
List:       ipfire-development
Subject:    Re: [PATCH] Tor: fix permissions of /var/ipfire/tor/torrc after installation
From:       Michael Tremer <michael.tremer () ipfire ! org>
Date:       2019-10-30 10:41:38
Message-ID: 9B5B66C2-7528-4F5D-BD29-0DA5F812F5E6 () ipfire ! org

Hi,

> On 29 Oct 2019, at 18:37, peter.mueller@ipfire.org wrote:
> 
> Fixes #12220
> 
> Reported-by: Michael Tremer <michael.tremer@ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
> ---
> lfs/tor                 | 2 +-
> src/paks/tor/install.sh | 8 ++++----
> 2 files changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/lfs/tor b/lfs/tor
> index ea07f6ce2..178f84be9 100644
> --- a/lfs/tor
> +++ b/lfs/tor
> @@ -32,7 +32,7 @@ DL_FROM    = $(URL_IPFIRE)
> DIR_APP    = $(DIR_SRC)/$(THISAPP)
> TARGET     = $(DIR_INFO)/$(THISAPP)
> PROG       = tor
> -PAK_VER    = 43
> +PAK_VER    = 44
> 
> DEPS       = "libseccomp"
> 
> diff --git a/src/paks/tor/install.sh b/src/paks/tor/install.sh
> index 4d0353155..369b65f71 100644
> --- a/src/paks/tor/install.sh
> +++ b/src/paks/tor/install.sh
> @@ -36,10 +36,10 @@ extract_files
> restore_backup ${NAME}
> 
> # Adjust some folder permission for new UID/GID
> -chown -R tor:tor /var/lib/tor /var/ipfire/tor
> +chown -R tor:tor /var/lib/tor
> +chown -R tor:nobody /var/ipfire/tor
> 
> -# Tor settings file needs to be writeable by nobody group for WebUI
> -chown tor:nobody /var/ipfire/tor/settings
> -chmod 664 /var/ipfire/tor/settings
> +# Tor settings files needs to be writeable by nobody group for WebUI
> +chmod 664 /var/ipfire/tor/{settings,torrc}

There was no problem with the settings file here before. That was writable by the web UI, but they have just not been written to torrc.

I would question if we need to have write permissions for the tor user to the settings file.

Should it not be the other way around where the file is being owned by nobody, and tor can read it? Why does tor need to modify its own configuration file?

Best,
-Michael

> 
> start_service --background ${NAME}
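
Review bot: "chown -R tor:nobody /var/ipfire/tor" now gives group nobody to every file under that directory, where the removed lines changed the group of the settings file only. Since only settings and torrc get mode 664 afterwards, consider keeping the recursive chown as tor:tor and running "chown tor:nobody" on just those two files. The {settings,torrc} brace expansion in the chmod line is a bash feature, so if this script can be run by a plain POSIX sh the path is passed literally and the chmod fails; spelling out both paths avoids that. Owner tor with mode 664 also leaves torrc writable by the daemon itself and readable by all users, so the comment above the chmod should say why each of those is needed. In that comment, "files needs" should read "files need".
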
> -- 
> 2.16.4

