From: raid5atemyhomework via Guix-patches
To: Maxime Devos
Cc: 47155@debbugs.gnu.org
Date: Sat, 27 Mar 2021 11:06:40 +0000
Subject: [bug#47155] [PATCH] gnu: Respect DataDirectoryGroupReadable option of tor.
In-Reply-To: <2385f734152be7ed5351bc07dcc7d77e5f22efd0.camel@telenet.be>

Hello Maxime,

> > Note in particular that Bitcoin Core supports `ControlPort` and not `ControlSocket`, so
> > this is needed for Bitcoin Core support. From what I can see more daemons support
> > `ControlPort` than `ControlSocket`.
>
> Ok, but take a look at
> https://gitlab.torproject.org/legacy/trac/-/wikis/doc/bitcoin.
> Maybe it's out of date though: https://blog.torproject.org/tor-heart-cryptocurrencies

The issue is already known, and is mitigated by use of e.g. JoinMarket and Wasabi Wallet, when used with proper care to disentangle public coin addresses from your own spending.

In my particular case, use of Tor is not for pseudonymity (though if you want I can provide a coin address for Bitcoin and you can try donating to it and see if you can track me using the described technique, so you can try seeing if it actually works against an expert user of Bitcoin), but rather as a replacement for my lack of a public IP address --- instead of using a public IP address (which my ISP is much too stupid to provide to me unless I get a ***much*** higher tier of paid support) I use a Tor hidden service to allow other users to connect to my node.

> > Thanks
> > raid5atemyhomework
> >
> > From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
> > From: raid5atemyhomework raid5atemyhomework@protonmail.com
> > Date: Sat, 27 Mar 2021 14:29:31 +0800
> > Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.
> >
> > - gnu/services/networking.scm (tor-configuration): Add `control-port?` field.
> > (tor-configuration->torrc): Support `control-port?` field.
> > (tor-activation): Allow group access to data directory if `control-port?`.
> >
> > - doc/guix.texi (Networking Services)[Tor]: Describe new `control-port?` field.
>
> Usually we `quote', 'quote', "quote" or ‘quote’, but never `quote`.
> I recommend 'quote', as in
>
> commit 43937666ba6975b6c847be8e67cecd781ce27049
> Author: Ludovic Courtès ludo@gnu.org
> Date: Fri Mar 19 14:23:57 2021 +0100
>
> download: 'tls-wrap' treats premature TLS termination as EOF.
>
> This is a backport of Guile commit
> 076276c4f580368b4106316a77752d69c8f1494a.
>
> * guix/build/download.scm (tls-wrap)[read!]: Wrap 'get-bytevector-n!'
> call in 'catch' and handle 'error/premature-termination' GnuTLS errors.

Okay.

Thanks
raid5atemyhomework

From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
From: raid5atemyhomework
Date: Sat, 27 Mar 2021 14:29:31 +0800
Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.

* gnu/services/networking.scm (tor-configuration): Add 'control-port?' field.
(tor-configuration->torrc): Support 'control-port?' field.
(tor-activation): Allow group access to data directory if 'control-port?'.
* doc/guix.texi (Networking Services)[Tor]: Describe new 'control-port?' field.
---
 doc/guix.texi               | 13 +++++++++++++
 gnu/services/networking.scm | 24 +++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c23d044ff5..a9c8f930be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@* Copyright @copyright{} 2020 John Soo@* Copyright @copyright{} 2020 Jonathan Brielmaier@* Copyright @copyright{} 2020 Edgar Vincent@* +Copyright @copyright{} 2021 raid5atemyhomework@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands= on the UNIX domain socket @file{/var/run/tor/control-sock}, which will be made writable by members o= f the @code{tor} group. +@item @code{control-port?} (default: @code{#f}) +Whether or not to provide a ``control port'' by which Tor can be controlle= d +to, for instance, dynamically instantiate tor onion services. This is mor= e +commonly supported by Tor controllers than using a UNIX domain socket as +above. If @code{#t}, Tor will listen for authenticated control commands o= ver +the control port 9051. In order to authenticate to this port, Tor control= lers +need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, w= hich +will be made readable by members of the @code{tor} group. + +This can be set to a number instead, which will make Tor listen for contro= l +commands over the specified port number. + @end table @end deftp diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 231a9f66c7..a4fbeaadfe 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -747,7 +747,9 @@ demand."))) (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix (default 'tcp)) (control-socket? tor-control-socket-path - (default #f))) + (default #f)) + (control-port? tor-control-port? + (default #f))) ; #f | #t | number (define %tor-accounts ;; User account and groups for Tor. 
@@ -770,7 +772,8 @@ demand."))) "Return a 'torrc' file for CONFIG." (match config (($ tor config-file services - socks-socket-type control-socket?) + socks-socket-type control-socket? + control-port?) (computed-file "torrc" (with-imported-modules '((guix build utils)) @@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port)) ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeChe= ck ControlSocketsGroupWritable 1\n" port)) + (when #$control-port? + (format port + "\ +ControlPort ~a +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +DataDirectoryGroupReadable 1\n" + #$(if (eq? control-port? #t) + 9051 + control-port?))) (for-each (match-lambda ((service (ports hosts) ...) @@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%" ;; Allow Tor to access the hidden services' directories. (mkdir-p "/var/lib/tor") (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) - (chmod "/var/lib/tor" #o700) + ;; Allow Tor controllers to access the cookie file if control-port? + ;; By default this is where Tor puts the cookie file, and most Tor + ;; controllers expect this file location (and not on `/var/run/tor`)= . + (chmod "/var/lib/tor" #$(if (tor-control-port? config) + #o750 + #o700)) ;; Make sure /var/lib is accessible to the 'tor' user. (chmod "/var/lib" #o755) -- 2.31.0
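Review bot: in the doc/guix.texi hunk at @@ -16676, the new @code{control-port?} entry should state what membership of the @code{tor} group now buys: anyone who can read @file{/var/lib/tor/control_auth_cookie} has full control of the daemon (create onion services, inspect circuits, reconfigure or stop Tor), so admins should add accounts to @code{tor} deliberately. The entry should also say that a bare @code{ControlPort 9051} is bound to localhost only (Tor's default for a port-only value), and the "can be set to a number" paragraph should say the number is a TCP port.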
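Review bot: in the networking.scm hunk at @@ -747, the field is named control-port? but the comment `; #f | #t | number` says it also carries a port number, and no sanitizer is attached. A trailing ? marks a boolean elsewhere in this record (compare control-socket?), so either rename the field (control-port, taking #f, #t or a port) or keep it boolean and add a separate port field; in both cases add a sanitizer that rejects anything other than #f, #t or an integer in 1..65535, since the torrc hunk later formats the value with ~a.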
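Review bot: in the networking.scm hunk at @@ -795, `(when #$control-port? ...)` together with `#$(if (eq? control-port? #t) 9051 control-port?)` hands any non-#t truthy value to `~a` unchecked, so a misconfigured value such as an address:port string would be emitted verbatim as the `ControlPort` line and could bind the control port to a non-loopback address; check that the value is an integer port before formatting, or rely on a record sanitizer. Secondly, the doc hunk promises the cookie at /var/lib/tor/control_auth_cookie while this hunk leaves the location to Tor's default under DataDirectory; emitting `CookieAuthFile /var/lib/tor/control_auth_cookie` explicitly keeps the documented path and the generated torrc from drifting apart.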
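Review bot: in the networking.scm hunk at @@ -884, switching /var/lib/tor to #o750 lets every member of the tor group list the data directory, including the hidden services' directories the comment above the mkdir-p refers to, so onion-service names become visible to the group and their contents are protected only by those subdirectories' own modes; say so in the new comment and make sure the per-service directories stay mode 0700. Minor: the new comment uses `/var/run/tor` in backquotes, which Maxime asked to avoid in this thread; write '/var/run/tor'.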
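The patch exists so that controllers such as Bitcoin Core can authenticate to Tor by reading the cookie file the patch makes group-readable. The following is an added example, not code from the patch, from Guix or from Tor, showing what that handshake looks like on the wire and the two checks a controller should make before using the cookie. It assumes the torrc the patch emits (ControlPort 9051 on 127.0.0.1, CookieAuthentication 1, CookieAuthFileGroupReadable 1) and a controller account in the tor group; start_fake_tor is a constructed stand-in for Tor's control port, answering PROTOCOLINFO and AUTHENTICATE the way Tor does, so the example runs offline.

```python
"""Cookie authentication against a Tor control port (added example)."""
import binascii
import os
import socket
import stat
import tempfile
import threading

COOKIE_LEN = 32  # the control protocol fixes the cookie at 32 bytes


def read_cookie(path):
    """Load the cookie Tor wrote into its DataDirectory.

    Refuses a world-readable cookie (the patch opens it to the group only;
    any local user who can read it controls the daemon) and a cookie of
    the wrong length, which Tor would reject with a 515 reply anyway."""
    if os.stat(path).st_mode & stat.S_IROTH:
        raise PermissionError(f"{path} is world-readable")
    with open(path, "rb") as f:
        cookie = f.read()
    if len(cookie) != COOKIE_LEN:
        raise ValueError(f"cookie is {len(cookie)} bytes, expected {COOKIE_LEN}")
    return cookie


class ControlClient:
    """Just enough of the Tor control protocol to authenticate."""

    def __init__(self, host="127.0.0.1", port=9051):
        self.sock = socket.create_connection((host, port))
        self.rfile = self.sock.makefile("rb")

    def command(self, line):
        """Send one command; collect reply lines until the final 'NNN ' line."""
        self.sock.sendall(line.encode() + b"\r\n")
        replies = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("control port closed the connection")
            text = raw.decode().rstrip("\r\n")
            replies.append(text)
            if len(text) >= 4 and text[3] == " ":  # "250-" continues, "250 " ends
                return replies

    def authenticate(self, cookie):
        """PROTOCOLINFO says COOKIE auth is offered; AUTHENTICATE proves we read it."""
        info = self.command("PROTOCOLINFO 1")
        if not any("METHODS=" in line and "COOKIE" in line for line in info):
            raise RuntimeError("control port does not offer cookie authentication")
        reply = self.command("AUTHENTICATE " + binascii.hexlify(cookie).decode())
        if not reply[-1].startswith("250"):
            raise PermissionError(reply[-1])
        return True


def start_fake_tor(cookie):
    """Constructed stand-in for Tor's control port; returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    expected = binascii.hexlify(cookie).decode()

    def serve():
        conn, _ = srv.accept()
        rfile = conn.makefile("rb")
        while True:
            raw = rfile.readline()
            if not raw:
                break
            line = raw.decode().strip()
            if line.upper().startswith("PROTOCOLINFO"):
                conn.sendall(b"250-PROTOCOLINFO 1\r\n"
                             b'250-AUTH METHODS=COOKIE,SAFECOOKIE '
                             b'COOKIEFILE="/var/lib/tor/control_auth_cookie"\r\n'
                             b"250 OK\r\n")
            elif line.upper().startswith("AUTHENTICATE"):
                parts = line.split(None, 1)
                if len(parts) == 2 and parts[1].lower() == expected:
                    conn.sendall(b"250 OK\r\n")
                else:
                    conn.sendall(b"515 Authentication failed: Wrong cookie.\r\n")
                    break  # Tor drops the connection after a failed attempt
            else:
                conn.sendall(b"510 Unrecognized command\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def authenticate_with_cookie_file(cookie_path, port):
    """What a controller in the tor group does at startup."""
    client = ControlClient(port=port)
    try:
        return client.authenticate(read_cookie(cookie_path))
    finally:
        client.sock.close()


def demo():
    """Returns (good cookie accepted, wrong cookie accepted, world-readable rejected)."""
    cookie = os.urandom(COOKIE_LEN)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "control_auth_cookie")
        with open(path, "wb") as f:
            f.write(cookie)
        os.chmod(path, 0o640)  # owner tor, group tor: what the patch arranges
        good = authenticate_with_cookie_file(path, start_fake_tor(cookie))
        try:
            ControlClient(port=start_fake_tor(cookie)).authenticate(os.urandom(COOKIE_LEN))
            wrong_accepted = True
        except PermissionError:
            wrong_accepted = False
        os.chmod(path, 0o644)  # a sloppy chmod: read_cookie must refuse this
        try:
            read_cookie(path)
            world_rejected = False
        except PermissionError:
            world_rejected = True
    return good, wrong_accepted, world_rejected


if __name__ == "__main__":
    print(demo())
```

The permission check in read_cookie is the controller-side counterpart of CookieAuthFileGroupReadable 1: the cookie is the whole credential, so a controller that finds it readable by others should refuse to proceed rather than silently use a secret every local user already holds.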