1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
|
/* Copyright (c) 2003-2004, Roger Dingledine
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2019, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file restrict.c
* \brief Drop privileges from the current process.
**/
#include "orconfig.h"
#include "lib/process/restrict.h"
#include "lib/intmath/cmp.h"
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
#include "lib/net/socket.h"
#ifdef HAVE_SYS_MMAN_H
#include <sys/mman.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include <string.h>
/* We only use the linux prctl for now. There is no Win32 support; this may
* also work on various BSD systems and Mac OS X - send testing feedback!
*
* On recent Gnu/Linux kernels it is possible to create a system-wide policy
* that will prevent non-root processes from attaching to other processes
* unless they are the parent process; thus gdb can attach to programs that
* they execute but they cannot attach to other processes running as the same
* user. The system wide policy may be set with the sysctl
* kernel.yama.ptrace_scope or by inspecting
* /proc/sys/kernel/yama/ptrace_scope and it is 1 by default on Ubuntu 11.04.
*
* This ptrace scope will be ignored on Gnu/Linux for users with
* CAP_SYS_PTRACE and so it is very likely that root will still be able to
* attach to the Tor process.
*/
/** Attempt to disable debugger attachment: return 1 on success, -1 on
* failure, and 0 if we don't know how to try on this platform. */
int
tor_disable_debugger_attach(void)
{
int r = -1;
log_debug(LD_CONFIG,
"Attemping to disable debugger attachment to Tor for "
"unprivileged users.");
#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) \
&& defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
#define TRIED_TO_DISABLE
r = prctl(PR_SET_DUMPABLE, 0);
#elif defined(__APPLE__) && defined(PT_DENY_ATTACH)
#define TRIED_TO_ATTACH
r = ptrace(PT_DENY_ATTACH, 0, 0, 0);
#endif /* defined(__linux__) && defined(HAVE_SYS_PRCTL_H) ... || ... */
// XXX: TODO - Mac OS X has dtrace and this may be disabled.
// XXX: TODO - Windows probably has something similar
#ifdef TRIED_TO_DISABLE
if (r == 0) {
log_debug(LD_CONFIG,"Debugger attachment disabled for "
"unprivileged users.");
return 1;
} else {
log_warn(LD_CONFIG, "Unable to disable debugger attaching: %s",
strerror(errno));
}
#endif /* defined(TRIED_TO_DISABLE) */
#undef TRIED_TO_DISABLE
return r;
}
#if defined(HAVE_MLOCKALL) && HAVE_DECL_MLOCKALL && defined(RLIMIT_MEMLOCK)
#define HAVE_UNIX_MLOCKALL
#endif
#ifdef HAVE_UNIX_MLOCKALL
/** Attempt to raise the current and max rlimit to infinity for our process.
* This only needs to be done once and can probably only be done when we have
* not already dropped privileges.
*/
static int
tor_set_max_memlock(void)
{
/* Future consideration for Windows is probably SetProcessWorkingSetSize
* This is similar to setting the memory rlimit of RLIMIT_MEMLOCK
* http://msdn.microsoft.com/en-us/library/ms686234(VS.85).aspx
*/
struct rlimit limit;
/* RLIM_INFINITY is -1 on some platforms. */
limit.rlim_cur = RLIM_INFINITY;
limit.rlim_max = RLIM_INFINITY;
if (setrlimit(RLIMIT_MEMLOCK, &limit) == -1) {
if (errno == EPERM) {
log_warn(LD_GENERAL, "You appear to lack permissions to change memory "
"limits. Are you root?");
}
log_warn(LD_GENERAL, "Unable to raise RLIMIT_MEMLOCK: %s",
strerror(errno));
return -1;
}
return 0;
}
#endif /* defined(HAVE_UNIX_MLOCKALL) */
/** Attempt to lock all current and all future memory pages.
* This should only be called once and while we're privileged.
* Like mlockall() we return 0 when we're successful and -1 when we're not.
* Unlike mlockall() we return 1 if we've already attempted to lock memory.
*/
int
tor_mlockall(void)
{
static int memory_lock_attempted = 0;
if (memory_lock_attempted) {
return 1;
}
memory_lock_attempted = 1;
/*
* Future consideration for Windows may be VirtualLock
* VirtualLock appears to implement mlock() but not mlockall()
*
* http://msdn.microsoft.com/en-us/library/aa366895(VS.85).aspx
*/
#ifdef HAVE_UNIX_MLOCKALL
if (tor_set_max_memlock() == 0) {
log_debug(LD_GENERAL, "RLIMIT_MEMLOCK is now set to RLIM_INFINITY.");
}
if (mlockall(MCL_CURRENT|MCL_FUTURE) == 0) {
log_info(LD_GENERAL, "Insecure OS paging is effectively disabled.");
return 0;
} else {
if (errno == ENOSYS) {
/* Apple - it's 2009! I'm looking at you. Grrr. */
log_notice(LD_GENERAL, "It appears that mlockall() is not available on "
"your platform.");
} else if (errno == EPERM) {
log_notice(LD_GENERAL, "It appears that you lack the permissions to "
"lock memory. Are you root?");
}
log_notice(LD_GENERAL, "Unable to lock all current and future memory "
"pages: %s", strerror(errno));
return -1;
}
#else /* !(defined(HAVE_UNIX_MLOCKALL)) */
log_warn(LD_GENERAL, "Unable to lock memory pages. mlockall() unsupported?");
return -1;
#endif /* defined(HAVE_UNIX_MLOCKALL) */
}
/** Number of extra file descriptors to keep in reserve beyond those that we
* tell Tor it's allowed to use. */
#define ULIMIT_BUFFER 32 /* keep 32 extra fd's beyond ConnLimit_ */
/** Learn the maximum allowed number of file descriptors, and tell the
* system we want to use up to that number. (Some systems have a low soft
* limit, and let us set it higher.) We compute this by finding the largest
* number that we can use.
*
* If the limit is below the reserved file descriptor value (ULIMIT_BUFFER),
* return -1 and <b>max_out</b> is untouched.
*
* If we can't find a number greater than or equal to <b>limit</b>, then we
* fail by returning -1 and <b>max_out</b> is untouched.
*
* If we are unable to set the limit value because of setrlimit() failing,
* return 0 and <b>max_out</b> is set to the current maximum value returned
* by getrlimit().
*
* Otherwise, return 0 and store the maximum we found inside <b>max_out</b>
* and set <b>max_sockets</b> with that value as well.*/
int
set_max_file_descriptors(rlim_t limit, int *max_out)
{
if (limit < ULIMIT_BUFFER) {
log_warn(LD_CONFIG,
"ConnLimit must be at least %d. Failing.", ULIMIT_BUFFER);
return -1;
}
/* Define some maximum connections values for systems where we cannot
* automatically determine a limit. Re Cygwin, see
* http://archives.seul.org/or/talk/Aug-2006/msg00210.html
* For an iPhone, 9999 should work. For Windows and all other unknown
* systems we use 15000 as the default. */
#ifndef HAVE_GETRLIMIT
#if defined(CYGWIN) || defined(__CYGWIN__)
const char *platform = "Cygwin";
const unsigned long MAX_CONNECTIONS = 3200;
#elif defined(_WIN32)
const char *platform = "Windows";
const unsigned long MAX_CONNECTIONS = 15000;
#else
const char *platform = "unknown platforms with no getrlimit()";
const unsigned long MAX_CONNECTIONS = 15000;
#endif /* defined(CYGWIN) || defined(__CYGWIN__) || ... */
log_fn(LOG_INFO, LD_NET,
"This platform is missing getrlimit(). Proceeding.");
if (limit > MAX_CONNECTIONS) {
log_warn(LD_CONFIG,
"We do not support more than %lu file descriptors "
"on %s. Tried to raise to %lu.",
(unsigned long)MAX_CONNECTIONS, platform, (unsigned long)limit);
return -1;
}
limit = MAX_CONNECTIONS;
#else /* !(!defined(HAVE_GETRLIMIT)) */
struct rlimit rlim;
if (getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
log_warn(LD_NET, "Could not get maximum number of file descriptors: %s",
strerror(errno));
return -1;
}
if (rlim.rlim_max < limit) {
log_warn(LD_CONFIG,"We need %lu file descriptors available, and we're "
"limited to %lu. Please change your ulimit -n.",
(unsigned long)limit, (unsigned long)rlim.rlim_max);
return -1;
}
if (rlim.rlim_max > rlim.rlim_cur) {
log_info(LD_NET,"Raising max file descriptors from %lu to %lu.",
(unsigned long)rlim.rlim_cur, (unsigned long)rlim.rlim_max);
}
/* Set the current limit value so if the attempt to set the limit to the
* max fails at least we'll have a valid value of maximum sockets. */
*max_out = (int)rlim.rlim_cur - ULIMIT_BUFFER;
set_max_sockets(*max_out);
rlim.rlim_cur = rlim.rlim_max;
if (setrlimit(RLIMIT_NOFILE, &rlim) != 0) {
int couldnt_set = 1;
const int setrlimit_errno = errno;
#ifdef OPEN_MAX
uint64_t try_limit = OPEN_MAX - ULIMIT_BUFFER;
if (errno == EINVAL && try_limit < (uint64_t) rlim.rlim_cur) {
/* On some platforms, OPEN_MAX is the real limit, and getrlimit() is
* full of nasty lies. I'm looking at you, OSX 10.5.... */
rlim.rlim_cur = MIN((rlim_t) try_limit, rlim.rlim_cur);
if (setrlimit(RLIMIT_NOFILE, &rlim) == 0) {
if (rlim.rlim_cur < (rlim_t)limit) {
log_warn(LD_CONFIG, "We are limited to %lu file descriptors by "
"OPEN_MAX (%lu), and ConnLimit is %lu. Changing "
"ConnLimit; sorry.",
(unsigned long)try_limit, (unsigned long)OPEN_MAX,
(unsigned long)limit);
} else {
log_info(LD_CONFIG, "Dropped connection limit to %lu based on "
"OPEN_MAX (%lu); Apparently, %lu was too high and rlimit "
"lied to us.",
(unsigned long)try_limit, (unsigned long)OPEN_MAX,
(unsigned long)rlim.rlim_max);
}
couldnt_set = 0;
}
}
#endif /* defined(OPEN_MAX) */
if (couldnt_set) {
log_warn(LD_CONFIG,"Couldn't set maximum number of file descriptors: %s",
strerror(setrlimit_errno));
}
}
/* leave some overhead for logs, etc, */
limit = rlim.rlim_cur;
#endif /* !defined(HAVE_GETRLIMIT) */
if (limit > INT_MAX)
limit = INT_MAX;
tor_assert(max_out);
*max_out = (int)limit - ULIMIT_BUFFER;
set_max_sockets(*max_out);
return 0;
}
|
