Backport r16450 to 0.2.0.x: open /dev/pf before dropping privileges.
svn:r16726
This commit is contained in:
parent
278a89d75a
commit
6784c9e314
|
@ -22,6 +22,10 @@ Changes in version 0.2.0.31 - 2008-08-??
|
|||
trying session resumption at this point, but apparently some
|
||||
did, in ways that caused the handshake to fail. Bugfix on
|
||||
0.2.0.20-rc. Bug found by Geoff Goodell.
|
||||
- When using the TransPort option on OpenBSD, and using the User
|
||||
option to change UID and drop privileges, make sure to open
|
||||
/dev/pf before dropping privileges. Fixes bug 782. Patch from
|
||||
Christopher Davis. Bugfix on 0.1.2.1-alpha.
|
||||
|
||||
|
||||
Changes in version 0.2.0.30 - 2008-07-15
|
||||
|
|
|
@ -11,7 +11,7 @@ Backport for 0.2.0 once better tested:
|
|||
o r15821: fix bug related to TLS session negotiation.
|
||||
o r16136: prevent circid collision. [Also backport to 0.1.2.x??]
|
||||
- r16143: generate stream close events from connection_edge_destroy().
|
||||
- r16450: open /dev/pf before dropping privileges.
|
||||
o r16450: open /dev/pf before dropping privileges.
|
||||
- r16605: relays reject risky extend cells.
|
||||
- r16698: don't use a new entry guard that's also your exit.
|
||||
|
||||
|
|
|
@ -1022,6 +1022,16 @@ options_act_reversible(or_options_t *old_options, char **msg)
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
|
||||
/* Open /dev/pf before dropping privileges. */
|
||||
if (options->TransPort) {
|
||||
if (get_pf_socket() < 0) {
|
||||
*msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
|
||||
goto rollback;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Setuid/setgid as appropriate */
|
||||
if (options->User || options->Group) {
|
||||
/* XXXX021 We should only do this the first time through, not on
|
||||
|
|
|
@ -1636,11 +1636,11 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
|
|||
|
||||
#ifdef TRANS_PF
|
||||
static int pf_socket = -1;
|
||||
static int
|
||||
int
|
||||
get_pf_socket(void)
|
||||
{
|
||||
int pf;
|
||||
/* Ideally, this should be opened before dropping privs. */
|
||||
/* This should be opened before dropping privs. */
|
||||
if (pf_socket >= 0)
|
||||
return pf_socket;
|
||||
|
||||
|
|
|
@ -2856,6 +2856,10 @@ typedef enum hostname_type_t {
|
|||
} hostname_type_t;
|
||||
hostname_type_t parse_extended_hostname(char *address);
|
||||
|
||||
#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
|
||||
int get_pf_socket(void);
|
||||
#endif
|
||||
|
||||
/********************************* connection_or.c ***************************/
|
||||
|
||||
void connection_or_remove_from_identity_map(or_connection_t *conn);
|
||||
|
|
Loading…
Reference in New Issue