Remove SocksSocket; it's now spelled differently thanks to 14451
Also, revise bug12585 changes file to mention new syntax
This commit is contained in:
parent
ebc59092bc
commit
204374f7d9
|
@ -1,9 +1,12 @@
|
|||
o Major features (security)
|
||||
- Implementation of SocksSocket option - SocksSocket implements a SOCKS
|
||||
- Implementation of an AF_UNIX socket option to implement a SOCKS
|
||||
proxy reachable by Unix Domain Socket. This allows client applications to
|
||||
communicate with Tor without having the ability to create AF_INET or
|
||||
AF_INET6 family sockets. If an application has permission to create a socket
|
||||
with AF_UNIX, it may directly communicate with Tor as if it were an other
|
||||
SOCKS proxy. This should allow high risk applications to be entirely prevented
|
||||
from connecting directly with TCP/IP, they will be able to only connect to the
|
||||
internet through AF_UNIX and only through Tor. Closes ticket 12585.
|
||||
internet through AF_UNIX and only through Tor.
|
||||
To create a socket of this type, use the syntax "unix:/path/to/socket".
|
||||
Closes ticket 12585.
|
||||
|
||||
|
|
|
@ -483,10 +483,6 @@ GENERAL OPTIONS
|
|||
in accordance to RFC 1929. Both username and password must be between 1 and
|
||||
255 characters.
|
||||
|
||||
[[SocksSocket]] **SocksSocket** __Path__ [_flags_] [_isolation flags_]::
|
||||
Like SocksPort, but listens on a Unix domain socket, rather than a TCP
|
||||
socket. '0' disables SocksSocket (Unix and Unix-like systems only.)
|
||||
|
||||
[[SocksSocketsGroupWritable]] **SocksSocketsGroupWritable** **0**|**1**::
|
||||
If this option is set to 0, don't allow the filesystem group to read and
|
||||
write unix sockets (e.g. SocksSocket). If the option is set to 1, make
|
||||
|
|
|
@ -69,7 +69,7 @@
|
|||
extern int quiet_level;
|
||||
|
||||
/* Prefix used to indicate a Unix socket in a FooPort configuration. */
|
||||
static const char *unix_socket_prefix = "unix:";
|
||||
static const char unix_socket_prefix[] = "unix:";
|
||||
|
||||
/** A list of abbreviations and aliases to map command-line options, obsolete
|
||||
* option names, or alternative option names, to their current values. */
|
||||
|
@ -203,7 +203,6 @@ static config_var_t option_vars_[] = {
|
|||
V(ControlPortWriteToFile, FILENAME, NULL),
|
||||
V(ControlSocket, LINELIST, NULL),
|
||||
V(ControlSocketsGroupWritable, BOOL, "0"),
|
||||
V(SocksSocket, LINELIST, NULL),
|
||||
V(SocksSocketsGroupWritable, BOOL, "0"),
|
||||
V(CookieAuthentication, BOOL, "0"),
|
||||
V(CookieAuthFileGroupReadable, BOOL, "0"),
|
||||
|
@ -1053,20 +1052,6 @@ options_act_reversible(const or_options_t *old_options, char **msg)
|
|||
}
|
||||
#endif
|
||||
|
||||
#ifndef HAVE_SYS_UN_H
|
||||
if (options->SocksSocket || options->SocksSocketsGroupWritable) {
|
||||
*msg = tor_strdup("Unix domain sockets (SocksSocket) not supported "
|
||||
"on this OS/with this build.");
|
||||
goto rollback;
|
||||
}
|
||||
#else
|
||||
if (options->SocksSocketsGroupWritable && !options->SocksSocket) {
|
||||
*msg = tor_strdup("Setting SocksSocketGroupWritable without setting"
|
||||
"a SocksSocket makes no sense.");
|
||||
goto rollback;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (running_tor) {
|
||||
int n_ports=0;
|
||||
/* We need to set the connection limit before we can open the listeners. */
|
||||
|
@ -5656,6 +5641,14 @@ config_parse_unix_port(const char *addrport, char **path_out)
|
|||
int
|
||||
config_parse_unix_port(const char *addrport, char **path_out)
|
||||
{
|
||||
tor_assert(path_out);
|
||||
tor_assert(addrport);
|
||||
|
||||
if (strcmpstart(addrport, unix_socket_prefix)) {
|
||||
/* Not a Unix socket path. */
|
||||
return -ENOENT;
|
||||
}
|
||||
|
||||
log_warn(LD_CONFIG,
|
||||
"Port configuration %s is for an AF_UNIX socket, but we have no"
|
||||
"support available on this platform",
|
||||
|
@ -6218,13 +6211,6 @@ parse_ports(or_options_t *options, int validate_only,
|
|||
*msg = tor_strdup("Invalid ControlSocket configuration");
|
||||
goto err;
|
||||
}
|
||||
if (parse_port_config(ports, options->SocksSocket, NULL,
|
||||
"SocksSocket",
|
||||
CONN_TYPE_AP_LISTENER, NULL, 0,
|
||||
CL_PORT_IS_UNIXSOCKET) < 0) {
|
||||
*msg = tor_strdup("Invalid SocksSocket configuration");
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
if (! options->ClientOnly) {
|
||||
if (parse_port_config(ports,
|
||||
|
@ -6268,8 +6254,6 @@ parse_ports(or_options_t *options, int validate_only,
|
|||
!! count_real_listeners(ports, CONN_TYPE_OR_LISTENER);
|
||||
options->SocksPort_set =
|
||||
!! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
|
||||
options->SocksSocket_set =
|
||||
!! count_real_listeners(ports, CONN_TYPE_AP_LISTENER);
|
||||
options->TransPort_set =
|
||||
!! count_real_listeners(ports, CONN_TYPE_AP_TRANS_LISTENER);
|
||||
options->NATDPort_set =
|
||||
|
|
|
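Review bot: In the config_parse_unix_port hunk the two adjacent string literals passed to log_warn run together as "...but we have nosupport available on this platform" because the first literal has no trailing space; change it to `"Port configuration %s is for an AF_UNIX socket, but we have no "`. I cannot tell from the rendered view whether those two lines are new or context in this hunk, but the message is emitted on the platform-unsupported path of the new "unix:" syntax, so it is worth fixing here. The function's body continues past the end of the hunk, so the remaining arguments of that log_warn call are not visible.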
@ -1496,7 +1496,7 @@ connection_handle_listener_read(connection_t *conn, int new_type)
|
|||
if (new_type == CONN_TYPE_AP && conn->socket_family == AF_UNIX) {
|
||||
newconn->port = 0;
|
||||
newconn->address = tor_strdup(conn->address);
|
||||
log_info(LD_NET, "New SOCKS SocksSocket connection opened");
|
||||
log_info(LD_NET, "New SOCKS AF_UNIX connection opened");
|
||||
}
|
||||
if (new_type == CONN_TYPE_CONTROL) {
|
||||
log_notice(LD_CONTROL, "New control connection opened from %s.",
|
||||
|
|
|
@ -3463,9 +3463,6 @@ typedef struct {
|
|||
* for control connections. */
|
||||
|
||||
int ControlSocketsGroupWritable; /**< Boolean: Are control sockets g+rw? */
|
||||
config_line_t *SocksSocket; /**< List of Unix Domain Sockets to listen on
|
||||
* for SOCKS connections. */
|
||||
|
||||
int SocksSocketsGroupWritable; /**< Boolean: Are SOCKS sockets g+rw? */
|
||||
/** Ports to listen on for directory connections. */
|
||||
config_line_t *DirPort_lines;
|
||||
|
@ -3489,7 +3486,6 @@ typedef struct {
|
|||
*/
|
||||
unsigned int ORPort_set : 1;
|
||||
unsigned int SocksPort_set : 1;
|
||||
unsigned int SocksSocket_set : 1;
|
||||
unsigned int TransPort_set : 1;
|
||||
unsigned int NATDPort_set : 1;
|
||||
unsigned int ControlPort_set : 1;
|
||||
|
|