Patch: Open /dev/pf before dropping privileges with TransPort
Currently, when using TransPort and OpenBSD pf, Tor opens /dev/pf after dropping privileges, so the permissions on /dev/pf must be modified to allow access to the unprivileged Tor user.
The patch should ensure that /dev/pf is opened while Tor is still running as root.
Note: diff is to trunk
Index: src/or/config.c
--- src/or/config.c (revision 16230)
+++ src/or/config.c (working copy)
@@ -1060,6 +1060,16 @@ } }
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
- /* Open /dev/pf before dropping privileges. */
- if (options->TransPort) {
- if (get_pf_socket() < 0) {
-
*msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
-
goto rollback;
- }
- } +#endif
- /* Setuid/setgid as appropriate / if (options->User || options->Group) { / XXXX021 We should only do this the first time through, not on
Index: src/or/connection_edge.c
===================================================================
--- src/or/connection_edge.c (revision 16230)
+++ src/or/connection_edge.c (working copy)
@@ -1641,8 +1641,7 @@
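Review bot: The new call and the or.h declaration are compiled under `#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)`, while the definition in connection_edge.c stays under `#ifdef TRANS_PF`; unless TRANS_PF is derived from exactly those two macros, a build can see the call and the prototype without the definition and fail at link time, so one guard should be used in all three places (`#ifdef TRANS_PF` is the simplest). This code sits in the options-apply path, which the following context says is also reached on reload after setuid, so turning TransPort on in a reload on a pf system will take the failure branch and roll the new config back; that is the right outcome, but the message could say why, e.g. `"Unable to open /dev/pf for transparent proxy (TransPort must be set before privileges are dropped)."`. The `-` bullets on the inner lines of this hunk look like artefacts of the ticket import, since the hunk header counts ten added and no removed lines. The enclosing function begins before this hunk.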
#ifdef TRANS_PF
static int pf_socket = -1;
-static int
-get_pf_socket(void)
+int get_pf_socket(void)
{ int pf; /* Ideally, this should be opened before dropping privs. */
Index: src/or/or.h
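Review bot: The context comment `/* Ideally, this should be opened before dropping privs. */` becomes stale with this patch, because the config.c hunk now calls get_pf_socket() ahead of the setuid/setgid block; it should state the new contract instead, e.g. `/* Called from options_act() while Tor still has root; later callers reuse pf_socket. */`, assuming the body still stores the opened descriptor in pf_socket. Exporting the function also means pf_socket is a root-opened descriptor that outlives the privilege drop; if the open() in the body does not set FD_CLOEXEC, that is worth adding there so the descriptor is not inherited by anything Tor later execs. The rest of get_pf_socket's body lies outside the hunk, so how it handles repeat calls cannot be confirmed from here.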
--- src/or/or.h (revision 16230)
+++ src/or/or.h (working copy)
@@ -2939,6 +2939,10 @@ } hostname_type_t; hostname_type_t parse_extended_hostname(char *address);
+#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
+int get_pf_socket(void);
+#endif
+
/********************************* connection_or.c ***************************/
void connection_or_remove_from_identity_map(or_connection_t *conn);
Username: loafier