From 08c7ceb5dff3db5ba28de8370bae23f4bf6ec444 Mon Sep 17 00:00:00 2001 From: Jamie Nguyen Date: Fri, 13 Nov 2015 14:17:02 +0000 Subject: [PATCH] Permit filesystem group to be root --- changes/bug17562-allow-root-group-read | 6 ++++++ src/common/util.c | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 changes/bug17562-allow-root-group-read diff --git a/changes/bug17562-allow-root-group-read b/changes/bug17562-allow-root-group-read new file mode 100644 index 0000000000..7a0903c662 --- /dev/null +++ b/changes/bug17562-allow-root-group-read @@ -0,0 +1,6 @@ + o Minor bug fixes: + - If any directory created by Tor is marked as group readable, the + filesystem group is allowed to be either the default GID or the root + user. Allowing root to read the DataDirectory prevents the need for + CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or + dac_read_search when using SELinux. diff --git a/src/common/util.c b/src/common/util.c index ce3646cd64..6d522de434 100644 --- a/src/common/util.c +++ b/src/common/util.c @@ -2143,7 +2143,7 @@ check_private_dir(const char *dirname, cpd_check_t check, return -1; } if ( (check & (CPD_GROUP_OK|CPD_GROUP_READ)) - && (st.st_gid != running_gid) ) { + && (st.st_gid != running_gid) && (st.st_gid != 0)) { struct group *gr; char *process_groupname = NULL; gr = getgrgid(running_gid);