bug#57222: Guix Tor service needs a little more authority

bug-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#57222: Guix Tor service needs a little more authority

From:	Tobias Geerinckx-Rice
Subject:	bug#57222: Guix Tor service needs a little more authority
Date:	Mon, 15 Aug 2022 13:15:30 +0200

Hi all,

I recently found my Tor nodes dead, unable to bind to their portwith a confusing ‘permission denied’ error.

This was caused by a regression in Guix's Tor service: it now uses‘least-authority-wrapper’, meaning that it… well, hasn't theauthority to bind to all ports. Oops.

Even today, (some, well-known) low ports are firewalled/flaggednoticeably less than higher ones. Thankfully, DPI isn't the normyet.

Reverting commit fb868cd7794f15e21298e5bdea996fbf0dad17ca fixesthis.

Our service wasn't insecure before: Tor expects to be started asroot and drop privileges through the torrc ‘User’ directive, notthe way Guix now does it through namespaces.

Still, I'll take a stab at relaxing the service's POLA parametersto allow this, hoping to get the best of both worlds, but this isnew territory to me. Maybe that's not possible.


Kind regards,

T G-R

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

bug#57222: Guix Tor service needs a little more authority, Tobias Geerinckx-Rice <=

Prev by Date: bug#57189: guix import crate fails if optional dependency has a missing version
Next by Date: bug#57215: ci: Fail to evaluate Guix specification
Previous by thread: bug#57189: guix import crate fails if optional dependency has a missing version
Next by thread: bug#57225: emacs-build-system doesn't build .texi manual for a package.
Index(es):
- Date
- Thread