Backport r16450 to 0.2.0.x: open /dev/pf before dropping privileges.
svn:r16726
This commit is contained in:
parent
278a89d75a
commit
6784c9e314
|
@ -22,6 +22,10 @@ Changes in version 0.2.0.31 - 2008-08-??
|
||||||
trying session resumption at this point, but apparently some
|
trying session resumption at this point, but apparently some
|
||||||
did, in ways that caused the handshake to fail. Bugfix on
|
did, in ways that caused the handshake to fail. Bugfix on
|
||||||
0.2.0.20-rc. Bug found by Geoff Goodell.
|
0.2.0.20-rc. Bug found by Geoff Goodell.
|
||||||
|
- When using the TransPort option on OpenBSD, and using the User
|
||||||
|
option to change UID and drop privileges, make sure to open
|
||||||
|
/dev/pf before dropping privileges. Fixes bug 782. Patch from
|
||||||
|
Christopher Davis. Bugfix on 0.1.2.1-alpha.
|
||||||
|
|
||||||
|
|
||||||
Changes in version 0.2.0.30 - 2008-07-15
|
Changes in version 0.2.0.30 - 2008-07-15
|
||||||
|
|
|
@ -11,7 +11,7 @@ Backport for 0.2.0 once better tested:
|
||||||
o r15821: fix bug related to TLS session negotiation.
|
o r15821: fix bug related to TLS session negotiation.
|
||||||
o r16136: prevent circid collision. [Also backport to 0.1.2.x??]
|
o r16136: prevent circid collision. [Also backport to 0.1.2.x??]
|
||||||
- r16143: generate stream close events from connection_edge_destroy().
|
- r16143: generate stream close events from connection_edge_destroy().
|
||||||
- r16450: open /dev/pf before dropping privileges.
|
o r16450: open /dev/pf before dropping privileges.
|
||||||
- r16605: relays reject risky extend cells.
|
- r16605: relays reject risky extend cells.
|
||||||
- r16698: don't use a new entry guard that's also your exit.
|
- r16698: don't use a new entry guard that's also your exit.
|
||||||
|
|
||||||
|
|
|
@ -1022,6 +1022,16 @@ options_act_reversible(or_options_t *old_options, char **msg)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
|
||||||
|
/* Open /dev/pf before dropping privileges. */
|
||||||
|
if (options->TransPort) {
|
||||||
|
if (get_pf_socket() < 0) {
|
||||||
|
*msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
|
||||||
|
goto rollback;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Setuid/setgid as appropriate */
|
/* Setuid/setgid as appropriate */
|
||||||
if (options->User || options->Group) {
|
if (options->User || options->Group) {
|
||||||
/* XXXX021 We should only do this the first time through, not on
|
/* XXXX021 We should only do this the first time through, not on
|
||||||
|
|
|
@ -1636,11 +1636,11 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
|
||||||
|
|
||||||
#ifdef TRANS_PF
|
#ifdef TRANS_PF
|
||||||
static int pf_socket = -1;
|
static int pf_socket = -1;
|
||||||
static int
|
int
|
||||||
get_pf_socket(void)
|
get_pf_socket(void)
|
||||||
{
|
{
|
||||||
int pf;
|
int pf;
|
||||||
/* Ideally, this should be opened before dropping privs. */
|
/* This should be opened before dropping privs. */
|
||||||
if (pf_socket >= 0)
|
if (pf_socket >= 0)
|
||||||
return pf_socket;
|
return pf_socket;
|
||||||
|
|
||||||
|
|
|
@ -2856,6 +2856,10 @@ typedef enum hostname_type_t {
|
||||||
} hostname_type_t;
|
} hostname_type_t;
|
||||||
hostname_type_t parse_extended_hostname(char *address);
|
hostname_type_t parse_extended_hostname(char *address);
|
||||||
|
|
||||||
|
#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
|
||||||
|
int get_pf_socket(void);
|
||||||
|
#endif
|
||||||
|
|
||||||
/********************************* connection_or.c ***************************/
|
/********************************* connection_or.c ***************************/
|
||||||
|
|
||||||
void connection_or_remove_from_identity_map(or_connection_t *conn);
|
void connection_or_remove_from_identity_map(or_connection_t *conn);
|
||||||
|
|
Loading…
Reference in New Issue