Date: Sat, 27 Mar 2021 06:37:52 +0000
To: Maxime Devos
From: raid5atemyhomework
Subject: Re: [bug#47155] [PATCH] gnu: Respect DataDirectoryGroupReadable option of tor.
Cc: 47155@debbugs.gnu.org

> > If you reconfigure your OS without restarting the tor service,
> > the directory permissions are reset due to the activation code being
> > re-run and resetting the directory permissions.
> > This change simply does not chmod if the directory already exists.
>
> I believe it would be more transparent to introduce a
> (data-directory-group-readable? #t/#f), with #f as default,
> to tor-configuration (adjusting tor-configuration->torrc)
> and change the permission bits passed to chmod appropriately.
>
> (Documentation & reproducible system configuration & one integrated
> system (in the software sense) and all that)

But really though, the primary reason for this is to use the "cookie" authentication scheme with a control port on 9051. This is supported by most daemons, as the "control unix socket" (that is currently supported by the `control-socket?` option) seems to be relatively new (Tor 0.2.7.1).
This requires adding:

```
ControlPort 9051
CookieAuthentication 1
CookieAuthFileGroupReadable 1
DataDirectoryGroupReadable 1
```

In https://issues.guix.gnu.org/46549, which implements `control-socket?`, the author expressed doubt as to the safety of this mechanism. Looking at the Tor manpage regarding `ControlPort`:

```
Note: unless you also specify one or more of HashedControlPassword or
CookieAuthentication, setting this option will cause Tor to allow any
process on the local host to control it. (Setting both authentication
methods means either method is sufficient to authenticate to Tor.) This
option is required for many Tor controllers; most use the value of 9051.
```

Basically, this is safe as long as you use *either* `HashedControlPassword` *or* `CookieAuthentication` *or* both; in the case of `CookieAuthentication` only users with read access to the cookie file can access it. Nearly every daemon that needs control access over Tor (usually to set up their own hidden service using their own privkey) expects `CookieAuthentication` and reads from `/var/lib/tor/control_auth_cookie`, which requires that `/var/lib/tor` be readable (else it can't look up the filename). It becomes just as safe as the control-unix-socket option, as that is similarly gated by file permissions.

Note in particular that Bitcoin Core supports `ControlPort` and not `ControlSocket`, so this is needed for Bitcoin Core support. From what I can see, more daemons support `ControlPort` than `ControlSocket`.

Thanks
raid5atemyhomework

From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
From: raid5atemyhomework Date: Sat, 27 Mar 2021 14:29:31 +0800 Subject: [PATCH] gnu: Add 'control-port?' setting to Tor. * gnu/services/networking.scm (tor-configuration): Add `control-port?` fiel= d. (tor-configuration->torrc): Support `control-port?` field. (tor-activation): Allow group access to data directory if `control-port?`. * doc/guix.texi (Networking Services)[Tor]: Describe new `control-port?` fi= eld. --- doc/guix.texi | 13 +++++++++++++ gnu/services/networking.scm | 24 +++++++++++++++++++++--- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index c23d044ff5..a9c8f930be 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@* Copyright @copyright{} 2020 John Soo@* Copyright @copyright{} 2020 Jonathan Brielmaier@* Copyright @copyright{} 2020 Edgar Vincent@* +Copyright @copyright{} 2021 raid5atemyhomework@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands= on the UNIX domain socket @file{/var/run/tor/control-sock}, which will be made writable by members o= f the @code{tor} group. +@item @code{control-port?} (default: @code{#f}) +Whether or not to provide a ``control port'' by which Tor can be controlle= d +to, for instance, dynamically instantiate tor onion services. This is mor= e +commonly supported by Tor controllers than using a UNIX domain socket as +above. If @code{#t}, Tor will listen for authenticated control commands o= ver +the control port 9051. In order to authenticate to this port, Tor control= lers +need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, w= hich +will be made readable by members of the @code{tor} group. + +This can be set to a number instead, which will make Tor listen for contro= l +commands over the specified port number rather than the default 9051. + @end table @end deftp diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 231a9f66c7..a4fbeaadfe 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -747,7 +747,9 @@ demand."))) (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix (default 'tcp)) (control-socket? tor-control-socket-path - (default #f))) + (default #f)) + (control-port? tor-control-port? + (default #f))) ; #f | #t | number (define %tor-accounts ;; User account and groups for Tor. @@ -770,7 +772,8 @@ demand."))) "Return a 'torrc' file for CONFIG." (match config (($ tor config-file services - socks-socket-type control-socket?) + socks-socket-type control-socket? + control-port?) (computed-file "torrc" (with-imported-modules '((guix build utils)) 
@@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port)) ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeChe= ck ControlSocketsGroupWritable 1\n" port)) + (when #$control-port? + (format port + "\ +ControlPort ~a +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +DataDirectoryGroupReadable 1\n" + #$(if (eq? control-port? #t) + 9051 + control-port?))) (for-each (match-lambda ((service (ports hosts) ...) @@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%" ;; Allow Tor to access the hidden services' directories. (mkdir-p "/var/lib/tor") (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) - (chmod "/var/lib/tor" #o700) + ;; Allow Tor controllers to access the cookie file if control-port? + ;; By default this is where Tor puts the cookie file, and most Tor + ;; controllers expect this file location (and not on `/var/run/tor`)= . + (chmod "/var/lib/tor" #$(if (tor-control-port? config) + #o750 + #o700)) ;; Make sure /var/lib is accessible to the 'tor' user. (chmod "/var/lib" #o755) -- 2.31.0
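Review bot: in the doc/guix.texi hunk for @code{control-port?}, the entry should spell out what "readable by members of the @code{tor} group" buys an attacker: whoever can read the cookie can fully control the daemon (create circuits, change its configuration, register onion services), and, per the manpage text quoted earlier in this thread, the port itself is reachable by any local process and only the cookie stands between them and Tor. One sentence after "made readable by members of the @code{tor} group", e.g. "Any user in that group can therefore fully control Tor", plus a note that the port is bound on the local host, would let an administrator judge who to add to the group. The entry also describes a value that is either a boolean or a port number; the field name with a trailing @code{?} suggests a plain flag, so the doc and the record should agree on one type.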
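Review bot: in the tor-configuration record hunk, the new field is named control-port? yet its inline comment says it holds "#f | #t | number"; in Guix service records a trailing ? marks a boolean, so readers (and any future sanitizer) will assume a flag. Either drop the ? and make it control-port (default #f, otherwise a port number), or keep control-port? strictly boolean and add a separate numeric control-port field; the accessor tor-control-port? should follow whichever choice is made, and the (define %tor-accounts ...) context below is unaffected either way.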
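Review bot: in the torrc hunk, the value interpolated into "ControlPort ~a" is never validated: anything other than #t that is truthy, such as a string or a negative number, is written verbatim into torrc and only fails when Tor starts, rather than at guix system reconfigure time, so a check that control-port? is #t or an integer in 1..65535 belongs in tor-configuration->torrc. Two smaller points on the same lines: "ControlPort ~a" relies on Tor's default of binding a bare port on the loopback address, and writing "ControlPort 127.0.0.1:~a" makes that explicit in the generated file; and "DataDirectoryGroupReadable 1" opens the whole data directory to the group when only the cookie file needs to be readable, so pointing CookieAuthFile at a file under /var/run/tor (where ControlSocket already lives) would let /var/lib/tor stay private. The reply above argues that most controllers expect the default cookie path, so if the default is kept on purpose, a comment next to the option saying so will save the next reviewer the same question.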
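Review bot: in the tor-activation hunk, chmod #o750 only grants the intended access if the group owner of /var/lib/tor is the tor group; the chown two lines above uses (passwd:gid %user), i.e. the tor user's primary group, so this is correct only while %tor-accounts keeps that primary group as "tor", and the comment should state that dependency since the documentation promises access to "members of the tor group". The hunk relaxes only the top-level directory; the comment at the start of this block mentions the hidden services' directories under it, which are not shown here, so please confirm they keep their 0700 mode so that group members can read the cookie but not onion service private keys. On the positive side, deriving the mode from the configuration rather than from whether the directory already exists also settles the reconfigure complaint that opened this bug, since re-running the activation now yields the same mode every time.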
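The cookie-authenticated control port discussed in the reply above, as an added example that is not part of this message, the Guix patch, or the Tor project: a small Python controller that reads the cookie file at the default location the patch relies on (which is why /var/lib/tor has to be group-readable), and authenticates with Tor's SAFECOOKIE challenge-response from the control-spec (HMAC-SHA256 over cookie, client nonce and server nonce with the two fixed key strings), so the cookie is proven rather than sent in the clear. The FakeTor class standing in for the daemon side, the 32-byte test cookie, and the 127.0.0.1:9051 default are constructed assumptions so the exchange runs offline; login_over_tcp performs the same exchange against a real ControlPort.

```python
"""Added example (not from the Guix patch, this thread, or the Tor project):
a minimal Tor ControlPort client using cookie authentication.

Assumptions (constructed for this example):
  * COOKIE_PATH is Tor's default cookie location, which the patch relies on.
  * FakeTor is a stand-in for the daemon side so the exchange runs offline.
  * 127.0.0.1:9051 is the port the patch writes into torrc.
"""
import hashlib
import hmac
import os
import socket

COOKIE_PATH = "/var/lib/tor/control_auth_cookie"
# Fixed HMAC keys from Tor's control-spec (AUTHCHALLENGE / SAFECOOKIE).
SERVER_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_KEY = b"Tor safe cookie authentication controller-to-server hash"


def read_cookie(path=COOKIE_PATH):
    """Read the 32-byte cookie.  This open() is the step that needs
    DataDirectoryGroupReadable 1 (to traverse /var/lib/tor) and
    CookieAuthFileGroupReadable 1 (to read the file) for non-tor users."""
    with open(path, "rb") as f:
        cookie = f.read()
    if len(cookie) != 32:
        raise ValueError("cookie must be 32 bytes, got %d" % len(cookie))
    return cookie


def plain_cookie_line(cookie):
    """Plain CookieAuthentication: the cookie itself goes over the wire in hex.
    Acceptable on a local port, but SAFECOOKIE below never reveals it."""
    return "AUTHENTICATE " + cookie.hex()


def server_hash(cookie, client_nonce, server_nonce):
    return hmac.new(SERVER_KEY, cookie + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def client_hash(cookie, client_nonce, server_nonce):
    return hmac.new(CLIENT_KEY, cookie + client_nonce + server_nonce,
                    hashlib.sha256).digest()


def parse_authchallenge(line):
    """Parse '250 AUTHCHALLENGE SERVERHASH=<hex> SERVERNONCE=<hex>'."""
    if not line.startswith("250 AUTHCHALLENGE "):
        raise ValueError("unexpected reply: %r" % line)
    fields = dict(kv.split("=", 1) for kv in line.split()[2:])
    return bytes.fromhex(fields["SERVERHASH"]), bytes.fromhex(fields["SERVERNONCE"])


def safecookie_login(cookie, send):
    """Controller side of SAFECOOKIE; send(line) returns Tor's reply line.
    Returns True when Tor answers the AUTHENTICATE with a 250."""
    client_nonce = os.urandom(32)
    reply = send("AUTHCHALLENGE SAFECOOKIE " + client_nonce.hex())
    sh, server_nonce = parse_authchallenge(reply)
    # Check that the peer holds the same cookie before sending our own proof.
    if not hmac.compare_digest(sh, server_hash(cookie, client_nonce, server_nonce)):
        raise RuntimeError("server hash mismatch: peer does not hold our cookie")
    reply = send("AUTHENTICATE " + client_hash(cookie, client_nonce, server_nonce).hex())
    return reply.startswith("250")


class FakeTor:
    """Constructed stand-in for the daemon side (not Tor's code)."""

    def __init__(self, cookie):
        self.cookie = cookie
        self.client_nonce = self.server_nonce = None
        self.authenticated = False

    def handle(self, line):
        words = line.split()
        if words[:2] == ["AUTHCHALLENGE", "SAFECOOKIE"] and len(words) == 3:
            self.client_nonce = bytes.fromhex(words[2])
            self.server_nonce = os.urandom(32)
            sh = server_hash(self.cookie, self.client_nonce, self.server_nonce)
            return "250 AUTHCHALLENGE SERVERHASH=%s SERVERNONCE=%s" % (
                sh.hex(), self.server_nonce.hex())
        if words[:1] == ["AUTHENTICATE"] and len(words) == 2:
            proof = bytes.fromhex(words[1])
            if self.client_nonce is None:      # plain cookie: proof is the cookie
                expected = self.cookie
            else:                              # SAFECOOKIE: proof is the client hash
                expected = client_hash(self.cookie, self.client_nonce, self.server_nonce)
            if hmac.compare_digest(proof, expected):
                self.authenticated = True
                return "250 OK"
        return "515 Authentication failed"


def login_over_tcp(cookie, host="127.0.0.1", port=9051):
    """Same exchange against a real ControlPort (needs a running Tor)."""
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")

        def send(line):
            sock.sendall((line + "\r\n").encode())
            return reader.readline().decode().rstrip("\r\n")

        ok = safecookie_login(cookie, send)
        send("QUIT")
        return ok


if __name__ == "__main__":
    demo_cookie = bytes(range(32))           # constructed, not read from disk
    print("offline login:", safecookie_login(demo_cookie, FakeTor(demo_cookie).handle))
```

Against a real system the only change is `login_over_tcp(read_cookie())`; if that open() fails with EACCES for a user in the tor group, the data directory or cookie file is not group-readable, which is exactly the state the patch's activation and torrc changes are meant to fix.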