Commit 204374f7 authored by Nick Mathewson's avatar Nick Mathewson 👁
Browse files

Remove SocksSocket; it's now spelled differently thanks to 14451

Also, revise bug12585 changes file to mention new syntax
parent ebc59092
o Major features (security)
- Implementation of SocksSocket option - SocksSocket implements a SOCKS
- Implementation of an AF_UNIX socket option to implement a SOCKS
proxy reachable by Unix Domain Socket. This allows client applications to
communicate with Tor without having the ability to create AF_INET or
AF_INET6 family sockets. If an application has permission to create a socket
with AF_UNIX, it may directly communicate with Tor as if it were an other
SOCKS proxy. This should allow high risk applications to be entirely prevented
from connecting directly with TCP/IP, they will be able to only connect to the
internet through AF_UNIX and only through Tor. Closes ticket 12585.
internet through AF_UNIX and only through Tor.
To create a socket of this type, use the syntax "unix:/path/to/socket".
Closes ticket 12585.
......@@ -483,10 +483,6 @@ GENERAL OPTIONS
in accordance to RFC 1929. Both username and password must be between 1 and
255 characters.
[[SocksSocket]] **SocksSocket** __Path__ [_flags_] [_isolation flags_]::
Like SocksPort, but listens on a Unix domain socket, rather than a TCP
socket. '0' disables SocksSocket (Unix and Unix-like systems only.)
[[SocksSocketsGroupWritable]] **SocksSocketsGroupWritable** **0**|**1**::
If this option is set to 0, don't allow the filesystem group to read and
write unix sockets (e.g. SocksSocket). If the option is set to 1, make
......
......@@ -69,7 +69,7 @@
extern int quiet_level;
/* Prefix used to indicate a Unix socket in a FooPort configuration. */
static const char *unix_socket_prefix = "unix:";
static const char unix_socket_prefix[] = "unix:";
/** A list of abbreviations and aliases to map command-line options, obsolete
* option names, or alternative option names, to their current values. */
......@@ -203,7 +203,6 @@ static config_var_t option_vars_[] = {
V(ControlPortWriteToFile, FILENAME, NULL),
V(ControlSocket, LINELIST, NULL),
V(ControlSocketsGroupWritable, BOOL, "0"),
V(SocksSocket, LINELIST, NULL),
V(SocksSocketsGroupWritable, BOOL, "0"),
V(CookieAuthentication, BOOL, "0"),
V(CookieAuthFileGroupReadable, BOOL, "0"),
......@@ -1053,20 +1052,6 @@ options_act_reversible(const or_options_t *old_options, char **msg)
}
#endif
#ifndef HAVE_SYS_UN_H
if (options->SocksSocket || options->SocksSocketsGroupWritable) {
*msg = tor_strdup("Unix domain sockets (SocksSocket) not supported "
"on this OS/with this build.");
goto rollback;
}
#else
if (options->SocksSocketsGroupWritable && !options->SocksSocket) {
*msg = tor_strdup("Setting SocksSocketGroupWritable without setting"
"a SocksSocket makes no sense.");
goto rollback;
}
#endif
if (running_tor) {
int n_ports=0;
/* We need to set the connection limit before we can open the listeners. */
......@@ -5656,6 +5641,14 @@ config_parse_unix_port(const char *addrport, char **path_out)
int
config_parse_unix_port(const char *addrport, char **path_out)
{
tor_assert(path_out);
tor_assert(addrport);
if (strcmpstart(addrport, unix_socket_prefix)) {
/* Not a Unix socket path. */
return -ENOENT;
}
log_warn(LD_CONFIG,
"Port configuration %s is for an AF_UNIX socket, but we have no"
"support available on this platform",
......@@ -6218,13 +6211,6 @@ parse_ports(or_options_t *options, int validate_only,
*msg = tor_strdup("Invalid ControlSocket configuration");
goto err;
}
if (parse_port_config(ports, options->SocksSocket, NULL,
"SocksSocket",
CONN_TYPE_AP_LISTENER, NULL, 0,
CL_PORT_IS_UNIXSOCKET) < 0) {
*msg = tor_strdup("Invalid SocksSocket configuration");
goto err;
}
}
if (! options->ClientOnly) {
if (parse_port_config(ports,
......@@ -6268,8 +6254,6 @@ parse_ports(or_options_t *options, int validate_only,
!! count_real_listeners(ports, CONN_TYPE_OR_LISTENER);
options->SocksPort_set =
!! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
options->SocksSocket_set =
!! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
options->TransPort_set =
!! count_real_listeners(ports, CONN_TYPE_AP_TRANS_LISTENER);
options->NATDPort_set =
......
......@@ -1496,7 +1496,7 @@ connection_handle_listener_read(connection_t *conn, int new_type)
if (new_type == CONN_TYPE_AP && conn->socket_family == AF_UNIX) {
newconn->port = 0;
newconn->address = tor_strdup(conn->address);
log_info(LD_NET, "New SOCKS SocksSocket connection opened");
log_info(LD_NET, "New SOCKS AF_UNIX connection opened");
}
if (new_type == CONN_TYPE_CONTROL) {
log_notice(LD_CONTROL, "New control connection opened from %s.",
......
......@@ -3463,9 +3463,6 @@ typedef struct {
* for control connections. */
int ControlSocketsGroupWritable; /**< Boolean: Are control sockets g+rw? */
config_line_t *SocksSocket; /**< List of Unix Domain Sockets to listen on
* for SOCKS connections. */
int SocksSocketsGroupWritable; /**< Boolean: Are SOCKS sockets g+rw? */
/** Ports to listen on for directory connections. */
config_line_t *DirPort_lines;
......@@ -3489,7 +3486,6 @@ typedef struct {
*/
unsigned int ORPort_set : 1;
unsigned int SocksPort_set : 1;
unsigned int SocksSocket_set : 1;
unsigned int TransPort_set : 1;
unsigned int NATDPort_set : 1;
unsigned int ControlPort_set : 1;
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment