Use tor_getpw{nam,uid} wrappers to fix bug 11946

When running with User set, we frequently try to look up our
information in the user database (e.g., /etc/passwd).  The seccomp2
sandbox setup doesn't let us open /etc/passwd, and probably
shouldn't.

To fix this, we have a pair of wrappers for getpwnam and getpwuid.
When a real call to getpwnam or getpwuid fails, they fall back to a
cached value, if the uid/gid matches.

(Granting access to /etc/passwd isn't possible with the way we
handle opening files through the sandbox.  It's not desirable either.)

diff --git a/changes/bug11946 b/changes/bug11946
new file mode 100644 (file)
index 0000000..9ea4831
--- /dev/null
+++ b/changes/bug11946
@@ -0,0 +1,5 @@
+  o Minor bugfixes (sandbox):
+
+    - Handle failures in getpwnam()/getpwuid() when running with the
+      User option set and the Linux syscall sandbox enabled. Fixes bug
+      11946; bugfix on 0.2.5.1-alpha.

diff --git a/src/common/compat.c b/src/common/compat.c
index 9f31cceb0963a2cab32483356e58b26e3c9a0478..65446b530e50d08a563cbc42b65c12c4714fb94c 100644 (file)
--- a/src/common/compat.c
+++ b/src/common/compat.c
@@ -1792,7 +1792,7 @@ int
 switch_id(const char *user)
 {
 #ifndef _WIN32
-  struct passwd *pw = NULL;
+  const struct passwd *pw = NULL;
   uid_t old_uid;
   gid_t old_gid;
   static int have_already_switched_id = 0;
@@ -1813,7 +1813,7 @@ switch_id(const char *user)
   old_gid = getgid();
 
   /* Lookup the user and group information, if we have a problem, bail out. */
-  pw = getpwnam(user);
+  pw = tor_getpwnam(user);
   if (pw == NULL) {
     log_warn(LD_CONFIG, "Error setting configured user: %s not found", user);
     return -1;
@@ -1984,10 +1984,10 @@ tor_disable_debugger_attach(void)
 char *
 get_user_homedir(const char *username)
 {
-  struct passwd *pw;
+  const struct passwd *pw;
   tor_assert(username);
 
-  if (!(pw = getpwnam(username))) {
+  if (!(pw = tor_getpwnam(username))) {
     log_err(LD_CONFIG,"User \"%s\" not found.", username);
     return NULL;
   }

diff --git a/src/common/util.c b/src/common/util.c
index d573b5624b325c4fdc2a9e4ff12b4a83802d4cb2..d457ba9701bef2bcbc53ddd07a7d73eb9c5efa98 100644 (file)
--- a/src/common/util.c
+++ b/src/common/util.c
@@ -1871,7 +1871,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
   char *f;
 #ifndef _WIN32
   int mask;
-  struct passwd *pw = NULL;
+  const struct passwd *pw = NULL;
   uid_t running_uid;
   gid_t running_gid;
 #else
@@ -1918,7 +1918,7 @@ check_private_dir(const char *dirname, cpd_check_t check,
   if (effective_user) {
     /* Look up the user and group information.
      * If we have a problem, bail out. */
-    pw = getpwnam(effective_user);
+    pw = tor_getpwnam(effective_user);
     if (pw == NULL) {
       log_warn(LD_CONFIG, "Error setting configured user: %s not found",
                effective_user);
@@ -1932,13 +1932,13 @@ check_private_dir(const char *dirname, cpd_check_t check,
   }
 
   if (st.st_uid != running_uid) {
-    struct passwd *pw = NULL;
+    const struct passwd *pw = NULL;
     char *process_ownername = NULL;
 
-    pw = getpwuid(running_uid);
+    pw = tor_getpwuid(running_uid);
     process_ownername = pw ? tor_strdup(pw->pw_name) : tor_strdup("<unknown>");
 
-    pw = getpwuid(st.st_uid);
+    pw = tor_getpwuid(st.st_uid);
 
     log_warn(LD_FS, "%s is not owned by this user (%s, %d) but by "
         "%s (%d). Perhaps you are running Tor as the wrong user?",

diff --git a/src/or/connection.c b/src/or/connection.c
index 3cc4e09fb76e13809b3aaf1285a4db7bf581572d..cef9172ff1c23d6f0d9f7f92a1464b4de1a6b44e 100644 (file)
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1017,7 +1017,7 @@ connection_listener_new(const struct sockaddr *listensockaddr,
   tor_socket_t s = TOR_INVALID_SOCKET;  /* the socket we're going to make */
   or_options_t const *options = get_options();
 #if defined(HAVE_PWD_H) && defined(HAVE_SYS_UN_H)
-  struct passwd *pw = NULL;
+  const struct passwd *pw = NULL;
 #endif
   uint16_t usePort = 0, gotPort = 0;
   int start_reading = 0;
@@ -1157,7 +1157,7 @@ connection_listener_new(const struct sockaddr *listensockaddr,
     }
 #ifdef HAVE_PWD_H
     if (options->User) {
-      pw = getpwnam(options->User);
+      pw = tor_getpwnam(options->User);
       if (pw == NULL) {
         log_warn(LD_NET,"Unable to chown() %s socket: user %s not found.",
                  address, options->User);

diff --git a/src/or/control.c b/src/or/control.c
index d571900ac33b018738654f7249385186df8668ad..2865d78329ed6f16795cc3d8c94448f158cfcdaa 100755 (executable)
--- a/src/or/control.c
+++ b/src/or/control.c
@@ -1492,7 +1492,7 @@ getinfo_helper_misc(control_connection_t *conn, const char *question,
       *answer = tor_strdup("");
     #else
       int myUid = geteuid();
-      struct passwd *myPwEntry = getpwuid(myUid);
+      const struct passwd *myPwEntry = tor_getpwuid(myUid);
 
       if (myPwEntry) {
         *answer = tor_strdup(myPwEntry->pw_name);