From patchwork Tue Mar 12 07:07:00 2019
From: Peter Müller
To: "IPFire: Development-List"
Subject: [PATCH 2/2] run Tor under dedicated user
Organization: IPFire.org
Message-ID: <3337d646-c173-ed7f-d04f-46fe92c398cd@ipfire.org>
Date: Mon, 11 Mar 2019 20:07:00 +0000

This allows more fine-granular firewall rules (see first patch for further information).
Further, it prevents other services running as "nobody" (Apache, ...) from reading Tor relay keys.

Fixes #11779.

Signed-off-by: Peter Müller
---
 lfs/tor                 |  6 +++---
 src/paks/tor/install.sh | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/lfs/tor b/lfs/tor index 384b1b213..2b0e0903a 100644 --- a/lfs/tor +++ b/lfs/tor @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 34 +PAK_VER = 35 DEPS = "" @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ - --with-tor-user=nobody \ - --with-tor-group=nobody + --with-tor-user=tor \ + --with-tor-group=tor cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh index 31c5fecae..e1ed33331 100644 --- a/src/paks/tor/install.sh +++ b/src/paks/tor/install.sh @@ -17,11 +17,24 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team . # +# Copyright (C) 2007-2019 IPFire-Team . # # # ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Run Tor as dedicated user and make sure user and group exist +if ! getent group tor &>/dev/null; then + groupadd -g 119 tor +fi + +if ! getent passwd tor; then + useradd -u 119 -g tor -d /var/empty -s /bin/false tor + + # Adjust some folder permission for new UID/GID + chown -R tor:tor /var/lib/tor /var/ipfire/tor +fi + extract_files restore_backup ${NAME} start_service --background ${NAME}
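Review bot: in the second lfs/tor hunk, `--with-tor-user=tor` / `--with-tor-group=tor` configure Tor for an account that this series only creates at package install time (the `groupadd` / `useradd` live in src/paks/tor/install.sh); nothing in the LFS file adds the account to the build environment where `make install` runs. Please confirm that the build does not need the account to exist (and say so in the commit message), and add a comment in lfs/tor pointing at install.sh, since the UID/GID 119 chosen there is invisible to configure and the two files have to be kept in sync by hand.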
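Review bot: in the install.sh hunk, `chown -R tor:tor /var/lib/tor /var/ipfire/tor` runs before `extract_files` and `restore_backup ${NAME}`, so files unpacked from the package or restored from a backup taken under PAK_VER 34 (owned by `nobody`) arrive after the chown and keep their old owner, and on a fresh install /var/lib/tor may not exist yet at that point. Move the chown after `restore_backup ${NAME}` and run it unconditionally rather than only inside the user-creation branch, because an upgrade on a box that already has the account is exactly the case that needs it. Three smaller points in the same hunk: `if ! getent passwd tor; then` is missing the `&>/dev/null` that the group check has, so an existing user's passwd line is printed on every install; `groupadd -g 119` / `useradd -u 119` assume 119 is free and, with no `set -e` and no exit-status check, fall through silently when it is not, leaving the keys with `nobody`; and chown changes ownership but not mode, so the goal stated in the commit message (keeping `nobody` services away from relay keys) also depends on /var/lib/tor and /var/ipfire/tor being `o-rwx`, which an explicit `chmod` next to the `chown` would guarantee.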