diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-05-13 15:46:53 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-05-15 20:20:29 -0400 |
commit | 4b800408fa85ce0ac81a308c42d654b3357180d4 (patch) | |
tree | 2d1d3c7153367636ba3c7c62082b2cf08589e689 | |
parent | 5d147d8527da3c8cff7f5ab5f0d0185d51fff79b (diff) | |
download | tor-4b800408fa85ce0ac81a308c42d654b3357180d4.tar tor-4b800408fa85ce0ac81a308c42d654b3357180d4.tar.gz |
Check permissions on the directory holding a control socket
-rw-r--r-- | changes/bug2792_checkdir | 8 | ||||
-rw-r--r-- | src/or/connection.c | 40 |
2 files changed, 48 insertions, 0 deletions
diff --git a/changes/bug2792_checkdir b/changes/bug2792_checkdir new file mode 100644 index 000000000..10de1deb2 --- /dev/null +++ b/changes/bug2792_checkdir @@ -0,0 +1,8 @@ + o Minor features: + - Tor now refuses to create a ControlSocket in a directory that is + world-readable (or group-readable if ControlSocketsGroupWritable + is 0). This is necessary because some operating systems do not + check the permissions on an AF_UNIX socket when programs try to + connect to it. Checking permissions on the directory holding + the socket, however, seems to work everywhere. + diff --git a/src/or/connection.c b/src/or/connection.c index ab265df1a..b7d6fe408 100644 --- a/src/or/connection.c +++ b/src/or/connection.c @@ -853,6 +853,43 @@ warn_too_many_conns(void) } } +#ifdef HAVE_SYS_UN_H +/** Check whether we should be willing to open an AF_UNIX socket in + * <b>path</b>. Return 0 if we should go ahead and -1 if we shouldn't. */ +static int +check_location_for_unix_socket(or_options_t *options, const char *path) +{ + int r = -1; + char *p = tor_strdup(path); + cpd_check_t flags = CPD_CHECK_MODE_ONLY; + if (get_parent_directory(p)<0) + goto done; + + if (options->ControlSocketsGroupWritable) + flags |= CPD_GROUP_OK; + + if (check_private_dir(p, flags) < 0) { + char *escpath, *escdir; + escpath = esc_for_log(path); + escdir = esc_for_log(p); + log_warn(LD_GENERAL, "Before Tor can create a control socket in %s, the " + "directory %s needs to exist, and to be accessible only by the " + "user%s account that is running Tor. (On some Unix systems, " + "anybody who can list a socket can conect to it, so Tor is " + "being careful.)", escpath, escdir, + options->ControlSocketsGroupWritable ? " and group" : ""); + tor_free(escpath); + tor_free(escdir); + goto done; + } + + r = 0; + done: + tor_free(p); + return r; +} +#endif + /** Bind a new non-blocking socket listening to the socket described * by <b>listensockaddr</b>. * @@ -947,6 +984,9 @@ connection_create_listener(const struct sockaddr *listensockaddr, * and listeners at the same time */ tor_assert(type == CONN_TYPE_CONTROL_LISTENER); + if (check_location_for_unix_socket(get_options(), address) < 0) + goto err; + log_notice(LD_NET, "Opening %s on %s", conn_type_to_string(type), address); |