Bug#862993: tor: Does not start with AppArmor enabled and hidden service directory owned by non-root

intrigeri-4
Package: tor
Version: 0.3.0.7-1
Severity: normal

I see this:

systemd[1]: Starting Anonymizing overlay network for TCP...
tor[25760]: May 19 19:42:30.363 [notice] Tor 0.3.0.7 (git-4e55cb9db769b11c) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0e and Zlib 1.2
tor[25760]: May 19 19:42:30.363 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download
tor[25760]: May 19 19:42:30.364 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
tor[25760]: May 19 19:42:30.364 [notice] Read configuration file "/etc/tor/torrc".
tor[25760]: Configuration was valid
tor[25763]: May 19 19:42:30.557 [notice] Tor 0.3.0.7 (git-4e55cb9db769b11c) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0e and Zlib 1.2
tor[25763]: May 19 19:42:30.557 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download
tor[25763]: May 19 19:42:30.557 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
tor[25763]: May 19 19:42:30.557 [notice] Read configuration file "/etc/tor/torrc".
tor[25763]: May 19 19:42:30.560 [warn] Directory /var/lib/tor/hidden_service_onioncat cannot be read: Permission denied
tor[25763]: May 19 19:42:30.560 [warn] Checking service directory /var/lib/tor/hidden_service_onioncat failed.
tor[25763]: May 19 19:42:30.560 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
tor[25763]: May 19 19:42:30.560 [err] Reading config failed--see warnings above.
systemd[1]: [hidden email]: Main process exited, code=exited, status=1/FAILURE

Adding this line:

  capability dac_read_search,

… to the AppArmor profile fixed this problem.

/var/lib/tor/hidden_service_onioncat is only readable by debian-tor;
I suspect that Tor might try to access it as root before changing uid.

Cheers,
--
intrigeri

Roger Dingledine
On Fri, May 19, 2017 at 08:11:44PM +0200, [hidden email] wrote:
> tor[25760]: May 19 19:42:30.363 [notice] Tor 0.3.0.7 (git-4e55cb9db769b11c) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0e and Zlib 1.2
[...]
> /var/lib/tor/hidden_service_onioncat is only readable by debian-tor;
> I suspect that Tor might try to access it as root before changing uid.

Hi Intrigeri,

Thanks for the report! I think your guess is right. That means
there's an underlying bug in Tor that we should fix.

Can you tell us if this bug is present with Tor 0.2.9.x as well,
i.e. it's a regression? Or is it a new problem in 0.3.0.x?

Thanks!
--Roger

intrigeri-4
> Can you tell us if this bug is present with Tor 0.2.9.x as well,
> i.e. it's a regression? Or is it a new problem in 0.3.0.x?

It's a regression.

It might be caused by:

  * Replace CAP_DAC_OVERRIDE with CAP_DAC_READ_SEARCH in systemd's service
    capability bounding set.  Read access is sufficient for Tor (as root on
    startup) to check its onion service directories (see #847598).

intrigeri-4
In reply to this post by intrigeri-4
Control: tag -1 + patch

[hidden email]:
> Adding this line:

>   capability dac_read_search,

> … to the AppArmor profile fixed this problem.

And once this is done, according to my tests we can remove "capability
dac_override", as expected.

Please consider applying (git am) the attached commit.

Cheers,
--
intrigeri


Attachment: 0001-AppArmor-allow-dac_read_search-capability-instead-of.patch (941 bytes)
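The thread's conclusion is that tor, while still root before it changes uid, only needs to read (search) its onion service directories, so the narrower dac_read_search capability suffices at both confinement layers, systemd's CapabilityBoundingSet= and the AppArmor profile, and the broader dac_override (which also bypasses write checks) can go. The following is an added example, not code from the bug report, the tor project or the Debian package: a small POSIX sh audit that takes the bounding-set value and the profile text and reports when either layer still lacks dac_read_search or still grants dac_override. The sample bounding sets and profile fragments below are constructed for illustration; the page does not show the real unit file or the full profile, and the other capabilities listed in them are assumptions. On a real system the bounding set can be obtained with `systemctl show -p CapabilityBoundingSet <unit>` and the profile read from its file under /etc/apparmor.d.

```shell
#!/bin/sh
# Added example (not code from the bug report, the tor project or the
# Debian package). Audits the two confinement layers discussed in the
# thread for the "read-only directory check as root" pattern: both should
# grant dac_read_search, and neither should still grant dac_override.
#
# audit_tor_caps BOUNDING_SET PROFILE_TEXT
#   BOUNDING_SET  space-separated value of CapabilityBoundingSet=
#                 (as printed by: systemctl show -p CapabilityBoundingSet <unit>)
#   PROFILE_TEXT  contents of the AppArmor profile
# Prints one line per finding; returns 0 when both layers are consistent
# with least privilege, 1 otherwise.
audit_tor_caps() {
    bounding=" $1 "
    # Drop comment lines so a commented-out rule is not counted as granted.
    profile=$(printf '%s\n' "$2" | grep -v '^[[:space:]]*#' || true)
    status=0

    case "$bounding" in
        *" CAP_DAC_READ_SEARCH "*) ;;
        *) echo "systemd: CAP_DAC_READ_SEARCH missing from bounding set"; status=1 ;;
    esac
    case "$bounding" in
        *" CAP_DAC_OVERRIDE "*)
            echo "systemd: CAP_DAC_OVERRIDE still granted (write bypass is not needed)"
            status=1 ;;
    esac

    # A capability rule ends at its comma, so [^,]* keeps the match on one rule.
    if ! printf '%s\n' "$profile" | grep -Eq 'capability[^,]*dac_read_search'; then
        echo "apparmor: capability dac_read_search missing"; status=1
    fi
    if printf '%s\n' "$profile" | grep -Eq 'capability[^,]*dac_override'; then
        echo "apparmor: capability dac_override still granted"; status=1
    fi
    return "$status"
}

# Constructed sample inputs: the "before" state from the report and the
# "after" state the patch aims for. The real unit and profile are not on
# the page; the extra capabilities here are assumptions for illustration.
BEFORE_BOUNDING='CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE'
AFTER_BOUNDING='CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_READ_SEARCH'
BEFORE_PROFILE='  capability setuid,
  capability setgid,
  capability dac_override,'
AFTER_PROFILE='  capability setuid,
  capability setgid,
  # capability dac_override,  (dropped once dac_read_search is granted)
  capability dac_read_search,'

echo "== before (dac_override) =="
if audit_tor_caps "$BEFORE_BOUNDING" "$BEFORE_PROFILE"; then
    echo "-> consistent"
else
    echo "-> not least-privilege"
fi
echo "== after (dac_read_search) =="
if audit_tor_caps "$AFTER_BOUNDING" "$AFTER_PROFILE"; then
    echo "-> consistent"
else
    echo "-> not least-privilege"
fi
```

The check deliberately flags a mixed state (for example the systemd bounding set already narrowed but the profile still carrying dac_override), because the two layers intersect: the process only ends up with a capability both of them allow, so a mismatch either breaks startup as in the report or quietly keeps the broader capability alive.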