* bug#57222: Guix Tor service needs a little more authority
@ 2022-08-15 11:15 Tobias Geerinckx-Rice via Bug reports for GNU Guix
0 siblings, 0 replies; only message in thread
From: Tobias Geerinckx-Rice via Bug reports for GNU Guix @ 2022-08-15 11:15 UTC (permalink / raw)
To: 57222
[-- Attachment #1: Type: text/plain, Size: 924 bytes --]
Hi all,
I recently found my Tor nodes dead, unable to bind to their port
with a confusing ‘permission denied’ error.
This was caused by a regression in Guix's Tor service: it now uses
‘least-authority-wrapper’, meaning that it… well, hasn't the
authority to bind to all ports. Oops.
Even today, (some, well-known) low ports are firewalled/flagged
noticeably less than higher ones. Thankfully, DPI isn't the norm
yet.
Reverting commit fb868cd7794f15e21298e5bdea996fbf0dad17ca fixes
this.
Our service wasn't insecure before: Tor expects to be started as
root and drop privileges through the torrc ‘User’ directive, not
the way Guix now does it through namespaces.
Still, I'll take a stab at relaxing the service's POLA parameters
to allow this, hoping to get the best of both worlds, but this is
new territory to me. Maybe that's not possible.
Kind regards,
T G-R
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 247 bytes --]
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-08-15 11:57 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-08-15 11:15 bug#57222: Guix Tor service needs a little more authority Tobias Geerinckx-Rice via Bug reports for GNU Guix
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.