Message ID | 3337d646-c173-ed7f-d04f-46fe92c398cd@ipfire.org |
---|---|
State | Accepted |
Commit | 4680d554fc52813b9e2a1bae3888d0b34dfbb5ad |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id A12E188B018 for <patchwork@web07.i.ipfire.org>; Mon, 11 Mar 2019 20:08:04 +0000 (GMT) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 44J8Kw1hB1z4xv57; Mon, 11 Mar 2019 20:08:04 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1552334884; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references:list-id:list-unsubscribe:list-subscribe:list-post; bh=sJT13aoqY04SkVxxe4DWioFJUTqsS1UFXvyfP6TuCao=; b=MFrVo1K6ZPWWOUNQr+1ymS/6YEKXUvEJfrO6/L+rHq7gHaBjhuhVejdeXL7d6GWmU3xDJN 1wpt47x2eLUJlvQp20hXMUepq6f6qvhBUqB7fvVre5Ijs1vB6xLAW7ApLhx71NdPGSb3GF LiKZzIuNa3jZEO8HZVKj2hZSEsykWraeNfMb+3etFeEzEecOhMonNZ1FNzDV9nxDzL4Iy1 HSULakQOs7MLpV3GWokn7bA/9yu8bzUAJL1hA+PnkSjA/TeUqBAkGAMzxsOpRKqvqmvuMb VZHkRdi4kmDkZVgbVy1b3cuHKw12CF0YKV7ua8GPDh27ruqV9fBP+jfFVd1Vqg== Received: from [127.0.0.1] (unknown [IPv6:2a0b:f4c1::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 44J8Kr47Tdz55gQF for <development@lists.ipfire.org>; Mon, 11 Mar 2019 20:07:59 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201801; t=1552334881; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:in-reply-to: references; bh=sJT13aoqY04SkVxxe4DWioFJUTqsS1UFXvyfP6TuCao=; 
b=r/ktkPfEmxNO+X07uMFo53Cz7tdA7KBDLPOs7BNYqCBh8sF1fBnsuDWJwlXwtvhhZA14V9 LGXsZoHZ4sJhe0fyP0cZG3HlNHKp584MEALPd+An6aUVBWX+G+yPOqU3rLhyHwmbYgiKH2 8bPLbyKdwZ0Y9w6XEcLw3w3FZokhVfEY/Bc+ooasIN8dM2tYPJtP9w8U5L4NVYyRg7u9Gd ph4MboBlGRgZOl1Td1g5RWNMuxMa5gKXt7zk4tBVGyD+wVYlhXImjaETDWU6sBgBLuAgJz 4yDs7sVNuW2LMce2aCZDNcX8Ier1IrAwVIiRr3uolgKD+LrL3jJ8m+4VOWsM+w== To: "IPFire: Development-List" <development@lists.ipfire.org> From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org> Subject: [PATCH 2/2] run Tor under dedicated user Organization: IPFire.org Message-ID: <3337d646-c173-ed7f-d04f-46fe92c398cd@ipfire.org> Date: Mon, 11 Mar 2019 20:07:00 +0000 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Spamd-Result: default: False [-5.27 / 11.00]; ARC_NA(0.00)[]; BAYES_HAM(-3.00)[100.00%]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MIME_GOOD(-0.10)[text/plain]; RCPT_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[]; DKIM_SIGNED(0.00)[]; TO_DN_ALL(0.00)[]; NEURAL_HAM(-2.17)[-0.722,0]; RCVD_COUNT_ZERO(0.00)[0]; FROM_EQ_ENVFROM(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:60729, ipnet:2a0b:f4c1::/48, country:AT]; MID_RHS_MATCH_FROM(0.00)[]; RCVD_TLS_ALL(0.00)[] Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=pmueller smtp.mailfrom=peter.mueller@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>, <mailto:development-request@lists.ipfire.org?subject=unsubscribe> List-Archive: <https://lists.ipfire.org/pipermail/development/> List-Post: <mailto:development@lists.ipfire.org> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>, <mailto:development-request@lists.ipfire.org?subject=subscribe> Errors-To: 
development-bounces@lists.ipfire.org Sender: "Development" <development-bounces@lists.ipfire.org> |
Series | [1/2] add IPtables chain for outgoing Tor traffic |
Commit Message
Peter Müller
March 12, 2019, 7:07 a.m. UTC
This allows more fine-granular firewall rules (see first patch for
further information). Further, it prevents other services running as
"nobody" (Apache, ...) from reading Tor relay keys.
Fixes #11779.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
lfs/tor | 6 +++---
src/paks/tor/install.sh | 15 ++++++++++++++-
2 files changed, 17 insertions(+), 4 deletions(-)
Comments
Hi, There is a problem in the script: > On 11 Mar 2019, at 20:07, Peter Müller <peter.mueller@ipfire.org> wrote: > > This allows more-fine granular firewall rules (see first patch for > further information). Further, it prevents other services running as > "nobody" (Apache, ...) from reading Tor relay keys. > > Fixes #11779. > > Signed-off-by: Peter Müller <peter.mueller@ipfire.org> > --- > lfs/tor | 6 +++--- > src/paks/tor/install.sh | 15 ++++++++++++++- > 2 files changed, 17 insertions(+), 4 deletions(-) > > diff --git a/lfs/tor b/lfs/tor > index 384b1b213..2b0e0903a 100644 > --- a/lfs/tor > +++ b/lfs/tor > @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) > DIR_APP = $(DIR_SRC)/$(THISAPP) > TARGET = $(DIR_INFO)/$(THISAPP) > PROG = tor > -PAK_VER = 34 > +PAK_VER = 35 > > DEPS = "" > > @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > --prefix=/usr \ > --sysconfdir=/etc \ > --localstatedir=/var \ > - --with-tor-user=nobody \ > - --with-tor-group=nobody > + --with-tor-user=tor \ > + --with-tor-group=tor > > cd $(DIR_APP) && make $(MAKETUNING) > cd $(DIR_APP) && make install > diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh > index 31c5fecae..e1ed33331 100644 > --- a/src/paks/tor/install.sh > +++ b/src/paks/tor/install.sh 
> @@ -17,11 +17,24 @@ > # along with IPFire; if not, write to the Free Software # > # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # > # # > -# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. # > +# Copyright (C) 2007-2019 IPFire-Team <info@ipfire.org>. # > # # > ############################################################################ > # > . /opt/pakfire/lib/functions.sh > + > +# Run Tor as dedicated user and make sure user and group exist > +if ! getent group tor &>/dev/null; then > + groupadd -g 119 tor > +fi > + > +if ! getent passwd tor; then > + useradd -u 119 -g tor -d /var/empty -s /bin/false tor > + > + # Adjust some folder permission for new UID/GID > + chown -R tor:tor /var/lib/tor /var/ipfire/tor You are only changing these directories when the user is being created. If the add-on is uninstalled and later installed again the files will have the wrong owner because they are created as somebody else in the build process. So the chown line should be in the build process. The user should also be put into /etc/passwd and /etc/group so that it is always present on all systems as well as during the build process to assign correct ownership of the those directories. -Michael > +fi > + > extract_files > restore_backup ${NAME} > start_service --background ${NAME} > -- > 2.16.4
Hello Michael, > Hi, > > There is a problem in the script: :-( > >> On 11 Mar 2019, at 20:07, Peter Müller <peter.mueller@ipfire.org> wrote: >> >> This allows more-fine granular firewall rules (see first patch for >> further information). Further, it prevents other services running as >> "nobody" (Apache, ...) from reading Tor relay keys. >> >> Fixes #11779. >> >> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >> --- >> lfs/tor | 6 +++--- >> src/paks/tor/install.sh | 15 ++++++++++++++- >> 2 files changed, 17 insertions(+), 4 deletions(-) >> >> diff --git a/lfs/tor b/lfs/tor >> index 384b1b213..2b0e0903a 100644 >> --- a/lfs/tor >> +++ b/lfs/tor >> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >> DIR_APP = $(DIR_SRC)/$(THISAPP) >> TARGET = $(DIR_INFO)/$(THISAPP) >> PROG = tor >> -PAK_VER = 34 >> +PAK_VER = 35 >> >> DEPS = "" >> >> @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >> --prefix=/usr \ >> --sysconfdir=/etc \ >> --localstatedir=/var \ >> - --with-tor-user=nobody \ >> - --with-tor-group=nobody >> + --with-tor-user=tor \ >> + --with-tor-group=tor >> >> cd $(DIR_APP) && make $(MAKETUNING) >> cd $(DIR_APP) && make install >> diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh >> index 31c5fecae..e1ed33331 100644 >> --- a/src/paks/tor/install.sh >> +++ b/src/paks/tor/install.sh 
>> @@ -17,11 +17,24 @@ >> # along with IPFire; if not, write to the Free Software # >> # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # >> # # >> -# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. # >> +# Copyright (C) 2007-2019 IPFire-Team <info@ipfire.org>. # >> # # >> ############################################################################ >> # >> . /opt/pakfire/lib/functions.sh >> + >> +# Run Tor as dedicated user and make sure user and group exist >> +if ! getent group tor &>/dev/null; then >> + groupadd -g 119 tor >> +fi >> + >> +if ! getent passwd tor; then >> + useradd -u 119 -g tor -d /var/empty -s /bin/false tor >> + >> + # Adjust some folder permission for new UID/GID >> + chown -R tor:tor /var/lib/tor /var/ipfire/tor > > You are only changing these directories when the user is being created. Yes, this is intentional. > > If the add-on is uninstalled and later installed again the files will have the wrong owner because they are created as somebody else in the build process. > > So the chown line should be in the build process. The user should also be put into /etc/passwd and /etc/group so that it is always present on all systems as well as during the build process to assign correct ownership of the those directories. I tried to run the chown command during the build process, but it failed, as the user Tor was unavailable at build time. As I saw the patches were merged for Core Update 130, I will add some additional patches for adding the Tor user during build time. Do you think manually adding the user via src/paks/tor/install.sh will be still necessary then? Thanks for any hints. Best regards, Peter Müller
Hi, > On 14 Mar 2019, at 14:58, Peter Müller <peter.mueller@ipfire.org> wrote: > > Hello Michael, > >> Hi, >> >> There is a problem in the script: > :-( >> >>> On 11 Mar 2019, at 20:07, Peter Müller <peter.mueller@ipfire.org> wrote: >>> >>> This allows more-fine granular firewall rules (see first patch for >>> further information). Further, it prevents other services running as >>> "nobody" (Apache, ...) from reading Tor relay keys. >>> >>> Fixes #11779. >>> >>> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> >>> --- >>> lfs/tor | 6 +++--- >>> src/paks/tor/install.sh | 15 ++++++++++++++- >>> 2 files changed, 17 insertions(+), 4 deletions(-) >>> >>> diff --git a/lfs/tor b/lfs/tor >>> index 384b1b213..2b0e0903a 100644 >>> --- a/lfs/tor >>> +++ b/lfs/tor >>> @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) >>> DIR_APP = $(DIR_SRC)/$(THISAPP) >>> TARGET = $(DIR_INFO)/$(THISAPP) >>> PROG = tor >>> -PAK_VER = 34 >>> +PAK_VER = 35 >>> >>> DEPS = "" >>> >>> @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) >>> --prefix=/usr \ >>> --sysconfdir=/etc \ >>> --localstatedir=/var \ >>> - --with-tor-user=nobody \ >>> - --with-tor-group=nobody >>> + --with-tor-user=tor \ >>> + --with-tor-group=tor >>> >>> cd $(DIR_APP) && make $(MAKETUNING) >>> cd $(DIR_APP) && make install >>> diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh >>> index 31c5fecae..e1ed33331 100644 >>> --- a/src/paks/tor/install.sh >>> +++ b/src/paks/tor/install.sh 
>>> @@ -17,11 +17,24 @@ >>> # along with IPFire; if not, write to the Free Software # >>> # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # >>> # # >>> -# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. # >>> +# Copyright (C) 2007-2019 IPFire-Team <info@ipfire.org>. # >>> # # >>> ############################################################################ >>> # >>> . /opt/pakfire/lib/functions.sh >>> + >>> +# Run Tor as dedicated user and make sure user and group exist >>> +if ! getent group tor &>/dev/null; then >>> + groupadd -g 119 tor >>> +fi >>> + >>> +if ! getent passwd tor; then >>> + useradd -u 119 -g tor -d /var/empty -s /bin/false tor >>> + >>> + # Adjust some folder permission for new UID/GID >>> + chown -R tor:tor /var/lib/tor /var/ipfire/tor >> >> You are only changing these directories when the user is being created. > Yes, this is intentional. >> >> If the add-on is uninstalled and later installed again the files will have the wrong owner because they are created as somebody else in the build process. >> >> So the chown line should be in the build process. The user should also be put into /etc/passwd and /etc/group so that it is always present on all systems as well as during the build process to assign correct ownership of the those directories. > I tried to run the chown command during the build process, but it failed, > as the user Tor was unavailable at build time. > > As I saw the patches were merged for Core Update 130, I will add some additional > patches for adding the Tor user during build time. Do you think manually adding > the user via src/paks/tor/install.sh will be still necessary then? Silly me has merged the patch and forgotten about the ownership issue :) I suppose moving the chown command after the if clause would suffice. > > Thanks for any hints. > > Best regards, > Peter Müller > -- > The road to Hades is easy to travel. > -- Bion of Borysthenes
diff --git a/lfs/tor b/lfs/tor index 384b1b213..2b0e0903a 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 34 +PAK_VER = 35 DEPS = "" @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ - --with-tor-user=nobody \ - --with-tor-group=nobody + --with-tor-user=tor \ + --with-tor-group=tor cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh index 31c5fecae..e1ed33331 100644 --- a/src/paks/tor/install.sh +++ b/src/paks/tor/install.sh @@ -17,11 +17,24 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. # +# Copyright (C) 2007-2019 IPFire-Team <info@ipfire.org>. # # # ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Run Tor as dedicated user and make sure user and group exist +if ! getent group tor &>/dev/null; then + groupadd -g 119 tor +fi + +if ! getent passwd tor; then + useradd -u 119 -g tor -d /var/empty -s /bin/false tor + + # Adjust some folder permission for new UID/GID + chown -R tor:tor /var/lib/tor /var/ipfire/tor +fi + extract_files restore_backup ${NAME} start_service --background ${NAME}
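Review bot: the second lfs/tor hunk passes `--with-tor-user=tor` and `--with-tor-group=tor` to configure, but nothing in the series creates that account in the build environment, so `make install` cannot assign it to /var/lib/tor and the packaged directories end up owned by the build user (the thread confirms a build-time chown fails for exactly this reason). Add the `tor` entries to the build system's /etc/passwd and /etc/group together with this change, so the package ships with correct ownership and install.sh only has to handle upgrades from the `nobody` layout.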
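Review bot: in the src/paks/tor/install.sh hunk the `chown -R tor:tor /var/lib/tor /var/ipfire/tor` sits inside the `if ! getent passwd tor` branch, so it runs only on the install that creates the account; on a reinstall the account already exists, the branch is skipped, and the directories keep whatever owner they had at build time, leaving Tor unable to read its own state and keys. Move the chown after the closing `fi`, and if `extract_files` unpacks the add-on's files as its name suggests, after that call too, since a chown placed before it only affects files already on disk. Two smaller points in the same hunk: the group check discards output with `&>/dev/null` but `getent passwd tor` does not, so a matching passwd line is printed to the installer's stdout; and `groupadd -g 119` / `useradd -u 119` assume id 119 is free, yet both commands fail when it is already taken and their exit status is not checked, so the script would go on to `start_service` regardless.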