Bug 218587 - security/tor: transparent proxy doesn't work with default settings
Summary: security/tor: transparent proxy doesn't work with default settings
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: Jochen Neumeister
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-12 12:01 UTC by Johannes Jost Meixner
Modified: 2017-06-17 10:56 UTC (History)

See Also:
bugzilla: maintainer-feedback? (yuri)


Attachments
patch (1.52 KB, patch)
2017-06-15 16:23 UTC, Yuri Victorovich
yuri: maintainer-approval+

Description Johannes Jost Meixner freebsd_committer 2017-04-12 12:01:00 UTC
Current default settings default to running tor as a transparent proxy, and executing tor (via the rc.d script) as _tor:_tor.

This prevents tor from being able to open /dev/pf, and leads to failure.

I know of two workarounds, and both of them are quite ugly:

1. rc.conf values are changed such that
   tor_user=root
   tor_group=wheel
and corresponding /usr/local/etc/tor/torrc obtains an entry
   User _tor,

or

2. /dev/pf ownership is changed (e.g. via devfs settings to be persistent) to _tor:_tor.

The problem with 1) is that the rc.d script will modify ${tor_datadir} such that it cannot be written to by the _tor user.

The problem with 2) is changing ownership of the firewall to an unprivileged user.
Comment 1 Yuri Victorovich freebsd_committer 2017-04-12 19:22:03 UTC
Does 1. actually work for you (with modified rc script)? Starting as root and changing to _tor:_tor later seems like a solution.
Comment 2 Johannes Jost Meixner freebsd_committer 2017-04-13 10:56:23 UTC
Sure does
Comment 3 Johannes Jost Meixner freebsd_committer 2017-05-16 14:39:07 UTC
Can you move this forward please?
Comment 4 Yuri Victorovich freebsd_committer 2017-05-19 16:39:44 UTC
Sorry for the delay.
I will move this once previous patches are committed, bug#219246, in order to avoid conflicts.

Regards,
Yuri
Comment 5 Johannes Jost Meixner freebsd_committer 2017-06-15 07:32:22 UTC
(In reply to Yuri Victorovich from comment #4)
Any progress?
Comment 6 Yuri Victorovich freebsd_committer 2017-06-15 16:23:45 UTC
Created attachment 183502 [details]
patch

Implemented setuid feature.

The user should add tor_setuid=YES to /etc/rc.conf to make tor do setuid in runtime after opening the externally provided files.
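The start-up sequences discussed in the description and in this comment (the _tor:_tor default, the tor_user=root plus torrc User workaround, the /dev/pf ownership workaround, and tor_setuid=YES), modelled as an added illustration that is not the port's rc.d script. It assumes the simplified rules stated in the comments of tor_startup(): the rc.d script starts tor as tor_user, /dev/pf is openable by root or by its owner, and tor_setuid=YES starts as root and drops to tor_user after the privileged files are open.

```python
"""Model which tor start-up configurations can open /dev/pf (added example)."""
import re


def parse_rc_conf(text):
    """Parse sh-style NAME=VALUE lines as found in rc.conf; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)=(["\']?)(.*?)\2$', line)
        if m:
            conf[m.group(1)] = m.group(3)
    return conf


def parse_torrc(text):
    """Parse 'Key value' lines of a torrc, keeping the last value seen per key."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key] = value.strip()
    return conf


def tor_startup(rc_conf, torrc, pf_owner="root"):
    """Return (can_open_pf, final_user) for one configuration.

    Assumed rules (a simplification of what the PR describes):
      - rc.d starts tor as tor_user, default _tor;
      - /dev/pf can be opened by root or by the device's owner;
      - tor_setuid=YES starts tor as root and drops to tor_user afterwards;
      - otherwise the torrc 'User' directive decides the final user.
    """
    user = rc_conf.get("tor_user", "_tor")
    setuid = rc_conf.get("tor_setuid", "NO").upper() == "YES"
    start_as = "root" if setuid else user
    can_open_pf = start_as in ("root", pf_owner)
    final = user if setuid else torrc.get("User", user)
    return can_open_pf, final


# Constructed sample configurations mirroring the PR's scenarios.
DEFAULT_RC = "tor_enable=\"YES\"\n"
WORKAROUND1_RC = "tor_enable=\"YES\"\ntor_user=root\ntor_group=wheel\n"
WORKAROUND1_TORRC = "TransPort 9040\nUser _tor\n"
SETUID_RC = "tor_enable=\"YES\"\ntor_setuid=YES  # new rc.conf knob\n"
```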
Comment 7 commit-hook freebsd_committer 2017-06-17 10:55:49 UTC
A commit references this bug:

Author: joneum
Date: Sat Jun 17 10:54:54 UTC 2017
New revision: 443770
URL: https://svnweb.freebsd.org/changeset/ports/443770

Log:
  - security/tor: Implemented setuid feature
   *The user should add tor_setuid=YES to /etc/rc.conf
    to make tor do setuid in runtime after opening the
    externally provided files.

  PR:		218587
  Submitted by:	xmj
  Approved by:	Yuri Victorovich <yuri at rawbw.com> (maintainer)
  Approved by:	miwi (mentor)
  Differential Revision:	https://reviews.freebsd.org/D11223

Changes:
  head/security/tor/Makefile
  head/security/tor/files/tor.in
Comment 8 Jochen Neumeister freebsd_committer 2017-06-17 10:56:09 UTC
Committed, thanks :-)