Restore functionality for CookieAuthFileGroupReadable.

When we merged the cookieauthfile creation logic in 33c3e60a37, we
accidentally took out this feature.  Fixes bug 12864, bugfix on
0.2.5.1-alpha.

Also adds an ExtORPortCookieAuthFileGroupReadable, since there's no
reason not to.
This commit is contained in:
Nick Mathewson 2014-08-15 08:30:44 -04:00
parent d443658fad
commit 0808ed83f9
7 changed files with 29 additions and 2 deletions

7
changes/bug12864 Normal file
View File

@ -0,0 +1,7 @@
o Minor bugfixes:
- Restore the functionality of CookieAuthFileGroupReadable. Fixes bug
12864; bugfix on 0.2.5.1-alpha.
o Minor features:
- Add an ExtORPortCookieAuthFileGroupReadable option to make the
cookie file for the ExtORPort g+r by default.

View File

@ -224,6 +224,13 @@ GENERAL OPTIONS
for the Extended ORPort's cookie file -- the cookie file is needed
for pluggable transports to communicate through the Extended ORPort.
[[ExtORPortCookieAuthFileGroupReadable]] **ExtORPortCookieAuthFileGroupReadable** **0**|**1**::
If this option is set to 0, don't allow the filesystem group to read the
Extende OR Port cookie file. If the option is set to 1, make the cookie
file readable by the default GID. [Making the file readable by other
groups is not yet implemented; let us know if you need this for some
reason.] (Default: 0)
[[ConnLimit]] **ConnLimit** __NUM__::
The minimum number of file descriptors that must be available to the Tor
process before it will start. Tor will ask the OS for as many file

View File

@ -238,6 +238,7 @@ static config_var_t option_vars_[] = {
V(ExtendAllowPrivateAddresses, BOOL, "0"),
VPORT(ExtORPort, LINELIST, NULL),
V(ExtORPortCookieAuthFile, STRING, NULL),
V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"),
V(ExtraInfoStatistics, BOOL, "1"),
V(FallbackDir, LINELIST, NULL),
@ -6828,7 +6829,7 @@ config_maybe_load_geoip_files_(const or_options_t *options,
* <b>cookie_is_set_out</b> to True. */
int
init_cookie_authentication(const char *fname, const char *header,
int cookie_len,
int cookie_len, int group_readable,
uint8_t **cookie_out, int *cookie_is_set_out)
{
char cookie_file_str_len = strlen(header) + cookie_len;
@ -6861,6 +6862,14 @@ init_cookie_authentication(const char *fname, const char *header,
goto done;
}
#ifndef _WIN32
if (group_readable) {
if (chmod(fname, 0640)) {
log_warn(LD_FS,"Unable to make %s group-readable.", escaped(fname));
}
}
#endif
/* Success! */
log_info(LD_GENERAL, "Generated auth cookie file in '%s'.", escaped(fname));
*cookie_is_set_out = 1;

View File

@ -97,7 +97,7 @@ uint32_t get_effective_bwburst(const or_options_t *options);
char *get_transport_bindaddr_from_config(const char *transport);
int init_cookie_authentication(const char *fname, const char *header,
int cookie_len,
int cookie_len, int group_readable,
uint8_t **cookie_out, int *cookie_is_set_out);
or_options_t *options_new(void);

View File

@ -4666,6 +4666,7 @@ init_control_cookie_authentication(int enabled)
fname = get_controller_cookie_file_name();
retval = init_cookie_authentication(fname, "", /* no header */
AUTHENTICATION_COOKIE_LEN,
get_options()->CookieAuthFileGroupReadable,
&authentication_cookie,
&authentication_cookie_is_set);
tor_free(fname);

View File

@ -143,6 +143,7 @@ init_ext_or_cookie_authentication(int is_enabled)
fname = get_ext_or_auth_cookie_file_name();
retval = init_cookie_authentication(fname, EXT_OR_PORT_AUTH_COOKIE_HEADER,
EXT_OR_PORT_AUTH_COOKIE_HEADER_LEN,
get_options()->ExtORPortCookieAuthFileGroupReadable,
&ext_or_auth_cookie,
&ext_or_auth_cookie_is_set);
tor_free(fname);

View File

@ -3801,6 +3801,8 @@ typedef struct {
char *ExtORPortCookieAuthFile; /**< Filesystem location of Extended
* ORPort authentication cookie. */
int CookieAuthFileGroupReadable; /**< Boolean: Is the CookieAuthFile g+r? */
int ExtORPortCookieAuthFileGroupReadable; /**< Boolean: Is the
* ExtORPortCookieAuthFile g+r? */
int LeaveStreamsUnattached; /**< Boolean: Does Tor attach new streams to
* circuits itself (0), or does it expect a controller
* to cope? (1) */