authorNick Mathewson <nickm@torproject.org>2008-08-06 16:32:17 +0000
committerNick Mathewson <nickm@torproject.org>2008-08-06 16:32:17 +0000
commit635f3c8aeef717d03a86117dfa81944fb6788bca (patch)
treee9a99b885c3f828119398d92388f1e808cdd06a9 /src/or
parent2905291af2c3719bdd482e8c6f59ec983fe0e827 (diff)
r17664@tombo: nickm | 2008-08-06 12:32:09 -0400
Patch from Christopher Davis: open /dev/pf before dropping privileges. Fixes bug 782. Backport candidate. svn:r16450
Diffstat (limited to 'src/or')
-rw-r--r--src/or/config.c10
-rw-r--r--src/or/connection_edge.c4
-rw-r--r--src/or/or.h4
3 files changed, 16 insertions, 2 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 201a621e6..0edea45bd 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1059,6 +1059,16 @@ options_act_reversible(or_options_t *old_options, char **msg)
}
}
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+ /* Open /dev/pf before dropping privileges. */
+ if (options->TransPort) {
+ if (get_pf_socket() < 0) {
+ *msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
+ goto rollback;
+ }
+ }
+#endif
+
/* Setuid/setgid as appropriate */
if (options->User || options->Group) {
/* XXXX021 We should only do this the first time through, not on
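Review bot: The failure path at the `goto rollback` throws away the reason /dev/pf could not be opened: `*msg` is a fixed string, so an operator who enables TransPort on a later reload — after the setuid/setgid block that immediately follows this insertion has already dropped privileges — only sees "Unable to open /dev/pf for transparent proxy." with no hint that the open is now running unprivileged (the `if (pf_socket >= 0) return pf_socket;` cache in connection_edge.c only helps when the descriptor was obtained on the first, still-privileged pass). Unless get_pf_socket() already logs strerror(errno) in the part of its body outside this diff, I would record it here before the jump, `log_warn(LD_CONFIG, "open(\"/dev/pf\") failed: %s", strerror(errno));`, and extend the message so it says that on pf systems TransPort has to be configured before Tor drops privileges rather than added on a reload. Note that with User/Group set the descriptor obtained here is the one capability the unprivileged process keeps; a short comment saying so next to `/* Open /dev/pf before dropping privileges. */` would make that intentional retention explicit. options_act_reversible starts and ends outside this hunk.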
diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index 123c011ff..0746569a9 100644
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1653,11 +1653,11 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
#ifdef TRANS_PF
static int pf_socket = -1;
-static int
+int
get_pf_socket(void)
{
int pf;
- /* Ideally, this should be opened before dropping privs. */
+ /* This should be opened before dropping privs. */
if (pf_socket >= 0)
return pf_socket;
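Review bot: get_pf_socket() is promoted from `static` to external linkage but keeps only the one-line remark "This should be opened before dropping privs."; as an exported function it should carry a header comment that states its contract for callers in other files. The comment should say that it returns the process-wide cached descriptor for /dev/pf, opening it on the first call, that it returns -1 on failure, that the first call must happen while the process is still privileged (which is why config.c now calls it), and that — as far as this diff shows — the descriptor is kept for the lifetime of the process. The file-scope cache would also benefit from `/** Cached descriptor for /dev/pf, or -1 if not opened yet. */` above `static int pf_socket = -1;`. The body of get_pf_socket continues past the end of the hunk.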
diff --git a/src/or/or.h b/src/or/or.h
index 40b9efae9..61ae79712 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2937,6 +2937,10 @@ typedef enum hostname_type_t {
} hostname_type_t;
hostname_type_t parse_extended_hostname(char *address);
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+
/********************************* connection_or.c ***************************/
void connection_or_remove_from_identity_map(or_connection_t *conn);
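Review bot: The prototype guard on the `#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)` line repeats the configure-macro test by hand, while the definition in connection_edge.c sits under `#ifdef TRANS_PF` and the new config.c call site repeats the hand-written test a third time. If TRANS_PF is derived from those same two macros elsewhere in or.h the three are equivalent today, but they can drift independently, and a drift leaves either an implicit declaration in config.c or a prototype with no definition behind it at link time. I would guard the prototype (and the call site) with `#ifdef TRANS_PF` so one macro controls every site. A one-line comment on the prototype, `/** Open (once) and return the /dev/pf descriptor; call before dropping privileges. */`, would also spare readers the trip to connection_edge.c.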