Subject: [bug#47155] [PATCH] gnu: Respect DataDirectoryGroupReadable option of tor.
From: raid5atemyhomework via Guix-patches
To: Maxime Devos
Cc: 47155@debbugs.gnu.org
Date: Sat, 27 Mar 2021 06:37:52 +0000
> > If you reconfigure your OS without restarting the tor service,
> > the directory permissions are reset due to the activation code being
> > re-run and resetting the directory permissions.
> > This change simply does not chmod if the directory already exists.
>
> I believe it would be more transparent to introduce a
> (data-directory-group-readable? #t/#f), with #f as default,
> to tor-configuration (adjusting tor-configuration->torrc)
> and change the permission bits passed to chmod appropriately.
>
> (Documentation & reproducible system configuration & one integrated
> system (in the software sense) and all that)

But really though, the primary reason for this is to use the "cookie" authentication scheme with a control port on 9051. This is supported by most daemons, as the "control unix socket" (that is currently supported by the `control-socket?` option) seems to be relatively new (Tor 0.2.7.1).

This requires adding:

    ControlPort 9051
    CookieAuthentication 1
    CookieAuthFileGroupReadable 1
    DataDirectoryGroupReadable 1

In https://issues.guix.gnu.org/46549, which implements `control-socket?`, the author expressed doubt as to the safety of this mechanism. Looking at the Tor manpage regarding `ControlPort`:

```
Note: unless you also specify one or more of HashedControlPassword or CookieAuthentication, setting this option will cause Tor to allow any process on the local host to control it. (Setting both authentication methods means either method is sufficient to authenticate to Tor.) This option is required for many Tor controllers; most use the value of 9051.
```

Basically, this is safe as long as you use *either* `HashedControlPassword` *or* `CookieAuthentication` *or* both; in the case of `CookieAuthentication` only users with read access to the cookie file can access it. Nearly every daemon that needs control access over Tor (usually to set up their own hidden service using their own privkey) expects `CookieAuthentication` and reads from `/var/lib/tor/control_auth_cookie`, which requires that `/var/lib/tor` be readable (else it can't look up the filename). It becomes just as safe as the control-unix-socket option, as that is similarly gated by file permissions.

Note in particular that Bitcoin Core supports `ControlPort` and not `ControlSocket`, so this is needed for Bitcoin Core support. From what I can see more daemons support `ControlPort` than `ControlSocket`.

Thanks
raid5atemyhomework

From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
From: raid5atemyhomework
Date: Sat, 27 Mar 2021 14:29:31 +0800
Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.

* gnu/services/networking.scm (tor-configuration): Add `control-port?` field.
(tor-configuration->torrc): Support `control-port?` field.
(tor-activation): Allow group access to data directory if `control-port?`.
* doc/guix.texi (Networking Services)[Tor]: Describe new `control-port?` field.
---
 doc/guix.texi               | 13 +++++++++++++
 gnu/services/networking.scm | 24 +++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c23d044ff5..a9c8f930be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@* Copyright @copyright{} 2020 John Soo@* Copyright @copyright{} 2020 Jonathan Brielmaier@* Copyright @copyright{} 2020 Edgar Vincent@* +Copyright @copyright{} 2021 raid5atemyhomework@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands= on the UNIX domain socket @file{/var/run/tor/control-sock}, which will be made writable by members o= f the @code{tor} group. +@item @code{control-port?} (default: @code{#f}) +Whether or not to provide a ``control port'' by which Tor can be controlle= d +to, for instance, dynamically instantiate tor onion services. This is mor= e +commonly supported by Tor controllers than using a UNIX domain socket as +above. If @code{#t}, Tor will listen for authenticated control commands o= ver +the control port 9051. In order to authenticate to this port, Tor control= lers +need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, w= hich +will be made readable by members of the @code{tor} group. + +This can be set to a number instead, which will make Tor listen for contro= l +commands over the specified port number rather than the default 9051. + @end table @end deftp diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 231a9f66c7..a4fbeaadfe 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -747,7 +747,9 @@ demand."))) (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix (default 'tcp)) (control-socket? tor-control-socket-path - (default #f))) + (default #f)) + (control-port? tor-control-port? + (default #f))) ; #f | #t | number (define %tor-accounts ;; User account and groups for Tor. 
@@ -770,7 +772,8 @@ demand."))) "Return a 'torrc' file for CONFIG." (match config (($ tor config-file services - socks-socket-type control-socket?) + socks-socket-type control-socket? + control-port?) (computed-file "torrc" (with-imported-modules '((guix build utils)) @@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port)) ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeChe= ck ControlSocketsGroupWritable 1\n" port)) + (when #$control-port? + (format port + "\ +ControlPort ~a +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +DataDirectoryGroupReadable 1\n" + #$(if (eq? control-port? #t) + 9051 + control-port?))) (for-each (match-lambda ((service (ports hosts) ...) @@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%" ;; Allow Tor to access the hidden services' directories. (mkdir-p "/var/lib/tor") (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) - (chmod "/var/lib/tor" #o700) + ;; Allow Tor controllers to access the cookie file if control-port? + ;; By default this is where Tor puts the cookie file, and most Tor + ;; controllers expect this file location (and not on `/var/run/tor`)= . + (chmod "/var/lib/tor" #$(if (tor-control-port? config) + #o750 + #o700)) ;; Make sure /var/lib is accessible to the 'tor' user. (chmod "/var/lib" #o755) -- 2.31.0
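Review bot: the new `@item @code{control-port?}` entry in the doc/guix.texi hunk says the cookie file is made readable by members of the `tor` group but not what that membership grants; by the manpage excerpt quoted in this message, a controller that authenticates can fully control the daemon (including creating onion services), so add a sentence such as ``Any member of the @code{tor} group can therefore control Tor; add only trusted controller daemons to that group.'' It should also say that only cookie authentication is offered for this port, since the generated torrc sets `CookieAuthentication 1` and no `HashedControlPassword`.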
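Review bot: the `control-port?` field added to the `tor-configuration` record carries the comment `; #f | #t | number` but nothing enforces it, so a string, a negative number or a port above 65535 would be spliced verbatim into `ControlPort ~a` in the torrc; add a `sanitize` clause that accepts only `#f`, `#t` or an exact integer in 1..65535 and raises a configuration error otherwise. Style: a field name ending in `?` conventionally holds a boolean in Guix records, while this one may hold a port number; consider naming it `control-port` (as `socks-socket-type` is named), keeping the `?` only if the field stays boolean.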
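Review bot: switching the `chmod "/var/lib/tor"` in `tor-activation` between `#o750` and `#o700` on `(tor-control-port? config)` does re-apply the intended mode on every reconfigure (the complaint that opened this bug), but making the whole data directory group-readable also lets `tor` group members list the hidden services' directories beneath it, not just open the cookie file; the comment in the hunk should say so, and the docstring should mention it so users know what joining the group exposes.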
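As an added illustration (not part of this patch or of Guix), here is a small Python check for the `ControlPort` caveat quoted from the Tor manpage above, together with a Python re-statement of the torrc fragment the patch generates for `control-port?`. The torrc samples are constructed; the parser assumes one `Option value` per line with `#`-prefixed comment lines, and only the control-port related options are inspected.

```python
"""Added example (not part of the patch or of Guix): audit a torrc for the
ControlPort caveat quoted from the Tor manual, and re-state in Python the
torrc fragment the patch emits for `control-port?`.

Assumptions: one `Option value` per line; lines starting with '#' are
comments; only the control-port related options are inspected.
"""
from typing import Dict, List, Tuple, Union

DEFAULT_CONTROL_PORT = 9051  # the port most Tor controllers expect


def render_control_port(control_port: Union[bool, int]) -> str:
    """Python re-statement of the patch's torrc fragment: #t -> port 9051,
    a number -> that port, #f -> nothing. Illustrative, not the Scheme code."""
    if control_port is False:
        return ""
    port = DEFAULT_CONTROL_PORT if control_port is True else int(control_port)
    return (f"ControlPort {port}\n"
            "CookieAuthentication 1\n"
            "CookieAuthFileGroupReadable 1\n"
            "DataDirectoryGroupReadable 1\n")


def parse_torrc(text: str) -> Dict[str, List[str]]:
    """Group option values by lower-cased option name (Tor option names are
    case-insensitive). Blank lines and '#' comment lines are skipped."""
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) == 2 else ""
        options.setdefault(parts[0].lower(), []).append(value)
    return options


def _enabled(options: Dict[str, List[str]], name: str) -> bool:
    """True if the boolean option NAME is set to 1 anywhere in the file."""
    return any(v.split()[:1] == ["1"] for v in options.get(name, []))


def audit_control_port(text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for the control-port setup in
    TEXT. 'error' follows the manual: a ControlPort with neither
    CookieAuthentication nor HashedControlPassword lets any local process
    control Tor. 'warn' and 'info' cover the group-access side effects."""
    opts = parse_torrc(text)
    ports = [v for v in opts.get("controlport", []) if v and v != "0"]
    if not ports:
        return []  # no control port configured: nothing to audit
    findings: List[Tuple[str, str]] = []
    cookie = _enabled(opts, "cookieauthentication")
    password = bool(opts.get("hashedcontrolpassword"))
    if not (cookie or password):
        findings.append(("error",
                         f"ControlPort {ports[0]} has neither CookieAuthentication "
                         "nor HashedControlPassword: any local process can control Tor"))
    if cookie and _enabled(opts, "cookieauthfilegroupreadable"):
        findings.append(("info",
                         "CookieAuthFileGroupReadable 1: every member of Tor's group "
                         "can authenticate to the control port; keep that group minimal"))
    if cookie and not _enabled(opts, "datadirectorygroupreadable"):
        findings.append(("warn",
                         "DataDirectoryGroupReadable is not set: group members cannot "
                         "reach the cookie inside the data directory"))
    return findings


# Constructed samples: the torrc the patch would generate for #t, a control
# port with no authentication at all, and cookie auth without a group-readable
# data directory.
SAMPLE_OK = "SocksPort 9050\n" + render_control_port(True)
SAMPLE_OPEN = "SocksPort 9050\nControlPort 9051\n"
SAMPLE_DIR_CLOSED = ("ControlPort 9051\nCookieAuthentication 1\n"
                     "CookieAuthFileGroupReadable 1\n")

if __name__ == "__main__":
    for label, torrc in (("ok", SAMPLE_OK), ("open", SAMPLE_OPEN),
                         ("dir-closed", SAMPLE_DIR_CLOSED)):
        print(label, audit_control_port(torrc) or "no findings")
```

Run against the generated configuration, the only finding is the informational one about group membership, which is exactly the trade-off discussed in this thread: the control port is gated by who can read the cookie, so the `tor` group is the access-control boundary.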