This allows more-fine granular firewall rules (see first patch for
further information). Further, it prevents other services running as
"nobody" (Apache, ...) from reading Tor relay keys.
Fixes #11779.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
PROG = tor
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
- --with-tor-user=nobody \
- --with-tor-group=nobody
+ --with-tor-user=tor \
+ --with-tor-group=tor
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
-# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# Copyright (C) 2007-2019 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
+
+# Run Tor as dedicated user and make sure user and group exist
+if ! getent group tor &>/dev/null; then
+ groupadd -g 119 tor
+fi
+
+if ! getent passwd tor; then
+ useradd -u 119 -g tor -d /var/empty -s /bin/false tor
+
+ # Adjust some folder permission for new UID/GID
+ chown -R tor:tor /var/lib/tor /var/ipfire/tor
+fi
+
extract_files
restore_backup ${NAME}
start_service --background ${NAME}
extract_files
restore_backup ${NAME}
start_service --background ${NAME}