o Major features (security)
- - Implementation of SocksSocket option - SocksSocket implements a SOCKS
+ - Implementation of an AF_UNIX socket option to implement a SOCKS
proxy reachable by Unix Domain Socket. This allows client applications to
communicate with Tor without having the ability to create AF_INET or
AF_INET6 family sockets. If an application has permission to create a socket
with AF_UNIX, it may directly communicate with Tor as if it were an other
SOCKS proxy. This should allow high risk applications to be entirely prevented
from connecting directly with TCP/IP, they will be able to only connect to the
- internet through AF_UNIX and only through Tor. Closes ticket 12585.
+ internet through AF_UNIX and only through Tor.
+ To create a socket of this type, use the syntax "unix:/path/to/socket".
+ Closes ticket 12585.
+
in accordance to RFC 1929. Both username and password must be between 1 and
255 characters.
-[[SocksSocket]] **SocksSocket** __Path__ [_flags_] [_isolation flags_]::
- Like SocksPort, but listens on a Unix domain socket, rather than a TCP
- socket. '0' disables SocksSocket (Unix and Unix-like systems only.)
-
[[SocksSocketsGroupWritable]] **SocksSocketsGroupWritable** **0**|**1**::
If this option is set to 0, don't allow the filesystem group to read and
write unix sockets (e.g. SocksSocket). If the option is set to 1, make
extern int quiet_level;
/* Prefix used to indicate a Unix socket in a FooPort configuration. */
-static const char *unix_socket_prefix = "unix:";
+static const char unix_socket_prefix[] = "unix:";
/** A list of abbreviations and aliases to map command-line options, obsolete
* option names, or alternative option names, to their current values. */
V(ControlPortWriteToFile, FILENAME, NULL),
V(ControlSocket, LINELIST, NULL),
V(ControlSocketsGroupWritable, BOOL, "0"),
- V(SocksSocket, LINELIST, NULL),
V(SocksSocketsGroupWritable, BOOL, "0"),
V(CookieAuthentication, BOOL, "0"),
V(CookieAuthFileGroupReadable, BOOL, "0"),
}
#endif
-#ifndef HAVE_SYS_UN_H
- if (options->SocksSocket || options->SocksSocketsGroupWritable) {
- *msg = tor_strdup("Unix domain sockets (SocksSocket) not supported "
- "on this OS/with this build.");
- goto rollback;
- }
-#else
- if (options->SocksSocketsGroupWritable && !options->SocksSocket) {
- *msg = tor_strdup("Setting SocksSocketGroupWritable without setting"
- "a SocksSocket makes no sense.");
- goto rollback;
- }
-#endif
-
if (running_tor) {
int n_ports=0;
/* We need to set the connection limit before we can open the listeners. */
int
config_parse_unix_port(const char *addrport, char **path_out)
{
+ tor_assert(path_out);
+ tor_assert(addrport);
+
+ if (strcmpstart(addrport, unix_socket_prefix)) {
+ /* Not a Unix socket path. */
+ return -ENOENT;
+ }
+
log_warn(LD_CONFIG,
"Port configuration %s is for an AF_UNIX socket, but we have no"
"support available on this platform",
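Review bot: The new `return -ENOENT;` in config_parse_unix_port reuses an errno value as a "this is not a unix: path" sentinel, and nothing in the hunk tells callers that it is a non-error they must fall through on rather than report; a doc comment above the signature such as `/** Returns -ENOENT if <b>addrport</b> does not begin with "unix:"; callers should not treat that value as a configuration error. */` would pin that contract (the function body continues past the hunk, so the other return paths are not visible here). The log_warn string on the lines just after the insertion concatenates "we have no" and "support available" without a separating space, so the message prints "nosupport"; a `" "` at the end of the first fragment fixes it. Separately, the sanity check removed in the earlier hunk around `options->SocksSocketsGroupWritable && !options->SocksSocket` has no replacement, so a torrc with SocksSocketsGroupWritable set and no "unix:" SocksPort is now accepted silently; a check over the parsed port list for a unix-socket AP listener would restore that diagnostic, and the SocksSocketsGroupWritable man page text still cites the removed SocksSocket option as its example.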
*msg = tor_strdup("Invalid ControlSocket configuration");
goto err;
}
- if (parse_port_config(ports, options->SocksSocket, NULL,
- "SocksSocket",
- CONN_TYPE_AP_LISTENER, NULL, 0,
- CL_PORT_IS_UNIXSOCKET) < 0) {
- *msg = tor_strdup("Invalid SocksSocket configuration");
- goto err;
- }
}
if (! options->ClientOnly) {
if (parse_port_config(ports,
!! count_real_listeners(ports, CONN_TYPE_OR_LISTENER);
options->SocksPort_set =
!! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
- options->SocksSocket_set =
- !! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
options->TransPort_set =
!! count_real_listeners(ports, CONN_TYPE_AP_TRANS_LISTENER);
options->NATDPort_set =
* for control connections. */
int ControlSocketsGroupWritable; /**< Boolean: Are control sockets g+rw? */
- config_line_t *SocksSocket; /**< List of Unix Domain Sockets to listen on
- * for SOCKS connections. */
-
int SocksSocketsGroupWritable; /**< Boolean: Are SOCKS sockets g+rw? */
/** Ports to listen on for directory connections. */
config_line_t *DirPort_lines;
*/
unsigned int ORPort_set : 1;
unsigned int SocksPort_set : 1;
- unsigned int SocksSocket_set : 1;
unsigned int TransPort_set : 1;
unsigned int NATDPort_set : 1;
unsigned int ControlPort_set : 1;