From patchwork Sat Mar 27 11:06:40 2021
X-Patchwork-Submitter: raid5atemyhomework
X-Patchwork-Id: 28135
Subject: [bug#47155] [PATCH] gnu: Respect DataDirectoryGroupReadable option of tor.
From: raid5atemyhomework
To: Maxime Devos
Cc: 47155@debbugs.gnu.org
Date: Sat, 27 Mar 2021 11:06:40 +0000
In-Reply-To: <2385f734152be7ed5351bc07dcc7d77e5f22efd0.camel@telenet.be>
References: <2385f734152be7ed5351bc07dcc7d77e5f22efd0.camel@telenet.be>
Hello Maxime,

> > Note in particular that Bitcoin Core supports `ControlPort` and not `ControlSocket`, so
> > this is needed for Bitcoin Core support. From what I can see more daemons support
> > `ControlPort` than `ControlSocket`.
>
> Ok, but take a look at
> https://gitlab.torproject.org/legacy/trac/-/wikis/doc/bitcoin.
> Maybe it's out of date though: https://blog.torproject.org/tor-heart-cryptocurrencies

The issue is already known, and is mitigated by use of e.g. JoinMarket and Wasabi Wallet, when used with proper care to disentangle public coin addresses from your own spending. In my particular case, use of Tor is not for pseudonymity (though if you want I can provide a coin address for Bitcoin and you can try donating to it and see if you can track me using the described technique, so you can try seeing if it actually works against an expert user of Bitcoin), but rather as a replacement for my lack of a public IP address --- instead of using a public IP address (which my ISP is much too stupid to provide to me unless I get a ***much*** higher tier of paid support) I use a Tor hidden service to allow other users to connect to my node.

> > Thanks
> > raid5atemyhomework
> >
> > From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
> > From: raid5atemyhomework <raid5atemyhomework@protonmail.com>
> > Date: Sat, 27 Mar 2021 14:29:31 +0800
> > Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.
> >
> > * gnu/services/networking.scm (tor-configuration): Add `control-port?` field.
> > (tor-configuration->torrc): Support `control-port?` field.
> > (tor-activation): Allow group access to data directory if `control-port?`.
> > * doc/guix.texi (Networking Services)[Tor]: Describe new `control-port?` field.
>
> Usually we `quote', 'quote', "quote" or ‘quote’, but never `quote`.
> I recommend 'quote', as in
>
> commit 43937666ba6975b6c847be8e67cecd781ce27049
> Author: Ludovic Courtès <ludo@gnu.org>
> Date: Fri Mar 19 14:23:57 2021 +0100
>
> download: 'tls-wrap' treats premature TLS termination as EOF.
>
> This is a backport of Guile commit
> 076276c4f580368b4106316a77752d69c8f1494a.
>
> * guix/build/download.scm (tls-wrap)[read!]: Wrap 'get-bytevector-n!'
> call in 'catch' and handle 'error/premature-termination' GnuTLS errors.

Okay.

Thanks
raid5atemyhomework

From d9bea7635594654e1e631e4db55422c511f0220a Mon Sep 17 00:00:00 2001
From: raid5atemyhomework <raid5atemyhomework@protonmail.com>
Date: Sat, 27 Mar 2021 14:29:31 +0800
Subject: [PATCH] gnu: Add 'control-port?' setting to Tor.

* gnu/services/networking.scm (tor-configuration): Add 'control-port?' field.
(tor-configuration->torrc): Support 'control-port?' field.
(tor-activation): Allow group access to data directory if 'control-port?'.
* doc/guix.texi (Networking Services)[Tor]: Describe new 'control-port?' field.
---
 doc/guix.texi               | 13 +++++++++++++
 gnu/services/networking.scm | 24 +++++++++++++++++++++---
 2 files changed, 34 insertions(+), 3 deletions(-)

-- 
2.31.0

diff --git a/doc/guix.texi b/doc/guix.texi
index c23d044ff5..a9c8f930be 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -87,6 +87,7 @@ Copyright @copyright{} 2020 Daniel Brooks@* Copyright @copyright{} 2020 John Soo@* Copyright @copyright{} 2020 Jonathan Brielmaier@* Copyright @copyright{} 2020 Edgar Vincent@* +Copyright @copyright{} 2021 raid5atemyhomework@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -16676,6 +16677,18 @@ If @code{#t}, Tor will listen for control commands on the UNIX domain socket @file{/var/run/tor/control-sock}, which will be made writable by members of the @code{tor} group. +@item @code{control-port?} (default: @code{#f}) +Whether or not to provide a ``control port'' by which Tor can be controlled +to, for instance, dynamically instantiate tor onion services. This is more +commonly supported by Tor controllers than using a UNIX domain socket as +above. If @code{#t}, Tor will listen for authenticated control commands over +the control port 9051. In order to authenticate to this port, Tor controllers +need to read the cookie file at @file{/var/lib/tor/control_auth_cookie}, which +will be made readable by members of the @code{tor} group. + +This can be set to a number instead, which will make Tor listen for control +commands over the specified port number. + @end table @end deftp diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 231a9f66c7..a4fbeaadfe 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -747,7 +747,9 @@ demand."))) (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix (default 'tcp)) (control-socket? tor-control-socket-path - (default #f))) + (default #f)) + (control-port? tor-control-port? + (default #f))) ; #f | #t | number (define %tor-accounts ;; User account and groups for Tor. 
@@ -770,7 +772,8 @@ demand."))) "Return a 'torrc' file for CONFIG." (match config (($ tor config-file services - socks-socket-type control-socket?) + socks-socket-type control-socket? + control-port?) (computed-file "torrc" (with-imported-modules '((guix build utils)) @@ -795,6 +798,16 @@ UnixSocksGroupWritable 1\n" port)) ControlSocket unix:/var/run/tor/control-sock GroupWritable RelaxDirModeCheck ControlSocketsGroupWritable 1\n" port)) + (when #$control-port? + (format port + "\ +ControlPort ~a +CookieAuthentication 1 +CookieAuthFileGroupReadable 1 +DataDirectoryGroupReadable 1\n" + #$(if (eq? control-port? #t) + 9051 + control-port?))) (for-each (match-lambda ((service (ports hosts) ...) @@ -884,7 +897,12 @@ HiddenServicePort ~a ~a~%" ;; Allow Tor to access the hidden services' directories. (mkdir-p "/var/lib/tor") (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) - (chmod "/var/lib/tor" #o700) + ;; Allow Tor controllers to access the cookie file if control-port? + ;; By default this is where Tor puts the cookie file, and most Tor + ;; controllers expect this file location (and not on `/var/run/tor`). + (chmod "/var/lib/tor" #$(if (tor-control-port? config) + #o750 + #o700)) ;; Make sure /var/lib is accessible to the 'tor' user. (chmod "/var/lib" #o755)
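Review bot: the @code{control-port?} manual hunk (guix.texi, @@ -16676) says Tor "will listen for authenticated control commands over the control port 9051" but never says on which address; the generated torrc line is a bare "ControlPort ~a" with no address, so the entry should state explicitly that the port is bound to the loopback interface only, otherwise readers may assume a network-reachable control port. It would also help to say, as the existing @code{control-socket?} paragraph implies for the socket, that anyone who can read the cookie file can fully control the daemon, so adding a user to the @code{tor} group grants that control.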
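Review bot: in the record hunk (networking.scm, @@ -747), the field and accessor are named `control-port?` / `tor-control-port?` while the trailing comment "; #f | #t | number" says the slot may hold a port number; a `?`-suffixed name reads as a boolean. Either split this into a boolean plus a numeric port field, or add a check that rejects any value other than #f, #t or an integer in the valid port range, because whatever is stored here is later formatted straight into the "ControlPort ~a" torrc line by `(if (eq? control-port? #t) 9051 control-port?)`.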
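Review bot: the torrc hunk (@@ -795) emits "DataDirectoryGroupReadable 1" and "CookieAuthFileGroupReadable 1" together, and the activation hunk relaxes /var/lib/tor to #o750, so the whole data directory becomes traversable by the group, not just the cookie file; the activation comment explains that controllers expect the cookie at its default location, but that trade-off is not stated in the manual hunk. Either document in the @code{control-port?} entry that the data directory itself becomes group-traversable, or consider keeping the directory at 0700 and pointing CookieAuthFile at a group-readable path next to the existing /var/run/tor/control-sock.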
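Review bot: in the activation hunk (@@ -884), the new chmod to #o750 is paired with the unchanged `(chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user))`, so the group that gains read access is the primary group of %user; please confirm that this is the @code{tor} group the manual promises can read the cookie, or chown the directory to that group explicitly. Separately, the added comment quotes `/var/run/tor` with backticks, which conflicts with the 'quote' convention raised earlier in this thread.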