GNU bug report logs - #57222: Guix Tor service needs a little more authority
Report forwarded to bug-guix@gnu.org: bug#57222; Package guix. (Mon, 15 Aug 2022 11:57:02 GMT)
Acknowledgement sent to Tobias Geerinckx-Rice <me@tobias.gr>: New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Mon, 15 Aug 2022 11:57:02 GMT)
Message #5 received at submit@debbugs.gnu.org:
Hi all,

I recently found my Tor nodes dead, unable to bind to their port with a confusing ‘permission denied’ error.

This was caused by a regression in Guix's Tor service: it now uses ‘least-authority-wrapper’, meaning that it… well, hasn't the authority to bind to all ports. Oops.

Even today, (some, well-known) low ports are firewalled/flagged noticeably less than higher ones. Thankfully, DPI isn't the norm yet.

Reverting commit fb868cd7794f15e21298e5bdea996fbf0dad17ca fixes this.

Our service wasn't insecure before: Tor expects to be started as root and drop privileges through the torrc ‘User’ directive, not the way Guix now does it through namespaces.

Still, I'll take a stab at relaxing the service's POLA parameters to allow this, hoping to get the best of both worlds, but this is new territory to me. Maybe that's not possible.

Kind regards,
T G-R
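The failure described in the report comes down to one rule: a daemon that starts without root (for example one wrapped so that it runs as an unprivileged user in its own namespaces) cannot bind a port below 1024 on Linux unless it holds CAP_NET_BIND_SERVICE, whereas Tor's traditional model is to start as root, bind its listeners, and only then drop to the account named by the torrc ‘User’ directive. The following lint is an added example, not code from the bug report, from Guix, or from the Tor project: it parses a constructed torrc, lists every listener directive (an assumed subset: ORPort, DirPort, SocksPort, ControlPort, TransPort, DNSPort), flags those on privileged ports, notes whether ‘User’ is set, and offers a bind probe so an operator can see what the wrapped process would see before the service falls over.

```python
"""Constructed example (not from the bug report, Guix or Tor): check a torrc
for listeners that a non-root Tor process could not bind."""
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# On Linux, binding below this needs root or CAP_NET_BIND_SERVICE
# (or a lowered net.ipv4.ip_unprivileged_port_start sysctl).
PRIVILEGED_PORT_LIMIT = 1024

# Assumed subset of torrc directives that open listening sockets.
LISTENER_DIRECTIVES = ("ORPort", "DirPort", "SocksPort",
                       "ControlPort", "TransPort", "DNSPort")


@dataclass
class TorrcReport:
    listeners: List[Tuple[str, int]] = field(default_factory=list)  # every bound listener
    privileged: List[Tuple[str, int]] = field(default_factory=list)  # those below 1024
    user: Optional[str] = None                                       # value of 'User', if any


def parse_port(value: str) -> Optional[int]:
    """Return the port from a listener value such as '443', '0.0.0.0:9001'
    or '[::]:443'. 'auto' (ephemeral high port) and '0' (disabled) yield None."""
    token = value.split()[0]  # drop trailing flags such as IPv4Only
    if token.lower() in ("auto", "0"):
        return None
    m = re.search(r":(\d+)$", token)  # addr:port or [v6]:port form
    port = m.group(1) if m else token
    return int(port) if port.isdigit() else None


def lint_torrc(text: str) -> TorrcReport:
    """Walk a torrc and collect listeners, privileged listeners and 'User'."""
    report = TorrcReport()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "user":
            report.user = value.strip()
            continue
        for directive in LISTENER_DIRECTIVES:
            if key.lower() != directive.lower():
                continue
            flags = [f.lower() for f in value.split()[1:]]
            if "nolisten" in flags:
                break  # advertised only; no socket is bound for this line
            port = parse_port(value)
            if port is not None:
                report.listeners.append((directive, port))
                if port < PRIVILEGED_PORT_LIMIT:
                    report.privileged.append((directive, port))
            break
    return report


def needs_root_start(report: TorrcReport) -> bool:
    """True when the config only works if Tor starts with enough authority to
    bind low ports: root plus 'User' to drop privileges, or CAP_NET_BIND_SERVICE."""
    return bool(report.privileged)


def can_bind(port: int, host: str = "127.0.0.1") -> bool:
    """Probe whether *this* process is permitted to bind the port (what a wrapped
    daemon would see). EADDRINUSE is treated as permitted-but-busy, not denied."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except PermissionError:
            return False
        except OSError:
            return True


# Constructed relay configuration for the example.
SAMPLE_TORRC = """\
# relay on a well-known low port, plus a high-port IPv6 listener
ORPort 443
ORPort [::]:9001
DirPort 80 NoListen
ControlPort 9051
User tor
"""

if __name__ == "__main__":
    r = lint_torrc(SAMPLE_TORRC)
    print("listeners:", r.listeners)
    print("privileged:", r.privileged, "User:", r.user)
    print("needs root start or CAP_NET_BIND_SERVICE:", needs_root_start(r))
    for _, port in r.privileged:
        print(f"this process may bind {port}: {can_bind(port)}")
```

The report's own point is the interesting case: with ‘User tor’ present and an ORPort on 443, the lint says the config is fine for a root-started Tor that drops privileges itself, but any wrapper that already runs the binary as an unprivileged user will hit exactly the ‘permission denied’ the reporter saw. A service definition that wants both the low port and the namespace wrapper has to grant that one authority explicitly rather than rely on the ‘User’ directive.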
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.