Make HiddenServiceDirGroupReadable per-hidden-service

7caf7e9f · meejah · ae18c081 · 7caf7e9f · 7caf7e9f
Commit 7caf7e9f authored Aug 30, 2014 by meejah
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -271,8 +271,8 @@ static config_var_t option_vars_[] = {
  V(AccelDir,                    FILENAME, NULL),
  V(HashedControlPassword,       LINELIST, NULL),
  V(HidServDirectoryV2,          BOOL,     "1"),
-  V(HiddenServiceDirGroupReadable,  BOOL,     "0"),
  VAR("HiddenServiceDir",    LINELIST_S, RendConfigLines,    NULL),
+  VAR("HiddenServiceDirGroupReadable",  LINELIST_S, RendConfigLines, NULL),
  OBSOLETE("HiddenServiceExcludeNodes"),
  OBSOLETE("HiddenServiceNodes"),
  VAR("HiddenServiceOptions",LINELIST_V, RendConfigLines,    NULL),

--- a/src/or/rendservice.c
+++ b/src/or/rendservice.c
@@ -95,6 +95,7 @@ typedef struct rend_service_port_config_t {
 typedef struct rend_service_t {
  /* Fields specified in config file */
  char *directory; /**< where in the filesystem it stores it */
+  int dir_group_readable; /**< if 1, allow group read permissions on directory */
  smartlist_t *ports; /**< List of rend_service_port_config_t */
  rend_auth_type_t auth_type; /**< Client authorization type or 0 if no client
                               * authorization is performed. */
@@ -359,6 +360,7 @@ rend_config_services(const or_options_t *options, int validate_only)
  rend_service_t *service = NULL;
  rend_service_port_config_t *portcfg;
  smartlist_t *old_service_list = NULL;
+  int ok = 0;

  if (!validate_only) {
    old_service_list = rend_service_list;
@@ -393,6 +395,15 @@ rend_config_services(const or_options_t *options, int validate_only)
        return -1;
      }
      smartlist_add(service->ports, portcfg);
+    } else if (!strcasecmp(line->key, "HiddenServiceDirGroupReadable")) {
+        service->dir_group_readable = (int)tor_parse_long(line->value, 10, 0, 1, &ok, NULL);
+        if (!ok) {
+            log_warn(LD_CONFIG, "HiddenServiceDirGroupReadable should be 0 or 1, not %s",
+                     line->value);
+            rend_service_free(service);
+            return -1;
+        }
+        log_info(LD_CONFIG, "HiddenServiceDirGroupReadable=%d for %s", service->dir_group_readable, service->directory);
    } else if (!strcasecmp(line->key, "HiddenServiceAuthorizeClient")) {
      /* Parse auth type and comma-separated list of client names and add a
       * rend_authorized_client_t for each client to the service's list
@@ -696,7 +707,7 @@ rend_service_load_keys(rend_service_t *s)
  char buf[128];
  cpd_check_t  check_opts = CPD_CREATE;

-  if (get_options()->HiddenServiceDirGroupReadable) {
+  if (s->dir_group_readable) {
    check_opts |= CPD_GROUP_READ;
  }
  /* Check/create directory */
@@ -704,7 +715,7 @@ rend_service_load_keys(rend_service_t *s)
    return -1;
  }
 #ifndef _WIN32
-  if (get_options()->HiddenServiceDirGroupReadable) {
+  if (s->dir_group_readable) {
    /* Only new dirs created get new opts, also enforce group read. */
    if (chmod(s->directory, 0750)) {
      log_warn(LD_FS,"Unable to make %s group-readable.", s->directory);
@@ -748,7 +759,7 @@ rend_service_load_keys(rend_service_t *s)
    return -1;
  }
 #ifndef _WIN32
-  if (get_options()->HiddenServiceDirGroupReadable) {
+  if (s->dir_group_readable) {
    /* Also verify hostname file created with group read. */
    if (chmod(fname, 0640)) {
      log_warn(LD_FS,"Unable to make hidden hostname file %s group-readable.", fname);