aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2011-05-13 15:46:53 -0400
committerNick Mathewson <nickm@torproject.org>2011-05-15 20:20:29 -0400
commit4b800408fa85ce0ac81a308c42d654b3357180d4 (patch)
tree2d1d3c7153367636ba3c7c62082b2cf08589e689
parent5d147d8527da3c8cff7f5ab5f0d0185d51fff79b (diff)
downloadtor-4b800408fa85ce0ac81a308c42d654b3357180d4.tar
tor-4b800408fa85ce0ac81a308c42d654b3357180d4.tar.gz
Check permissions on the directory holding a control socket
-rw-r--r--changes/bug2792_checkdir8
-rw-r--r--src/or/connection.c40
2 files changed, 48 insertions, 0 deletions
diff --git a/changes/bug2792_checkdir b/changes/bug2792_checkdir
new file mode 100644
index 000000000..10de1deb2
--- /dev/null
+++ b/changes/bug2792_checkdir
@@ -0,0 +1,8 @@
+ o Minor features:
+ - Tor now refuses to create a ControlSocket in a directory that is
+ world-readable (or group-readable if ControlSocketsGroupWritable
+ is 0). This is necessary because some operating systems do not
+ check the permissions on an AF_UNIX socket when programs try to
+ connect to it. Checking permissions on the directory holding
+ the socket, however, seems to work everywhere.
+
diff --git a/src/or/connection.c b/src/or/connection.c
index ab265df1a..b7d6fe408 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -853,6 +853,43 @@ warn_too_many_conns(void)
}
}
+#ifdef HAVE_SYS_UN_H
+/** Check whether we should be willing to open an AF_UNIX socket in
+ * <b>path</b>. Return 0 if we should go ahead and -1 if we shouldn't. */
+static int
+check_location_for_unix_socket(or_options_t *options, const char *path)
+{
+ int r = -1;
+ char *p = tor_strdup(path);
+ cpd_check_t flags = CPD_CHECK_MODE_ONLY;
+ if (get_parent_directory(p)<0)
+ goto done;
+
+ if (options->ControlSocketsGroupWritable)
+ flags |= CPD_GROUP_OK;
+
+ if (check_private_dir(p, flags) < 0) {
+ char *escpath, *escdir;
+ escpath = esc_for_log(path);
+ escdir = esc_for_log(p);
+ log_warn(LD_GENERAL, "Before Tor can create a control socket in %s, the "
+ "directory %s needs to exist, and to be accessible only by the "
+ "user%s account that is running Tor. (On some Unix systems, "
+ "anybody who can list a socket can conect to it, so Tor is "
+ "being careful.)", escpath, escdir,
+ options->ControlSocketsGroupWritable ? " and group" : "");
+ tor_free(escpath);
+ tor_free(escdir);
+ goto done;
+ }
+
+ r = 0;
+ done:
+ tor_free(p);
+ return r;
+}
+#endif
+
/** Bind a new non-blocking socket listening to the socket described
* by <b>listensockaddr</b>.
*
@@ -947,6 +984,9 @@ connection_create_listener(const struct sockaddr *listensockaddr,
* and listeners at the same time */
tor_assert(type == CONN_TYPE_CONTROL_LISTENER);
+ if (check_location_for_unix_socket(get_options(), address) < 0)
+ goto err;
+
log_notice(LD_NET, "Opening %s on %s",
conn_type_to_string(type), address);