openprivacy
/
connectivity
3
0
Fork 2
Code Issues 1 Pull Requests 1 Releases 35 Wiki Activity

Clarified and Split Apart Environment Variables that alter port binding behaviour. #47

Merged
sarah merged 7 commits from whonix into master 2023-08-18 21:03:41 +00:00
Conversation 1 Commits 7 Files Changed 2 +14 -5
1 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 2c9ec9d894 - Show all commits

19
tor/torProvider.go
View File

@ -270,14 +270,23 @@ func (tp *torProvider) Listen(identity connectivity.PrivateKey, port int) (conne
var localListener net.Listener
var err error
if bineWhonix := os.Getenv("BINE_WHONIX"); strings.ToLower(bineWhonix) == "true" {
if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
}
if cwtchRestrictPorts := os.Getenv("CWTCH_RESTRICT_PORTS"); strings.ToLower(cwtchRestrictPorts) == "true" {
dan marked this conversation as resolved
dan commented 2023-08-17 16:53:24 +00:00
Review
Copy Link

from the docs i thought i could specify the range on the cmd line. can't we just change this to an .exists() check as a flag? any value means it was set?

from the docs i thought i could specify the range on the cmd line. can't we just change this to an `.exists()` check as a flag? any value means it was set?
sarah commented 2023-08-17 17:36:51 +00:00
Review
Copy Link

I'd rather be explicit. Someone setting this to "false" should not be surprised.

I'd rather be explicit. Someone setting this to "false" should not be surprised.
// for whonix like systems we tightly restrict possible listen...
// pick a random port between 15300 and 15378
// cwtch = 63 *77 *74* 63* 68 = 1537844616
dan marked this conversation as resolved
dan commented 2023-08-17 16:52:23 +00:00
Review
Copy Link

dont understand this line

dont understand this line
sarah commented 2023-08-17 17:36:21 +00:00
Review
Copy Link

I had to pick a subrange of ports (technically we could allow these to be configurable, but the additional complexity does not seem worth it atm), and this how I arrived at the top range.

I had to pick a subrange of ports (technically we could allow these to be configurable, but the additional complexity does not seem worth it atm), and this how I arrived at the top range.
localport = 15300 + ((localport - 1024) % 78)
log.Infof("using restricted ports, CWTCH_RESTRICT_PORTS=true");
dan marked this conversation as resolved
dan commented 2023-08-17 16:53:49 +00:00
Review
Copy Link

since its not a specified range, why not call it WHONIX_PORTS since thats what it is

since its not a specified range, why not call it WHONIX_PORTS since thats what it is
sarah commented 2023-08-17 17:34:30 +00:00
Review
Copy Link

there are other possible usecases for this flag e.g. any containerized OS, not just whonix.

there are other possible usecases for this flag e.g. any containerized OS, not just whonix.
localport = 15300 + (localport % 78)
}
if bindExternal := os.Getenv("CWTCH_BIND_EXTERNAL_WHONIX"); strings.ToLower(bindExternal) == "true" {
if _, ferr := os.Stat("/usr/share/anon-ws-base-files/workstation"); !os.IsNotExist(ferr) {
log.Infof("WARNING: binding to external interfaces. This is potentially unsafe outside of a containerized environment.");
localListener, err = net.Listen("tcp", "0.0.0.0:"+strconv.Itoa(localport))
} else {
log.Errorf("CWTCH_BIND_EXTERNAL_WHONIX flag set, but /usr/share/anon-ws-base-files/workstation does not exist. Defaulting to binding to local ports");
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
}
} else {
localListener, err = net.Listen("tcp", "127.0.0.1:"+strconv.Itoa(localport))
}