From 3f442987f194d96a842fd15808e5d40f784cfca4 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Wed, 28 Oct 2020 11:34:30 -0400
Subject: [PATCH] Log a warning if Tor was built with any "risky" compile-time
 options

These options are meant for testing builds only, and are likely to
cause trouble if used in a production environment.

Closes #18888.
---
 changes/ticket18888          |  3 +++
 src/app/main/include.am      |  2 ++
 src/app/main/main.c          | 12 +++++++++++-
 src/app/main/risky_options.c | 35 +++++++++++++++++++++++++++++++++++
 src/app/main/risky_options.h | 17 +++++++++++++++++
 5 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 changes/ticket18888
 create mode 100644 src/app/main/risky_options.c
 create mode 100644 src/app/main/risky_options.h

diff --git a/changes/ticket18888 b/changes/ticket18888
new file mode 100644
index 0000000000..279eab76ad
--- /dev/null
+++ b/changes/ticket18888
@@ -0,0 +1,3 @@
+  o Minor features (safety):
+    - Log a warning at startup if Tor is built with compile-time options that
+      are likely to make it less stable or reliable. Closes ticket 18888.
diff --git a/src/app/main/include.am b/src/app/main/include.am
index ea392a8581..576c750377 100644
--- a/src/app/main/include.am
+++ b/src/app/main/include.am
@@ -2,6 +2,7 @@
 # ADD_C_FILE: INSERT SOURCES HERE.
 LIBTOR_APP_A_SOURCES += 			\
 	src/app/main/main.c			\
+	src/app/main/risky_options.c		\
 	src/app/main/shutdown.c			\
 	src/app/main/subsystem_list.c		\
 	src/app/main/subsysmgr.c
@@ -10,6 +11,7 @@ LIBTOR_APP_A_SOURCES += 			\
 noinst_HEADERS +=					\
 	src/app/main/main.h				\
 	src/app/main/ntmain.h				\
+	src/app/main/risky_options.h			\
 	src/app/main/shutdown.h 			\
 	src/app/main/subsysmgr.h
 
diff --git a/src/app/main/main.c b/src/app/main/main.c
index ff530c0ad0..589d365add 100644
--- a/src/app/main/main.c
+++ b/src/app/main/main.c
@@ -16,6 +16,7 @@
 #include "app/config/quiet_level.h"
 #include "app/main/main.h"
 #include "app/main/ntmain.h"
+#include "app/main/risky_options.h"
 #include "app/main/shutdown.h"
 #include "app/main/subsysmgr.h"
 #include "core/mainloop/connection.h"
@@ -539,6 +540,7 @@ tor_init(int argc, char *argv[])
 {
   char progname[256];
   quiet_level_t quiet = QUIET_NONE;
+  bool running_tor = false;
 
   time_of_process_start = time(NULL);
   tor_init_connection_lists();
@@ -562,8 +564,10 @@ tor_init(int argc, char *argv[])
        whether we log anything at all to stdout. */
     parsed_cmdline_t *cmdline;
     cmdline = config_parse_commandline(argc, argv, 1);
-    if (cmdline)
+    if (cmdline) {
       quiet = cmdline->quiet_level;
+      running_tor = (cmdline->command == CMD_RUN_TOR);
+    }
     parsed_cmdline_free(cmdline);
   }
 
@@ -599,6 +603,12 @@ tor_init(int argc, char *argv[])
       log_notice(LD_GENERAL, "This version is not a stable Tor release. "
                  "Expect more bugs than usual.");
 
+    if (strlen(risky_option_list) && running_tor) {
+      log_warn(LD_GENERAL, "This build of Tor has been compiled with one "
+               "or more options that might make it less reliable or secure! "
+               "They are:%s", risky_option_list);
+    }
+
     tor_compress_log_init_warnings();
   }
 
diff --git a/src/app/main/risky_options.c b/src/app/main/risky_options.c
new file mode 100644
index 0000000000..747dda766b
--- /dev/null
+++ b/src/app/main/risky_options.c
@@ -0,0 +1,35 @@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2020, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file risky_options.c
+ * \brief List compile-time options that might make Tor less reliable.
+ **/
+
+#include "orconfig.h"
+#include "app/main/risky_options.h"
+
+/** A space-separated list of the compile-time options might make Tor less
+ *  reliable or secure.  These options mainly exist for testing or debugging.
+ */
+const char risky_option_list[] =
+  ""
+#ifdef DISABLE_ASSERTS_IN_TEST
+  " --disable-asserts-in-test"
+#endif
+#ifdef TOR_UNIT_TESTS
+  " TOR_UNIT_TESTS"
+#endif
+#ifdef ENABLE_RESTART_DEBUGGING
+  " --enable-restart-debugging"
+#endif
+#ifdef ALL_BUGS_ARE_FATAL
+  " --enable-all-bugs-are-fatal"
+#endif
+#ifdef DISABLE_MEMORY_SENTINELS
+  " --disable-memory-sentinels"
+#endif
+  ;
diff --git a/src/app/main/risky_options.h b/src/app/main/risky_options.h
new file mode 100644
index 0000000000..4548ae3efb
--- /dev/null
+++ b/src/app/main/risky_options.h
@@ -0,0 +1,17 @@
+/* Copyright (c) 2001 Matej Pfajfar.
+ * Copyright (c) 2001-2004, Roger Dingledine.
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2020, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+/**
+ * \file risky_options.h
+ * \brief Header for risky_options.c
+ **/
+
+#ifndef TOR_RISKY_OPTIONS_H
+#define TOR_RISKY_OPTIONS_H
+
+extern const char risky_option_list[];
+
+#endif