GNU bug report logs - #57222: Guix Tor service needs a little more authority
Message #5 received at submit <at> debbugs.gnu.org:
Hi all,

I recently found my Tor nodes dead, unable to bind to their port with a confusing ‘permission denied’ error.

This was caused by a regression in Guix's Tor service: it now uses ‘least-authority-wrapper’, meaning that it… well, hasn't the authority to bind to all ports. Oops.

Even today, (some, well-known) low ports are firewalled/flagged noticeably less than higher ones. Thankfully, DPI isn't the norm yet.

Reverting commit fb868cd7794f15e21298e5bdea996fbf0dad17ca fixes this.

Our service wasn't insecure before: Tor expects to be started as root and drop privileges through the torrc ‘User’ directive, not the way Guix now does it through namespaces.

Still, I'll take a stab at relaxing the service's POLA parameters to allow this, hoping to get the best of both worlds, but this is new territory to me. Maybe that's not possible.

Kind regards,
T G-R
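The ‘permission denied’ on bind() described above is, on Linux, the kernel refusing a port below net.ipv4.ip_unprivileged_port_start to a process without the effective capability CAP_NET_BIND_SERVICE. The following added example (not from the bug report or from Guix) decodes a process's CapEff mask from /proc/<pid>/status and checks it against that threshold, so an operator can confirm whether a sandboxed service has the authority for the port it is configured to listen on; the default threshold of 1024 and the bit index 10 are assumptions taken from <linux/capability.h> and the kernel sysctl documentation.

```python
"""Check whether a Linux process may bind a given TCP/UDP port.

Added example, not part of the bug report or of Guix. Binding a port below
net.ipv4.ip_unprivileged_port_start needs CAP_NET_BIND_SERVICE in the
effective set; a sandboxed service that lost it gets EACCES on bind().
"""
from __future__ import annotations

import re
from pathlib import Path

CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h> (assumed)
DEFAULT_UNPRIV_PORT_START = 1024  # assumed kernel default for the sysctl


def has_capability(cap_eff_hex: str, cap: int) -> bool:
    """True if capability bit `cap` is set in a CapEff hex mask."""
    return bool((int(cap_eff_hex, 16) >> cap) & 1)


def can_bind_port(port: int, cap_eff_hex: str,
                  unpriv_start: int = DEFAULT_UNPRIV_PORT_START) -> bool:
    """Ports at or above the threshold are free; lower ones need the cap."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    if port >= unpriv_start:
        return True
    return has_capability(cap_eff_hex, CAP_NET_BIND_SERVICE)


def parse_cap_eff(status_text: str) -> str:
    """Extract the CapEff mask from the text of /proc/<pid>/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    return match.group(1)


def read_unpriv_port_start() -> int:
    """Current sysctl value, falling back to the assumed default."""
    try:
        return int(Path("/proc/sys/net/ipv4/ip_unprivileged_port_start").read_text())
    except (OSError, ValueError):
        return DEFAULT_UNPRIV_PORT_START


def diagnose(pid: int | str, port: int) -> str:
    """Human-readable verdict for a live process (Linux only)."""
    cap_eff = parse_cap_eff(Path(f"/proc/{pid}/status").read_text())
    start = read_unpriv_port_start()
    verdict = "can" if can_bind_port(port, cap_eff, start) else "cannot"
    return f"pid {pid} {verdict} bind port {port} (CapEff={cap_eff}, threshold={start})"


# Constructed samples: a fully unprivileged process and a full root capability set.
SAMPLE_STATUS_UNPRIV = "Name:\ttor\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
SAMPLE_STATUS_ROOT = "Name:\tbash\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    print(diagnose("self", 443))
```

Run it against the PID of the wrapped tor process to see which of the two remedies applies: granting only CAP_NET_BIND_SERVICE inside the wrapper, or lowering the sysctl threshold so the configured ORPort no longer counts as privileged.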
This bug report was last modified 2 years and 305 days ago.