-rw-r--r--community/tor/APKBUILD26
-rw-r--r--community/tor/tor.confd12
-rw-r--r--community/tor/tor.initd58
-rw-r--r--community/tor/tor.post-upgrade21
-rw-r--r--community/tor/torrc.sample.patch27
5 files changed, 113 insertions, 31 deletions
diff --git a/community/tor/APKBUILD b/community/tor/APKBUILD
index fec3d79804..3fcc9498a1 100644
--- a/community/tor/APKBUILD
+++ b/community/tor/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Sam Dodrill <shadow.h511@gmail.com>
pkgname=tor
pkgver=0.2.8.7
-pkgrel=0
+pkgrel=1
pkgdesc="Anonymous network connectivity"
url="https://www.torproject.org"
arch="all"
@@ -10,11 +10,12 @@ license="BSD"
pkgusers="tor"
depends=""
makedepends="linux-headers bash libevent-dev openssl-dev ca-certificates"
-install="$pkgname.pre-install"
+install="$pkgname.post-upgrade $pkgname.pre-install"
subpackages="$pkgname-doc"
source="https://www.torproject.org/dist/$pkgname-$pkgver.tar.gz
tor.initd
- tor.confd"
+ tor.confd
+ torrc.sample.patch"
builddir="$srcdir/$pkgname-$pkgver"
build() {
@@ -37,10 +38,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
- # Uncomment logging to file.
- sed -Ei 's/^#*(Log notice file.*)/\1/' \
- "$pkgdir"/etc/tor/torrc.sample || return 1
-
install -dm755 -o $pkgusers \
"$pkgdir"/var/lib/$pkgname \
"$pkgdir"/var/log/$pkgname || return 1
@@ -52,11 +49,14 @@ package() {
}
md5sums="59771fe2d098893fe955edfb8b13401f tor-0.2.8.7.tar.gz
-fb939d073a7a51e9814c10d1aabec0ce tor.initd
-e05a796ffc4981c22c167de11fa36ef9 tor.confd"
+1cecd1e1d7765128a35995c0b1a02d38 tor.initd
+9e3f6716ba5a50bd0d4d5643dea124d9 tor.confd
+4f5eaefecd46503afe7d6fd22875b775 torrc.sample.patch"
sha256sums="ae44e2b699e82db7ff318432fd558dfa941ad154e4055f16d208514951742fc6 tor-0.2.8.7.tar.gz
-04800394384a6ce4cad13bb1ffb8650a7ce799a574d897c0166180c19dd34f88 tor.initd
-41d780f291847e19f632428bbf27c3f289414afd237546d2974da1b75384c25c tor.confd"
+b6619d72d4f99e956328a555ea495e82d9f0b578e3697bbcbca80379df9f4c3f tor.initd
+864d7ff6c8a6b06734c3f314365304c6ba8b3b893e8f29ed5f6fb9869e647b4b tor.confd
+c1a7a5fab97ff328daf86fe4d2d2c7bc4580ba43d860d77c0b3f451525d6d058 torrc.sample.patch"
sha512sums="79156110804497509564d53a806dc8237e97755556bbaaed83d0f6a3470942a480e53693a7192996bad2b33fe1f77f60eb45e8122af9bfdc4a8f12b943cbc660 tor-0.2.8.7.tar.gz
-8dd2f56697b730881fa7e67088b0860a753fb7c3dad9eb3d2af6eb7b9cfa10aaaf01628e65cb139d423bdb97075b4b5fa72e44ffc80ea3f810ceff6429ec3d2a tor.initd
-9028ac41e3acdf4405095addb69537e87edecafaec840296ac27a5a8992fe132dc822e4e4abb8826f76460c438da2719dea17859690d03e17198a82086a3d660 tor.confd"
+6de4ada16ba58264a247da70343eabd763e992d6b6683977fc1c67b7b4a9731748a7ec9751e869ad4b4ae9c72cf71b2e12dc289bb6e2aee499917f7663f4a735 tor.initd
+2b0de119bfdf9eb57e13317b7392190b1b8272c8f96023c71d3fc29215d887e9a3d0ffcef37cdb50b18d34e4b2251f75a739e258e0bb72aabd3339418b22fd67 tor.confd
+da386ff7e387312e647f04d360517a1f4cb1efbee36f4a3a6feb89a979bb12fa350fe6dfed49af0cb076ae30bb0c527b5d54127683eaa5aa45d6940dddd89dfb torrc.sample.patch"
diff --git a/community/tor/tor.confd b/community/tor/tor.confd
index 4195bf3237..38a482cac9 100644
--- a/community/tor/tor.confd
+++ b/community/tor/tor.confd
@@ -1,3 +1,13 @@
-#
+# Location of the torrc configuration file.
+#conffile="/etc/tor/torrc"
+
+# User to start the tor daemon.
+# If "User" directive is set in $conffile, then this option is ignored (i.e.
+# tor is started under root, but it setuids to the specified User after start).
+#user="tor"
+
+# Timeout for gracefulstop
+#graceful_timeout="60"
+
# Set the file limit
rc_ulimit="-n 30000"
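Review bot: The new `graceful_timeout` comment does not say what unit the value is in, and a conf.d reader has no other place to look; the runscript defaults it to 60 and the old comment it replaces spoke of "30 secs or so", so it is presumably seconds. Suggest `# Timeout (in seconds) to wait for connections to close during gracefulstop.` above `#graceful_timeout="60"`, with "seconds" confirmed against the gracefulstop implementation, which is not part of this diff.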
diff --git a/community/tor/tor.initd b/community/tor/tor.initd
index 99ec8ae853..db8b2cff81 100644
--- a/community/tor/tor.initd
+++ b/community/tor/tor.initd
@@ -1,27 +1,23 @@
#!/sbin/openrc-run
-conffile="/etc/tor/torrc"
-pidfile="/run/tor/tor.pid"
-user="${user:-tor}"
-graceful_timeout="${GRACEFUL_TIMEOUT:-60}"
+: ${conffile:="/etc/tor/torrc"}
+: ${user:="tor"}
+: ${graceful_timeout:="${GRACEFUL_TIMEOUT:-60}"}
command="/usr/bin/tor"
-command_args="-f $conffile"
+command_args="-f $conffile --runasdaemon 0"
command_background="yes"
-start_stop_daemon_args="
- --user $user
- --chdir /var/lib/tor
- --env HOME=/var/lib/tor"
+start_stop_daemon_args="--chdir /var/lib/tor"
+pidfile="/run/tor/tor.pid"
-# See bug #523552, and https://trac.torproject.org/projects/tor/ticket/5525
-# Graceful = wait 30 secs or so until all connections are properly closed.
extra_commands="checkconfig"
-extra_started_commands="graceful gracefulstop reload"
+extra_started_commands="gracefulstop reload"
description="Anonymizing overlay network for TCP"
description_checkconfig="Check if config file is valid."
description_reload="Reload the configuration."
-description_gracefulstop="Gracefully stop."
+# See bug #523552, and https://trac.torproject.org/projects/tor/ticket/5525
+description_gracefulstop="Gracefully stop (wait $gracefulstop until all connections are properly closed)."
depend() {
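Review bot: The new `description_gracefulstop` line expands `$gracefulstop`, a variable that is never assigned anywhere in the script (the timeout set a few lines above is `graceful_timeout`), so the description is rendered as "wait  until all connections are properly closed"; change it to `description_gracefulstop="Gracefully stop (wait ${graceful_timeout}s until all connections are properly closed)."` (unit assumed to be seconds from the 60 default). A second point in the same hunk: `--env HOME=/var/lib/tor` is dropped from `start_stop_daemon_args`, and the upstream sample (see the torrc.sample.patch section) says tor stores its data in `$HOME/.tor` when DataDirectory is unset, so an upgraded host that keeps its pre-existing torrc without a DataDirectory line may silently get a different data directory unless start-stop-daemon's `--user` sets HOME; worth confirming before relying on the patched sample alone. Also `command_args="-f $conffile --runasdaemon 0"` embeds `$conffile` unquoted, which is later re-expanded inside a `su -c` string in checkconfig.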
@@ -36,15 +32,35 @@ checkconfig() {
fi
# Now verify whether the configuration is valid.
- if ! $command --verify-config -f "$conffile" 2>&1 1>/dev/null; then
- eerror "Tor configuration (${conffile}) not valid"
- $command --verify-config -f "$conffile"
- return 1
+ # If User directive is set in $conffile, then we must run tor as root,
+ # even --verify-config, otherwise it fails when verifying permissions
+ # of DataDirectory.
+ if conf_has User; then
+ local user="root"
fi
+ local out
+ out="$(su -s /bin/sh -c "$command $command_args --verify-config" $user 2>&1)" || {
+ eerror "Tor configuration $conffile is not valid"
+ printf '%s\n' "$out"
+ return 1
+ }
}
start_pre() {
checkconfig || return 1
+
+ # If User directive is set in $conffile, start tor as root and let it
+ # drop privileges itself (may be needed e.g. to bind to a privileged
+ # port). Otherwise run tor as $user (recommended).
+ if conf_has User; then
+ local user="$(conf_get User)"
+ else
+ start_stop_daemon_args="$start_stop_daemon_args --user $user"
+ fi
+
+ if conf_has DataDirectory; then
+ checkpath -d -m 0700 -o "$user" "$(conf_get DataDirectory)"
+ fi
checkpath -d -m 0755 -o "$user" "$(dirname "$pidfile")"
}
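Review bot: In the new checkconfig body `$user` is passed to `su` unquoted, and `$command_args` (which carries the conffile path) is interpolated into the `-c` command string, so a `conffile` value containing whitespace or shell metacharacters (settable from conf.d as of this change) is re-parsed by the child shell; at minimum quote the user, `out="$(su -s /bin/sh -c "$command $command_args --verify-config" "$user" 2>&1)" || {`, and consider building the `-c` string with `printf '%q'`-style quoting or passing the path via a fixed, validated variable. In start_pre, `local user="$(conf_get User)"` assumes conf_get yields exactly one clean token, but the helper added in the next hunk can return several lines or a value with trailing blanks, which then reaches `checkpath -o "$user"` and `--user $user`; a `[ -n "$user" ] || return 1` guard after the assignment would make the failure explicit instead of letting checkpath chown to an empty or multi-line owner. The `local user="$(…)"` form also masks conf_get's exit status, though here the preceding `conf_has` makes that mostly harmless.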
@@ -66,3 +82,11 @@ reload() {
start-stop-daemon --signal HUP --pidfile "$pidfile"
eend $?
}
+
+conf_get() {
+ sed -n "s/^\s*$1 \([^#]*\)/\1/p" "$conffile"
+}
+
+conf_has() {
+ grep -q "^\s*$1 " "$conffile"
+}
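Review bot: `conf_get` and `conf_has` match only a single literal space after the key and `conf_get` returns every matching line with its trailing whitespace intact, so `User<TAB>tor`, `User  tor` or a file that sets the option twice either goes undetected or yields a value that breaks the `checkpath -o "$user"` and `--user $user` uses in start_pre (a User line is also what decides whether tor is launched as root, so a missed match changes the privilege model, not just a path). The `\s` escape is a GNU extension rather than POSIX sed/grep syntax; `[[:space:]]` is portable. I would accept any whitespace after the key, strip trailing blanks, and collapse to the last occurrence, which as far as I recall is the one tor itself honours (it warns that earlier duplicates are ignored); `$1` is still interpolated into the pattern, which is fine only as long as callers keep passing fixed option names as they do here.

```shell
conf_get() {
	# Value of the last uncommented "$1 <value>" line in $conffile, with
	# trailing whitespace removed; any whitespace may separate key and value.
	sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\([^#]*\)/\1/p" "$conffile" \
		| sed 's/[[:space:]]*$//' | tail -n 1
}

conf_has() {
	grep -q "^[[:space:]]*$1[[:space:]]" "$conffile"
}
```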
diff --git a/community/tor/tor.post-upgrade b/community/tor/tor.post-upgrade
new file mode 100644
index 0000000000..ff00aab782
--- /dev/null
+++ b/community/tor/tor.post-upgrade
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+ver_new="$1"
+ver_old="$2"
+
+if [ "$(apk version -t "$ver_old" "0.2.8.7-r0")" = "<" ]; then
+ cat 1>&2 <<-EOF
+ *
+ * Tor runscript has been updated to start tor under unprivileged user "tor"
+ * by default. If it fails to start due to permissions error, then change owner
+ * of files in the DataDirectory (default is /var/lib/tor) to the tor user:
+ * chown -R tor /var/lib/tor
+ *
+ * If you need tor to bind a privileged port (e.g. 80), then add "User tor"
+ * to /etc/tor/torrc. Tor will be started under root, but then setuid to the
+ * tor user and drop privileges.
+ *
+ EOF
+fi
+
+exit 0
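Review bot: The here-document is introduced with `<<-EOF`, which strips leading tabs only; if the indentation of the message body and of the closing `EOF` in this file is spaces rather than tabs (the rendered diff cannot show which), the terminator is never recognised, the following `fi` is swallowed into the heredoc and the script fails to parse on every upgrade past the version check. Please verify the file uses tabs there, or drop the `-` and left-align the block. `ver_new` is assigned but never read; either remove the assignment or mark it `# shellcheck disable=SC2034` with a reason, and a one-line header comment stating that the script only prints the migration notice when upgrading from before 0.2.8.7-r0 would help the next reader.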
diff --git a/community/tor/torrc.sample.patch b/community/tor/torrc.sample.patch
new file mode 100644
index 0000000000..3360e9857f
--- /dev/null
+++ b/community/tor/torrc.sample.patch
@@ -0,0 +1,27 @@
+--- a/src/config/torrc.sample.in
++++ b/src/config/torrc.sample.in
+@@ -35,7 +35,7 @@
+ ## may provide sensitive information to an attacker who obtains the logs.
+ ##
+ ## Send all messages of level 'notice' or higher to @LOCALSTATEDIR@/log/tor/notices.log
+-#Log notice file @LOCALSTATEDIR@/log/tor/notices.log
++Log notice file @LOCALSTATEDIR@/log/tor/notices.log
+ ## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log
+ #Log debug file @LOCALSTATEDIR@/log/tor/debug.log
+ ## Use the system log instead of Tor's logfiles
+@@ -43,14 +43,9 @@
+ ## To send all messages to stderr:
+ #Log debug stderr
+
+-## Uncomment this to start the process in the background... or use
+-## --runasdaemon 1 on the command line. This is ignored on Windows;
+-## see the FAQ entry if you want Tor to run as an NT service.
+-#RunAsDaemon 1
+-
+ ## The directory for keeping all the keys/etc. By default, we store
+ ## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+-#DataDirectory @LOCALSTATEDIR@/lib/tor
++DataDirectory @LOCALSTATEDIR@/lib/tor
+
+ ## The port on which Tor will listen for local connections from Tor
+ ## controller applications, as documented in control-spec.txt.
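Review bot: The new patch file carries no description above its first `---` line, so nothing records why the distribution turns on `Log notice file` and `DataDirectory` in the shipped sample and removes the RunAsDaemon block; `patch` ignores text before the headers, so a short paragraph there (that file logging replaces the sed call removed from the APKBUILD, that DataDirectory must be explicit now that `--env HOME` is no longer passed by the runscript, and that `--runasdaemon 0` on the command line makes the RunAsDaemon hint misleading) would document the intent. Note also that the upstream comment kept just above the enabled Log line warns that logs "may provide sensitive information to an attacker who obtains the logs", so enabling file logging by default is a deliberate trade-off the header should acknowledge; the log directory itself is created owned by the tor user in the APKBUILD, so permissions look covered.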