Introduce DataDirectoryGroupReadable boolean

4 files changed, 25 insertions, 1 deletions

diff --git a/changes/bug17562-DataDirectoryGroupReadable b/changes/bug17562-DataDirectoryGroupReadable
new file mode 100644
index 0000000000..524e5ef28a
--- /dev/null
+++ b/changes/bug17562-DataDirectoryGroupReadable
@@ -0,0 +1,3 @@
+  o Minor bug fixes:
+    - Introduce DataDirectoryGroupReadable boolean. If set to 1, the
+      DataDirectory will be made readable by the default GID.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index c5ef054f61..041b000f09 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -353,6 +353,11 @@ GENERAL OPTIONS
 [[DataDirectory]] **DataDirectory** __DIR__::
     Store working data in DIR (Default: @LOCALSTATEDIR@/lib/tor)
 
+[[DataDirectoryGroupReadable]] **DataDirectoryGroupReadable** **0**|**1**::
+    If this option is set to 0, don't allow the filesystem group to read the
+    DataDirectory. If the option is set to 1, make the DataDirectory readable
+    by the default GID. (Default: 0)
+
 [[FallbackDir]] **FallbackDir** __address__:__port__ orport=__port__ id=__fingerprint__ [weight=__num__]::
     When we're unable to connect to any directory cache for directory info
     (usually because we don't know about any yet) we try a FallbackDir.
diff --git a/src/or/config.c b/src/or/config.c
index 8d8c186d9c..d9ba774e7e 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -212,6 +212,7 @@ static config_var_t option_vars_[] = {
   V(CookieAuthFile,              STRING,   NULL),
   V(CountPrivateBandwidth,       BOOL,     "0"),
   V(DataDirectory,               FILENAME, NULL),
+  V(DataDirectoryGroupReadable,  BOOL,     "0"),
   V(DisableNetwork,              BOOL,     "0"),
   V(DirAllowPrivateAddresses,    BOOL,     "0"),
   V(TestingAuthDirTimeToLearnReachability, INTERVAL, "30 minutes"),
@@ -1186,16 +1187,30 @@ options_act_reversible(const or_options_t *old_options, char **msg)
   }
 
   /* Ensure data directory is private; create if possible. */
+  cpd_check_t cpd_group_opts = CPD_NONE;
+  if (options->DataDirectoryGroupReadable)
+      cpd_group_opts = CPD_GROUP_READ;
   if (check_private_dir(options->DataDirectory,
-                        running_tor ? CPD_CREATE : CPD_CHECK,
+                        running_tor ?
+                        CPD_CREATE|cpd_group_opts : CPD_CHECK|cpd_group_opts,
                         options->User)<0) {
     tor_asprintf(msg,
               "Couldn't access/create private data directory \"%s\"",
               options->DataDirectory);
+
     goto done;
     /* No need to roll back, since you can't change the value. */
   }
 
+#ifndef _WIN32
+  if (options->DataDirectoryGroupReadable) {
+    /* Only new dirs created get new opts, also enforce group read. */
+    if (chmod(options->DataDirectory, 0750)) {
+      log_warn(LD_FS,"Unable to make %s group-readable.", options->DataDirectory);
+    }
+  }
+#endif
+
   /* Bail out at this point if we're not going to be a client or server:
    * we don't run Tor itself. */
   if (!running_tor)
diff --git a/src/or/or.h b/src/or/or.h
index 5d02ed7037..945934e271 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3436,6 +3436,7 @@ typedef struct {
 
   char *DebugLogFile; /**< Where to send verbose log messages. */
   char *DataDirectory; /**< OR only: where to store long-term data. */
+  int DataDirectoryGroupReadable; /**< Boolean: Is the DataDirectory g+r? */
   char *Nickname; /**< OR only: nickname of this onion router. */
   char *Address; /**< OR only: configured address for this onion router. */
   char *PidFile; /**< Where to store PID of Tor process. */