Skip to content

GitLab

Trac
Trac

GitLab is used only for code review, issue tracking and project management. Canonical locations for source code are still https://gitweb.torproject.org/ https://git.torproject.org/ and git-rw.torproject.org.

Closed (moved)
Opened by Roger Dingledine@arma

SocksPolicy has no way to refer to AF_UNIX sockets

Imagine you set your torrc to say

SOCKSPort 0.0.0.0:9050 PreferSOCKSNoAuth IsolateSOCKSAuth KeepAliveIsolateSOCKSAuth IsolateClientAddr IPv6Traffic CacheDNS CacheIPv4DNS UseIPv4Cache UseDNSCache
+SOCKSPort unix:/run/tor/socks GroupWritable WorldWritable RelaxDirModeCheck CacheDNS CacheIPv4DNS UseIPv4Cache UseDNSCache
SOCKSPolicy accept 10.0.0.0/8
SOCKSPolicy accept 127.0.0.0/8
SOCKSPolicy accept 169.254.0.0/16
SOCKSPolicy accept 172.0.0.0/8
SOCKSPolicy accept 192.168.0.0/8
SOCKSPolicy accept 192.168.192.0/24
SOCKSPolicy reject *

and then you try to make a connection to your local socks socket. You'll get

[notice] {APP} Denying socks connection from untrusted address AF_UNIX.

I think that happens because of the final "reject *" item in the sockspolicy.

How should this person write "and I want to allow connections to the socks socket too" in their sockspolicy?

A workaround in the meantime was to write "SocksPolicy reject *4" at the end rather than *. But it seems like being able to explicitly refer to AF_UNIX would be a good feature to have. Maybe "SocksPolicy accept unix" is the right syntax?

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information