From patchwork Tue Mar 12 07:07:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2146
To: "IPFire: Development-List"
From: Peter Müller
Organization: IPFire.org
Subject: [PATCH 1/2] add IPtables chain for outgoing Tor traffic
Message-ID: <839d952d-a9d0-db21-3f39-306a0ebacc9f@ipfire.org>
Date: Mon, 11 Mar 2019 20:07:00 +0000
List-Id: IPFire development talk

If Tor is operating in relay mode, it has to open a lot of outgoing TCP connections. These should be separated from any other outgoing connections, as allowing _all_ outgoing traffic will be unwanted and risky in most cases.

Therefore, Tor will be running as a dedicated user (see second patch), allowing usage of user-based IPtables rulesets.

Partially fixes #11779.

Signed-off-by: Peter Müller
---
 src/initscripts/packages/tor    | 4 ++++
 src/initscripts/system/firewall | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/initscripts/packages/tor b/src/initscripts/packages/tor
index 551538e2f..754a2786f 100644
--- a/src/initscripts/packages/tor
+++ b/src/initscripts/packages/tor
@@ -21,8 +21,11 @@ function setup_firewall() { # Flush all rules. flush_firewall + # Allow incoming traffic to Tor relay (and directory) port and + # all outgoing TCP connections from Tor user. if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_PORT}" ]; then iptables -A TOR_INPUT -p tcp --dport "${TOR_RELAY_PORT}" -j ACCEPT + iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT fi if [ "${TOR_RELAY_ENABLED}" = "on" -a -n "${TOR_RELAY_DIRPORT}" ] && [ "${TOR_RELAY_DIRPORT}" -ne 0 ]; then @@ -33,6 +36,7 @@ function setup_firewall() { function flush_firewall() { # Flush all rules. iptables -F TOR_INPUT + iptables -F TOR_OUTPUT } case "${1}" in diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index 2739a6834..cb533cc94 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall 
@@ -294,9 +294,11 @@ iptables_init() { iptables -N OVPNINPUT iptables -A INPUT -j OVPNINPUT - # Tor + # Tor (inbound and outbound) iptables -N TOR_INPUT iptables -A INPUT -j TOR_INPUT + iptables -N TOR_OUTPUT + iptables -A OUTPUT -j TOR_OUTPUT # Jump into the actual firewall ruleset. iptables -N INPUTFW
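Review bot: the new `iptables -A TOR_OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT` in setup_firewall() sits inside the `TOR_RELAY_ENABLED = on` / `TOR_RELAY_PORT` branch, while the comment above it says it allows "all outgoing TCP connections from Tor user"; if a client-only Tor instance is meant to go through this chain too, the rule belongs outside that conditional, otherwise the comment should say the rule is relay-only. The rule also accepts connections to any destination, including the networks behind the firewall; restricting it to the uplink interface with `-o` or excluding the local subnets with `! -d` would keep a compromised Tor process from reaching internal hosts. Finally, `--uid-owner tor` is resolved by name when the rule is loaded, so until the `tor` account from patch 2/2 exists iptables rejects the rule and setup_firewall() fails; this patch must not be shipped ahead of the second one.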
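Review bot: flush_firewall() now runs `iptables -F TOR_OUTPUT` unconditionally, but the chain is only created by the updated system firewall script in the same patch; if the tor initscript runs before the firewall initscript has been reloaded with that change, this flush (and the `-A TOR_OUTPUT` above it) errors out on a missing chain. Either create the chain here when it is absent or document that a firewall restart is required after the update.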
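Review bot: `iptables -A OUTPUT -j TOR_OUTPUT` is appended before the "Jump into the actual firewall ruleset." block, so anything ACCEPTed in TOR_OUTPUT short-circuits every OUTPUT rule that follows; that is presumably intended, but the comment should say so (e.g. `# Tor (inbound and outbound; ACCEPTs here bypass the rules below)`), and it means TOR_OUTPUT must never carry an ACCEPT without the owner match.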
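An added example, not part of this patch series or of IPFire's code: a small POSIX shell audit of an `iptables-save` dump that checks the wiring the patch sets up (a TOR_OUTPUT chain, the jump from OUTPUT into it, an ACCEPT tied to the Tor user) and separately flags an owner rule that is not scoped to an interface or destination. The dumps are constructed by hand; the uplink name `red0` and 119 as the Tor UID are assumptions, and the owner rule is matched by name or by numeric id since `iptables-save` may print either.

```sh
#!/bin/sh
# Added example (not IPFire code): audit an iptables-save dump for the
# per-user Tor egress chain. The dumps below are constructed by hand;
# "red0" (uplink interface) and UID 119 (tor user) are assumptions.

SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TOR_INPUT - [0:0]
:TOR_OUTPUT - [0:0]
-A INPUT -j TOR_INPUT
-A OUTPUT -j TOR_OUTPUT
-A TOR_INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
-A TOR_OUTPUT -o red0 -p tcp -m owner --uid-owner 119 -j ACCEPT
COMMIT'

# Same wiring, but the ACCEPT is not tied to the tor user at all.
SAMPLE_BAD='*filter
:OUTPUT ACCEPT [0:0]
:TOR_OUTPUT - [0:0]
-A OUTPUT -j TOR_OUTPUT
-A TOR_OUTPUT -p tcp -j ACCEPT
COMMIT'

# Owner rule present but unscoped: the tor user may open TCP connections
# to any destination, internal networks included.
SAMPLE_UNSCOPED='*filter
:OUTPUT ACCEPT [0:0]
:TOR_OUTPUT - [0:0]
-A OUTPUT -j TOR_OUTPUT
-A TOR_OUTPUT -p tcp -m owner --uid-owner 119 -j ACCEPT
COMMIT'

# Match the owner rule whether iptables-save printed the name or the UID.
OWNER_RULE='^-A TOR_OUTPUT .*-m owner --uid-owner (tor|119) .*-j ACCEPT$'

has_line() { printf '%s\n' "$1" | grep -qE "$2"; }

# Returns 0 if TOR_OUTPUT exists, OUTPUT jumps into it, it holds a
# uid-owner ACCEPT and no ACCEPT in it lacks the owner match; 1 otherwise.
tor_chain_ok() {
    dump=$1
    has_line "$dump" '^:TOR_OUTPUT ' || return 1
    has_line "$dump" '^-A OUTPUT -j TOR_OUTPUT$' || return 1
    has_line "$dump" "$OWNER_RULE" || return 1
    # any ACCEPT in the chain without an owner match defeats the purpose
    if printf '%s\n' "$dump" | grep -E '^-A TOR_OUTPUT ' \
            | grep -- '-j ACCEPT' | grep -vq -- '-m owner'; then
        return 1
    fi
    return 0
}

# Returns 0 if the owner ACCEPT is limited to an outgoing interface (-o)
# or excludes destinations (! -d); 1 if it accepts to any destination.
tor_egress_scoped() {
    printf '%s\n' "$1" | grep -E "$OWNER_RULE" \
        | grep -qE -- '(-o [^ ]+|! -d [^ ]+)'
}

# Stand-alone run: report on the constructed samples.
for name in SAMPLE_OK SAMPLE_BAD SAMPLE_UNSCOPED; do
    eval "dump=\$$name"
    if tor_chain_ok "$dump"; then wiring=ok; else wiring=BROKEN; fi
    if tor_egress_scoped "$dump"; then scope=scoped; else scope=unscoped; fi
    echo "$name: chain=$wiring egress=$scope"
done
```

On a real box the same functions take the live ruleset, e.g. `tor_chain_ok "$(iptables-save)"`; the scoping check is the one that catches the LAN-reachability caveat, since the chain wiring alone looks fine for SAMPLE_UNSCOPED.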

From patchwork Tue Mar 12 07:07:00 2019
X-Patchwork-Submitter: Peter Müller
X-Patchwork-Id: 2147
To: "IPFire: Development-List"
From: Peter Müller
Subject: [PATCH 2/2] run Tor under dedicated user
Organization: IPFire.org
Message-ID: <3337d646-c173-ed7f-d04f-46fe92c398cd@ipfire.org>
Date: Mon, 11 Mar 2019 20:07:00 +0000
List-Id: IPFire development talk

This allows more fine-grained firewall rules (see first patch for further information). Further, it prevents other services running as "nobody" (Apache, ...) from reading Tor relay keys.

Fixes #11779.

Signed-off-by: Peter Müller
---
 lfs/tor                 |  6 +++---
 src/paks/tor/install.sh | 15 ++++++++++++++-
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/lfs/tor b/lfs/tor
index 384b1b213..2b0e0903a 100644
--- a/lfs/tor
+++ b/lfs/tor
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = tor -PAK_VER = 34 +PAK_VER = 35 DEPS = "" @@ -82,8 +82,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ - --with-tor-user=nobody \ - --with-tor-group=nobody + --with-tor-user=tor \ + --with-tor-group=tor cd $(DIR_APP) && make $(MAKETUNING) cd $(DIR_APP) && make install
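Review bot: `--with-tor-user=tor` / `--with-tor-group=tor` only tell the build which account owns Tor's data directory; they do not by themselves make the daemon drop privileges, and the series shows no change to the `User` setting in the torrc or to how the initscript starts the daemon, so please confirm that the running process actually switches to `tor` (e.g. `User tor` in the generated torrc) and state that in the commit message. The PAK_VER bump to 35 is required since install.sh changes, so that part is fine.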
diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh index 31c5fecae..e1ed33331 100644 --- a/src/paks/tor/install.sh +++ b/src/paks/tor/install.sh @@ -17,11 +17,24 @@ # along with IPFire; if not, write to the Free Software # # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # # # -# Copyright (C) 2007 IPFire-Team . # +# Copyright (C) 2007-2019 IPFire-Team . # # # ############################################################################ # . /opt/pakfire/lib/functions.sh + +# Run Tor as dedicated user and make sure user and group exist +if ! getent group tor &>/dev/null; then + groupadd -g 119 tor +fi + +if ! getent passwd tor; then + useradd -u 119 -g tor -d /var/empty -s /bin/false tor + + # Adjust some folder permission for new UID/GID + chown -R tor:tor /var/lib/tor /var/ipfire/tor +fi + extract_files restore_backup ${NAME} start_service --background ${NAME}
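Review bot: `chown -R tor:tor /var/lib/tor /var/ipfire/tor` runs before `extract_files` and `restore_backup ${NAME}`, so files unpacked from the package or restored from a backup taken under the previous nobody-owned release, including the relay keys this patch wants to protect, may end up owned by nobody again, and Tor, now running as `tor`, cannot read them; on a fresh install the directories may not even exist yet and the chown just fails. Move the chown after `restore_backup ${NAME}` and run it whenever the `tor` user exists, not only in the branch that just created it. Two smaller points: `if ! getent passwd tor; then` lacks the `&>/dev/null` the group check has, so it prints the passwd entry on every reinstall, and `groupadd -g 119` / `useradd -u 119` are not checked for failure; if UID or GID 119 is already taken on a system both fail, the chown fails with them, and `start_service` then starts a Tor that cannot switch to its user.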
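An added example, not from the patch series or from IPFire: an ownership and mode audit over Tor's data directory, the check a reviewer would run after this update to confirm that no key material is still owned by `nobody` or readable by other services. It consumes the `mode uid path` lines that GNU `find /var/lib/tor -printf '%m %U %p\n'` prints; the listing below is constructed, and 119 as the Tor UID, 65534 as nobody and the file names are assumptions.

```sh
#!/bin/sh
# Added example (not IPFire code): verify that Tor's data directory is owned
# by the dedicated tor user and that nothing under keys/ is readable by group
# or others. Input format: "<octal mode> <uid> <path>", one entry per line,
# as produced by GNU find -printf '%m %U %p\n'. Samples are constructed;
# UID 119 (tor) and 65534 (nobody) are assumptions. Paths must not contain
# spaces for this simple field split.

TOR_UID=119

SAMPLE_GOOD='700 119 /var/lib/tor
700 119 /var/lib/tor/keys
600 119 /var/lib/tor/keys/secret_id_key
600 119 /var/lib/tor/keys/secret_onion_key
644 119 /var/lib/tor/state'

# Stale ownership left over from running as "nobody" plus a
# group-readable onion key.
SAMPLE_BAD='700 119 /var/lib/tor
700 119 /var/lib/tor/keys
600 65534 /var/lib/tor/keys/secret_id_key
640 119 /var/lib/tor/keys/secret_onion_key
644 119 /var/lib/tor/state'

# Prints one line per offending entry; exits 0 when everything is fine,
# 1 when at least one finding was printed.
tor_datadir_audit() {
    printf '%s\n' "$1" | awk -v uid="$TOR_UID" '
        {
            mode = $1; owner = $2; path = $3
            if (owner != uid)
                { print "wrong owner " owner ": " path; bad++ }
            # key material must not be readable by group or others,
            # i.e. the last two octal digits have to be 00
            if (path ~ /\/keys\// && substr(mode, length(mode) - 1) != "00")
                { print "too permissive " mode ": " path; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone run over the constructed listings.
for name in SAMPLE_GOOD SAMPLE_BAD; do
    eval "listing=\$$name"
    if tor_datadir_audit "$listing"; then
        echo "$name: clean"
    else
        echo "$name: findings listed above"
    fi
done
```

On a live system the same function takes `tor_datadir_audit "$(find /var/lib/tor -printf '%m %U %p\n')"`; a non-zero exit after a package update is exactly the situation the install script's chown ordering can produce.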