Hi,

Peter Palfrader wrote (19 Apr 2011 08:40:55 GMT) :
>> 1. In the default torrc: set ControlSocket to /var/run/tor/control.socket

> You will need to make sure Tor creates the socket with correct
> permissions, I think. Once it does that, enabling it in the Debian
> package seems doable.

I've just run a handful of tests.

The ControlSocket file is created by the (Debian) Tor daemon
  - owned by root:debian-tor -> perfect
  - uses the umask from the user who runs the initscript
    * if umask == 0022 => srwxr-xr-x which won't work: the debian-tor
      group should get write access; as a side note, the execution
      bits seem not needed to me.
    * if umask == 0077 => srwx------ which won't work, but a great
      bunch of initscripts behave this way, so we might as well
      ignore this case for the time being :/

=> we have two possible solutions I think:

  a. Patch Tor so that one can get a group-readable+writable
     ControlSocket, be it by default or using a
     ControlSocketGroupReadableAndWritable option modeled after the
     already existing CookieAuthFileGroupReadable one.
  b. In the initscript, set permissions on the ControlSocket that
     would fit our Debian system-wide daemon context.

I tend to prefer the first of these solutions, since the second one
would be a bit ugly, and I'm not even sure it would work, e.g. if the
process receives a SIGHUP or whatever. What do you think?

(Yeah, we'll obviously forward our future conclusions back upstream,
but let's think through what we need on the Debian packaging side
first.)

Also, even when umask == 0022, the parent directory (/var/run/tor) is
created by the initscript's check_torpiddir function with 02700
permissions. Given this function chown's it debian-tor:debian-tor, can
we consider changing these permissions to 02770? Or do I miss the
purpose of the debian-tor group?

> Editing /etc/tor/torrc is a no-go. That just becomes a horrible
> mess.

Sure.

> Ideally tor would start to support an /etc/tor/torrc.d/ style
> directory, but for now I guess we can add it to the default debian
> config we patch into the tor binary.

Great.

Bye,
--
  intrigeri <intrig...@boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | The impossible just takes a bit longer.
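
Added example, not part of the original message and not code from Tor or the Debian package: a small C program that reproduces the umask dependence reported above (0022 gives srwxr-xr-x, 0077 gives srwx------) and shows that a chmod by the creating process after bind() yields the same mode under either umask. The temporary path, the function name and the 0660 mode are assumptions made for illustration; Linux behaviour is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Bind a Unix socket named control.socket in a fresh temporary directory
 * while `mask` is the process umask, and return the permission bits of the
 * resulting socket file. With group_rw set, the creating process then
 * applies chmod 0660, so the result no longer depends on the caller's
 * umask. Returns -1 on error. Hypothetical helper; Linux assumed. */
static int socket_mode_after_bind(mode_t mask, int group_rw)
{
    char dir[] = "/tmp/ctlsock-XXXXXX";   /* constructed path, not Tor's */
    struct sockaddr_un addr;
    struct stat st;
    int mode = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "%s/control.socket", dir);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    mode_t old = umask(mask);             /* umask in effect at bind() time */
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
        /* chmod() is not filtered through the umask, unlike bind() */
        int ok = !group_rw || chmod(addr.sun_path, 0660) == 0;
        if (ok && stat(addr.sun_path, &st) == 0)
            mode = (int)(st.st_mode & 07777);
    }
    umask(old);
    if (fd >= 0)
        close(fd);
    unlink(addr.sun_path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("umask 0022:         %04o\n", (unsigned)socket_mode_after_bind(0022, 0));
    printf("umask 0077:         %04o\n", (unsigned)socket_mode_after_bind(0077, 0));
    printf("umask 0022 + chmod: %04o\n", (unsigned)socket_mode_after_bind(0022, 1));
    printf("umask 0077 + chmod: %04o\n", (unsigned)socket_mode_after_bind(0077, 1));
    return 0;
}
```

The mode alone does not grant access: the parent directory must also be searchable by the group, which is the 02700 versus 02770 question raised in the message.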