bug-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#57222: Guix Tor service needs a little more authority


From: Tobias Geerinckx-Rice
Subject: bug#57222: Guix Tor service needs a little more authority
Date: Mon, 15 Aug 2022 13:15:30 +0200

Hi all,

I recently found my Tor nodes dead, unable to bind to their port with a confusing ‘permission denied’ error.

This was caused by a regression in Guix's Tor service: it now uses ‘least-authority-wrapper’, meaning that it… well, hasn't the authority to bind to all ports. Oops.

Even today, (some, well-known) low ports are firewalled/flagged noticeably less than higher ones. Thankfully, DPI isn't the norm yet.

Reverting commit fb868cd7794f15e21298e5bdea996fbf0dad17ca fixes this.

Our service wasn't insecure before: Tor expects to be started as root and drop privileges through the torrc ‘User’ directive, not the way Guix now does it through namespaces.

Still, I'll take a stab at relaxing the service's POLA parameters to allow this, hoping to get the best of both worlds, but this is new territory to me. Maybe that's not possible.

Kind regards,

T G-R

Attachment: signature.asc
Description: PGP signature


reply via email to

[Prev in Thread] Current Thread [Next in Thread]