guix-patches

From: raid5atemyhomework
Subject: [bug#47155] [PATCH] gnu: Respect DataDirectoryGroupReadable option of tor.
Date: Sat, 27 Mar 2021 11:06:40 +0000

Hello Maxime,


> > Note in particular that Bitcoin Core supports `ControlPort` and not
> > `ControlSocket`, so this is needed for Bitcoin Core support.  From what I
> > can see more daemons support `ControlPort` than `ControlSocket`.
>
> Ok, but take a look at
> https://gitlab.torproject.org/legacy/trac/-/wikis/doc/bitcoin.
> Maybe it's out of date though:
> https://blog.torproject.org/tor-heart-cryptocurrencies

The issue is already known, and is mitigated by use of e.g. JoinMarket and 
Wasabi Wallet, when used with proper care to disentangle public coin addresses 
from your own spending.

In my particular case, use of Tor is not for pseudonymity (though if you want I 
can provide a coin address for Bitcoin and you can try donating to it and see 
if you can track me using the described technique, so you can try seeing if it 
actually works against an expert user of Bitcoin), but rather as a replacement 
for my lack of a public IP address --- instead of using a public IP address 
(which my ISP is much too stupid to provide to me unless I get a ***much*** 
higher tier of paid support) I use a Tor hidden service to allow other users to 
connect to my node.

> > Thanks
> > raid5atemyhomework
> > From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
> > From: raid5atemyhomework <raid5atemyhomework@protonmail.com>
> > Date: Sat, 27 Mar 2021 14:29:31 +0800
> > Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.
> >
> > * gnu/services/networking.scm (tor-configuration): Add `control-port?` field.
> > (tor-configuration->torrc): Support `control-port?` field.
> > (tor-activation): Allow group access to data directory if `control-port?`.
> > * doc/guix.texi (Networking Services)[Tor]: Describe new `control-port?` field.
>
> Usually we `quote', 'quote', "quote" or ‘quote’, but never `quote`.
> I recommend 'quote', as in
>
> commit 43937666ba6975b6c847be8e67cecd781ce27049
> Author: Ludovic Courtès <ludo@gnu.org>
> Date:   Fri Mar 19 14:23:57 2021 +0100
>
>     download: 'tls-wrap' treats premature TLS termination as EOF.
>
>     This is a backport of Guile commit
>     076276c4f580368b4106316a77752d69c8f1494a.
>
>     * guix/build/download.scm (tls-wrap)[read!]: Wrap 'get-bytevector-n!'
>     call in 'catch' and handle 'error/premature-termination' GnuTLS errors.

Okay.

Thanks
raid5atemyhomework

From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
From: raid5atemyhomework <raid5atemyhomework@protonmail.com>
Date: Sat, 27 Mar 2021 14:29:31 +0800
Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.

* gnu/services/networking.scm (tor-configuration): Add 'control-port?' field.
(tor-configuration->torrc): Support 'control-port?' field.
(tor-activation): Allow group access to data directory if 'control-port?'.
* doc/guix.texi (Networking Services)[Tor]: Describe new 'control-port?' field.
---
 doc/guix.texi               | 13 +++++++++++++
 gnu/services/networking.scm | 24 +++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index c23d044ff5..a9c8f930be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@*
 Copyright @copyright{} 2020 John Soo@*
 Copyright @copyright{} 2020 Jonathan Brielmaier@*
 Copyright @copyright{} 2020 Edgar Vincent@*
+Copyright @copyright{} 2021 raid5atemyhomework@*

 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands on 
the UNIX domain socket
 @file{/var/run/tor/control-sock}, which will be made writable by members of the
 @code{tor} group.

+@item @code{control-port?} (default: @code{#f})
+Whether or not to provide a ``control port'' by which Tor can be controlled
+to, for instance, dynamically instantiate tor onion services.  This is more
+commonly supported by Tor controllers than using a UNIX domain socket as
+above.  If @code{#t}, Tor will listen for authenticated control commands over
+the control port 9051.  In order to authenticate to this port, Tor controllers
+need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, which
+will be made readable by members of the @code{tor} group.
+
+This can be set to a number instead, which will make Tor listen for control
+commands over the specified port number.
+
 @end table
 @end deftp

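Review bot: the new @item describes only the cookie file becoming group-readable, but the same change writes `DataDirectoryGroupReadable 1` into the torrc and switches the activation chmod to #o750, so the whole @file{/var/lib/tor} directory becomes listable by the @code{tor} group, and whoever can read the cookie has the same complete control over the daemon (reconfiguring it, adding onion services, and so on) as a user of the control socket described just above. State both in the manual, e.g. "Members of the @code{tor} group can read the Tor data directory and gain full control over the daemon", so that users know what adding an account to that group grants. Also, "dynamically instantiate tor onion services" should read "Tor onion services", matching the capitalisation used elsewhere in this entry.
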
diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 231a9f66c7..a4fbeaadfe 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -747,7 +747,9 @@ demand.")))
   (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix
                      (default 'tcp))
   (control-socket?  tor-control-socket-path
-                    (default #f)))
+                    (default #f))
+  (control-port?    tor-control-port?
+                    (default #f))) ; #f | #t | number

 (define %tor-accounts
   ;; User account and groups for Tor.
@@ -770,7 +772,8 @@ demand.")))
   "Return a 'torrc' file for CONFIG."
   (match config
     (($ <tor-configuration> tor config-file services
-                            socks-socket-type control-socket?)
+                            socks-socket-type control-socket?
+                            control-port?)
      (computed-file
       "torrc"
       (with-imported-modules '((guix build utils))
@@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port))
 ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeCheck
 ControlSocketsGroupWritable 1\n"
                            port))
+                (when #$control-port?
+                  (format port
+                          "\
+ControlPort ~a
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+DataDirectoryGroupReadable 1\n"
+                          #$(if (eq? control-port? #t)
+                                9051
+                                control-port?)))

                 (for-each (match-lambda
                             ((service (ports hosts) ...)
@@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%"
       ;; Allow Tor to access the hidden services' directories.
       (mkdir-p "/var/lib/tor")
       (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))
-      (chmod "/var/lib/tor" #o700)
+      ;; Allow Tor controllers to access the cookie file if control-port?
+      ;; By default this is where Tor puts the cookie file, and most Tor
+      ;; controllers expect this file location (and not on `/var/run/tor`).
+      (chmod "/var/lib/tor" #$(if (tor-control-port? config)
+                                  #o750
+                                  #o700))

       ;; Make sure /var/lib is accessible to the 'tor' user.
       (chmod "/var/lib" #o755)
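
Review bot: the new comment quotes `/var/run/tor` with backticks, the `quote` style Maxime asked to avoid in the commit message; use '/var/run/tor' (or no quotes) for consistency with the rest of the file. On the substance, #o750 together with `DataDirectoryGroupReadable 1` lets every member of the tor group traverse and list /var/lib/tor, including the hidden-service subdirectories, not merely read the cookie file that the comment says is the goal. Either say explicitly in the comment (and in the manual) that nothing else under the data directory is meant to become readable, or consider pointing `CookieAuthFile` at a path outside the data directory so the directory mode can stay #o700; the comment already records why the default path was kept, so that trade-off should be stated where a later reader will find it.
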
--
2.31.0
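
The patch above makes the cookie file readable by the tor group so that controllers such as Bitcoin Core can authenticate over ControlPort 9051. What such a controller does with that file is shown below as an added example; it is not code from the patch, from Guix or from Tor. It reads the cookie, authenticates (both the plain COOKIE method the manual text describes and the SAFECOOKIE challenge-response, which proves knowledge of the cookie without sending it) and then issues ADD_ONION to publish a local port as an onion service, the use case raid5atemyhomework describes for a node without a public IP address. The cookie path, the control address 127.0.0.1:9051 and membership of the tor group are this example's assumptions; the two HMAC key strings are the ones the Tor control protocol specification fixes for SAFECOOKIE.

```python
"""Controller-side cookie authentication against a Tor ControlPort.

Added example for this thread, not code from the Guix patch or from Tor.
The cookie path (Tor's default inside DataDirectory, kept by the patch), the
address 127.0.0.1:9051 (the default the patch writes) and membership of the
'tor' group are this example's assumptions, not statements from the page."""
import hashlib
import hmac
import secrets
import socket

COOKIE_PATH = "/var/lib/tor/control_auth_cookie"  # assumption: Tor's default
CONTROL_ADDR = ("127.0.0.1", 9051)                 # assumption: patch default

# HMAC keys fixed by the Tor control protocol specification for SAFECOOKIE.
SERVER_HASH_KEY = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_HASH_KEY = b"Tor safe cookie authentication controller-to-server hash"

def read_cookie(path=COOKIE_PATH):
    """Read the 32-byte cookie; needs read on the file and search on the data
    directory, which is what the patch's group-readable settings grant."""
    with open(path, "rb") as f:
        cookie = f.read()
    if len(cookie) != 32:
        raise ValueError(f"unexpected cookie length {len(cookie)}")
    return cookie

def parse_reply(raw):
    """Split a reply into (status, [text]).  'NNN-' continues, 'NNN ' ends it;
    data replies ('NNN+') are not needed here; non-250 codes are passed back."""
    status, payload = None, []
    for line in raw.decode().split("\r\n"):
        if not line:
            continue
        code, sep, text = line[:3], line[3:4], line[4:]
        if not code.isdigit() or sep not in ("-", " "):
            raise ValueError(f"unsupported reply line: {line!r}")
        status = int(code)
        payload.append(text)
        if sep == " ":
            break
    return status, payload

def recv_reply(sock):
    """Read until the terminating 'NNN ' line; a reply may span recv() calls."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("control connection closed")
        buf += chunk
        lines = buf.split(b"\r\n")
        if len(lines) >= 2 and lines[-2][3:4] == b" ":
            return buf

def authenticate_command(cookie):
    """Plain COOKIE method: the cookie itself goes on the wire, hex-encoded.
    Anyone who can read the cookie file therefore fully controls the daemon."""
    return b"AUTHENTICATE " + cookie.hex().encode() + b"\r\n"

def safecookie_hash(key, cookie, client_nonce, server_nonce):
    return hmac.new(key, cookie + client_nonce + server_nonce,
                    hashlib.sha256).digest()

def parse_authchallenge(text):
    """Parse 'AUTHCHALLENGE SERVERHASH=<hex> SERVERNONCE=<hex>'."""
    fields = dict(kv.split("=", 1) for kv in text.split()[1:])
    return (bytes.fromhex(fields["SERVERHASH"]),
            bytes.fromhex(fields["SERVERNONCE"]))

def authenticate_safecookie(sock, cookie):
    """SAFECOOKIE: prove knowledge of the cookie without sending it, and check
    the server's proof first so a rogue listener on the port cannot phish it."""
    client_nonce = secrets.token_bytes(32)
    sock.sendall(b"AUTHCHALLENGE SAFECOOKIE " + client_nonce.hex().encode() + b"\r\n")
    status, lines = parse_reply(recv_reply(sock))
    if status != 250:
        raise RuntimeError(f"AUTHCHALLENGE failed: {lines}")
    server_hash, server_nonce = parse_authchallenge(lines[0])
    expected = safecookie_hash(SERVER_HASH_KEY, cookie, client_nonce, server_nonce)
    if not hmac.compare_digest(server_hash, expected):
        raise RuntimeError("server does not know our cookie; not trusting it")
    client_hash = safecookie_hash(CLIENT_HASH_KEY, cookie, client_nonce, server_nonce)
    sock.sendall(b"AUTHENTICATE " + client_hash.hex().encode() + b"\r\n")
    status, lines = parse_reply(recv_reply(sock))
    if status != 250:
        raise RuntimeError(f"AUTHENTICATE failed: {lines}")

def add_onion_command(virtual_port, target_port, target_host="127.0.0.1"):
    """What a controller such as Bitcoin Core sends to publish a node without a
    public IP address as an ephemeral onion service."""
    return (f"ADD_ONION NEW:ED25519-V3 "
            f"Port={virtual_port},{target_host}:{target_port}\r\n").encode()

if __name__ == "__main__":
    with socket.create_connection(CONTROL_ADDR) as sock:
        authenticate_safecookie(sock, read_cookie())
        sock.sendall(add_onion_command(8333, 8333))
        print(parse_reply(recv_reply(sock)))
```

The permission model the patch implements is visible in read_cookie: the controller needs group read on the cookie file (CookieAuthFileGroupReadable 1) and group search on /var/lib/tor (DataDirectoryGroupReadable 1 with mode 0750), which is why the activation hunk changes the directory mode and not only the file. The server-hash check in authenticate_safecookie is the reason to prefer SAFECOOKIE where a controller supports it: with the plain COOKIE method, a process that managed to bind 127.0.0.1:9051 before Tor would simply be handed the cookie.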