On Sat, 09 Feb 2013, Matt Kraai wrote:

> On Sat, Feb 09, 2013 at 08:20:58PM +0100, Peter Palfrader wrote:
> > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > 
> > > On Sat, Feb 09, 2013 at 03:45:56PM +0100, Peter Palfrader wrote:
> > > > On Sat, 09 Feb 2013, Matt Kraai wrote:
> > > > 
> > > > > UID-based prioritization requires that Tor be started using a specific
> > > > > user ID instead of relying on the User configuration setting.
> > > > > /etc/init.d/tor appears to start Tor as root and rely on the User
> > > > > configuration setting to change the user ID to debian-tor.
> > > > > 
> > > > > The following patch modifies /etc/init.d/tor so that Tor is started
> > > > > using the debian-tor account, which should allow the script to work.
> > > > 
> > > > Alas, that's not an option, as it would prevent tor from opening
> > > > listening ports < 1024.
> > > 
> > > How about making Tor change user but keep the CAP_NET_BIND_SERVICE
> > > capability before opening the sockets?
> > 
> > Tor does change user.  You seemed to imply that wasn't sufficient for
> > your traffic shaping thing.
> 
> The traffic shaping script needs Tor to change user before creating
> the sockets.  It says
> 
>  # The UID based method requires that Tor be launched from
>  # a specific user ID. The "User" Tor config setting is
>  # insufficient, as it sets the UID after the socket is created.
> 
> If tor were to change the user before creating the sockets, but keep
> the CAP_NET_BIND_SERVICE capability, I think this would allow it to
> perform UID-based shaping *and* bind to ports less than 1024.
> 
> I wanted to check that this seemed reasonable before I tried to
> implement it.

Keeping the bind service capability has other advantages too.  For
instance it'd make re-opening sockets after hibernation possible.

I guess a patch might be received well.

Cheers,
weasel
-- 
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
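The sequence proposed in this thread (drop from root to the service user before any listener exists, but keep CAP_NET_BIND_SERVICE so ports below 1024 can still be bound), as an added example that is not Tor's code and not from this thread. It assumes Linux, a process that starts as root, and uses the raw capget/capset ABI so no libcap is needed; uid/gid values and the port are whatever the caller passes in.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdint.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Mark one capability in the permitted and effective words of a capset() payload;
 * capabilities numbered 32 and above live in the second word (version 3 layout). */
static void cap_mark(struct __user_cap_data_struct d[2], int cap) {
    d[cap / 32].permitted |= 1u << (cap % 32);
    d[cap / 32].effective |= 1u << (cap % 32);
}

static int cap_marked(const struct __user_cap_data_struct d[2], int cap) {
    return (d[cap / 32].effective >> (cap % 32)) & 1u;
}

/* Run as root before any listener exists: switch to uid/gid and keep only
 * CAP_NET_BIND_SERVICE. Returns 0 or a negative errno. */
int switch_user_keep_bind(uid_t uid, gid_t gid) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { {0, 0, 0}, {0, 0, 0} };

    /* Otherwise the kernel empties the permitted set on a root -> non-root setuid. */
    if (prctl(PR_SET_KEEPCAPS, 1) < 0) return -errno;
    if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0 ||
        setresuid(uid, uid, uid) < 0)
        return -errno;
    /* The effective set is now empty. Re-enable exactly one capability; everything
     * else (CAP_SETUID, CAP_SETGID, ...) is dropped, so root cannot be regained. */
    cap_mark(data, CAP_NET_BIND_SERVICE);
    if (syscall(SYS_capset, &hdr, data) < 0) return -errno;
    prctl(PR_SET_KEEPCAPS, 0);
    return 0;
}

/* Now bind the privileged port as the unprivileged user; the socket is created under
 * that UID, which is what a UID-based shaping rule keys on. Returns fd or -errno. */
int bind_privileged_port(uint16_t port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { int e = errno; close(fd); return -e; }
    return fd;
}
```

Tor later gained a KeepBindCapabilities torrc option that performs this same switch (via libcap) when User is set.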

