
RelayBandwidthRate 75 KBytes
RelayBandwidthBurst 95 KBytes
ContactInfo 4096R/BA8239D3BD1DE48C
ExitPolicy reject *:* # no exits allowed
-- no debconf information
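The warning above states the rule but does not show it. The following is an added example (Python, not Tor's own code) that reimplements that rule against a few constructed directories, so you can see why a root-owned /var/run and a Tor-owned 0755 directory both fail the default check, and which of the per-socket GroupWritable / WorldWritable options (added in Tor 0.2.7.2) would be needed for each layout. The exact mode bits Tor tolerates under those two options are an assumption here, modelled on the warning text rather than read from Tor's source.

```python
"""Check whether a unix-domain SocksPort path satisfies the rule in Tor's
warning: the parent directory must exist, be owned by the account running
Tor, and not be accessible to other users unless the operator has declared
the socket GroupWritable or WorldWritable (per-socket options Tor added in
0.2.7.2). Added example, not Tor's own check; the exact mode bits Tor
tolerates under each option are an assumption modelled on the warning text.
"""
import os
import stat
import tempfile


def check_socket_location(socket_path, tor_uid, group_writable=False, world_writable=False):
    """Return (ok, reason) for the directory that will hold socket_path."""
    parent = os.path.dirname(os.path.abspath(socket_path)) or "/"
    try:
        st = os.stat(parent)
    except FileNotFoundError:
        return False, f"{parent} does not exist"
    if not stat.S_ISDIR(st.st_mode):
        return False, f"{parent} is not a directory"
    if st.st_uid != tor_uid:
        return False, f"{parent} is owned by uid {st.st_uid}, not Tor's uid {tor_uid}"
    mode = stat.S_IMODE(st.st_mode)
    if world_writable:
        # The operator has said any local user may reach the socket, so a
        # directory others can traverse (e.g. 0755) is accepted (assumption).
        return True, "ok (WorldWritable)"
    if group_writable:
        # Group members may reach the socket; 'other' must still have no bits (assumption).
        if mode & stat.S_IRWXO:
            return False, f"{parent} is reachable by others (mode {mode:04o}); 0750 or tighter expected"
        return True, "ok (GroupWritable)"
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return False, f"{parent} is reachable by group or others (mode {mode:04o}); 0700 expected"
    return True, "ok"


def demo():
    """Constructed sample: three directories under a temp dir, owned by the
    current user (standing in for the Tor account), checked under each option."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name, mode in (("private-0700", 0o700), ("shared-0755", 0o755), ("group-0750", 0o750)):
            d = os.path.join(base, name)
            os.mkdir(d)
            os.chmod(d, mode)  # chmod after mkdir so the umask cannot widen or narrow it
            sock = os.path.join(d, "tor-socks")
            results[name] = {
                "default": check_socket_location(sock, me)[0],
                "GroupWritable": check_socket_location(sock, me, group_writable=True)[0],
                "WorldWritable": check_socket_location(sock, me, world_writable=True)[0],
            }
    # The path from the bug report: /var/run is normally root-owned 0755, so the
    # default check fails on ownership (or on mode, if you happen to be root).
    results["/var/run/tor-socks"] = check_socket_location("/var/run/tor-socks", me)
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(path, verdict)
```

Run as-is it prints one verdict per constructed directory plus the reason /var/run/tor-socks is refused on your machine. The practical takeaway is the one the reporter hit: a directory shared with other users cannot pass the default rule however it is owned, so a shared socket needs a dedicated directory plus an explicit relaxation, not a looser mode on the directory alone.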
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#797341; Package tor. (Mon, 19 Oct 2015 17:48:36 GMT)
Acknowledgement sent to Peter Palfrader <weasel@debian.org>: Extra info received and forwarded to list. (Mon, 19 Oct 2015 17:48:36 GMT)
Message #10 received at 797341@bugs.debian.org:
On Sat, 29 Aug 2015, Michael Gold wrote:
> I tried to use this option:
> SocksPort unix:/var/run/tor-socks
> (And also one in a directory owned by the Tor user with mode 0755.)
>
> But Tor refuses to create the socket:
> [warn] Before Tor can create a SOCKS socket in "/var/run/tor-socks",
> the directory "/var/run" needs to exist, and to be accessible only
> by the user and group account that is running Tor. (On some Unix
> systems, anybody who can list a socket can connect to it, so Tor is
> being careful.)
>
> The point of the socket was to allow access by other users. I don't see
> a reason to restrict Unix SOCKS ports this way, since the TCP ports are
> already accessible by all. The Unix port could be more secure, because
> Tor could get the uid of the client and enforce isolation between users.
> This seems like a leftover ControlSocket restriction.
I tend to agree. Do you want to file a ticket upstream at
https://trac.torproject.org/? If not, I can forward it.
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>: Bug#797341; Package tor. (Tue, 20 Oct 2015 03:57:04 GMT)
Acknowledgement sent to Michael Gold <michael@bitplane.org>: Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Tue, 20 Oct 2015 03:57:04 GMT)
Message #15 received at 797341@bugs.debian.org:
On Mon, Oct 19, 2015 at 19:27:59 +0200, Peter Palfrader wrote:
> I tend to agree. Do you want to file a ticket upstream at
> https://trac.torproject.org/? If not, I can forward it.
forwarded 797341 https://trac.torproject.org/projects/tor/ticket/17388
thanks
I wasn't able to create an account due to a series of intractable
CAPTCHAs, so I used the cypherpunks account.
-- Michael
Reply sent to Peter Palfrader <weasel@debian.org>: You have taken responsibility. (Wed, 16 Mar 2016 19:57:07 GMT)
Notification sent to Michael Gold <michael@bitplane.org>: Bug acknowledged by developer. (Wed, 16 Mar 2016 19:57:07 GMT)
Message #22 received at 797341-done@bugs.debian.org:
On Sat, 29 Aug 2015, Michael Gold wrote:
> I tried to use this option:
> SocksPort unix:/var/run/tor-socks
> (And also one in a directory owned by the Tor user with mode 0755.)
>
> But Tor refuses to create the socket:
> [warn] Before Tor can create a SOCKS socket in "/var/run/tor-socks",
> the directory "/var/run" needs to exist, and to be accessible only
> by the user and group account that is running Tor. (On some Unix
> systems, anybody who can list a socket can connect to it, so Tor is
> being careful.)
I think this is fixed with the WorldWritable socket option from 0.2.7.2:
- Add GroupWritable and WorldWritable options to unix-socket based
SocksPort and ControlPort options. These options apply to a single
socket, and override {Control,Socks}SocketsGroupWritable. Closes
ticket 15220.
At least
| SocksPort unix:/var/run/tor-socks WorldWritable
works for me.
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
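Once the socket exists, something has to speak SOCKS5 over it. The following is an added example (Python, not Tor's, Debian's or the reporter's code) showing both ends of that exchange over a real AF_UNIX socket: a client doing the SOCKS5 CONNECT handshake to a hostname, and a stub standing in for the listener that parses the handshake and reads the connecting process's uid with SO_PEERCRED, which is the mechanism behind the reporter's remark that a unix-socket listener, unlike a TCP port on 127.0.0.1, can tell local users apart. The stub only parses the handshake and proxies nothing; the socket path is a temporary one rather than /var/run/tor-socks, and the reply format (success with 0.0.0.0:0) is the usual SOCKS5 shape, not something this bug log documents.

```python
"""SOCKS5 CONNECT over a unix-domain SocksPort, both ends shown.
Added example, not Tor's code: the "server" is a stub that only parses the
handshake so the exchange runs offline. A real Tor listening on
`SocksPort unix:/var/run/tor-socks WorldWritable` would proxy the stream.
"""
import os
import socket
import struct
import tempfile
import threading

SOCKS_VERSION = 0x05
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03


def _recv_exact(sock, n):
    """Read exactly n bytes; recv() may return short reads even on AF_UNIX."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during handshake")
        buf += chunk
    return buf


def socks5_connect(sock, host, port):
    """Client side: offer 'no authentication', then CONNECT to host:port by name
    (ATYP 0x03) so the proxy resolves it and no DNS query leaves the client."""
    sock.sendall(bytes([SOCKS_VERSION, 1, 0x00]))          # one method offered: no auth
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != 0x00:
        raise ConnectionError("proxy rejected the no-auth method")
    name = host.encode("idna")
    sock.sendall(bytes([SOCKS_VERSION, 0x01, 0x00, ATYP_DOMAIN, len(name)])  # 0x01 = CONNECT
                 + name + struct.pack("!H", port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VERSION or rep != 0x00:
        raise ConnectionError(f"CONNECT failed, reply code {rep:#04x}")
    if atyp != ATYP_IPV4:                                   # expect an IPv4 BND.ADDR (0.0.0.0)
        raise ConnectionError("unexpected BND.ADDR type in reply")
    _recv_exact(sock, 4 + 2)                                # drain BND.ADDR and BND.PORT
    return sock                                             # now a raw stream to host:port


def peer_uid(conn):
    """uid of the process on the other end of a unix socket, via SO_PEERCRED
    (Linux-specific; None elsewhere). A TCP SocksPort on 127.0.0.1 has no
    equivalent, which is why a unix socket could enforce per-user isolation."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    try:
        ucred = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    except OSError:
        return None
    _pid, uid, _gid = struct.unpack("3i", ucred)            # struct ucred { pid, uid, gid }
    return uid


def stub_socks_server(conn):
    """Server side of the same handshake. Returns (host, port, client uid)."""
    ver, nmethods = _recv_exact(conn, 2)
    methods = _recv_exact(conn, nmethods)
    if ver != SOCKS_VERSION or 0x00 not in methods:
        conn.sendall(bytes([SOCKS_VERSION, 0xFF]))           # no acceptable method
        raise ConnectionError("client offered no acceptable method")
    conn.sendall(bytes([SOCKS_VERSION, 0x00]))
    ver, cmd, _rsv, atyp = _recv_exact(conn, 4)
    if ver != SOCKS_VERSION or cmd != 0x01 or atyp != ATYP_DOMAIN:
        conn.sendall(bytes([SOCKS_VERSION, 0x07, 0x00, ATYP_IPV4]) + b"\0" * 6)  # not supported
        raise ConnectionError("only CONNECT by hostname is handled here")
    (hlen,) = _recv_exact(conn, 1)
    host = _recv_exact(conn, hlen).decode("idna")
    (port,) = struct.unpack("!H", _recv_exact(conn, 2))
    conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + b"\0" * 6)  # succeeded, 0.0.0.0:0
    return host, port, peer_uid(conn)


def demo(host="example.com", port=443):
    """Run client and stub server over a real AF_UNIX socket in a temp dir."""
    seen = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tor-socks")
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
            srv.bind(path)
            srv.listen(1)

            def serve():
                conn, _ = srv.accept()
                with conn:
                    seen["host"], seen["port"], seen["peer_uid"] = stub_socks_server(conn)

            t = threading.Thread(target=serve)
            t.start()
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
                cli.connect(path)
                socks5_connect(cli, host, port)
            t.join()
    seen["client_uid"] = os.getuid()                       # for comparison with peer_uid
    return seen
```

Calling `demo()` returns the target the stub parsed and, on Linux, the uid it learned for the connecting process, which matches the caller's own uid. To point `socks5_connect` at a real Tor, open an AF_UNIX socket to the configured SocksPort path and hand it in; the returned socket is then the proxied stream to the target.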
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Apr 2016 07:29:47 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Tue Nov 2 02:03:19 2021; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.