New configuration option: DisableDebuggerAttachment

If set to 1, Tor will attempt to prevent basic debugging
attachment attempts by other processes. (Default: 1)

Supports Mac OS X and Gnu/Linux.

Sebastian provided useful feedback and refactoring suggestions.

Signed-off-by: Jacob Appelbaum <jacob@appelbaum.net>
This commit is contained in:
Jacob Appelbaum 2011-05-30 17:06:51 +02:00
parent 6f200b61b7
commit f79a75f597
4 changed files with 87 additions and 0 deletions

View File

@ -0,0 +1,14 @@
o Minor features:
- If set to 1, Tor will attempt to prevent basic debugging attachment
attempts by other processes. It has no impact for users who wish to
attach if they have CAP_SYS_PTRACE or if they are root. We believe that
this feature works on modern Gnu/Linux distributions, and that it may
also work on *BSD systems (untested). Some modern Gnu/Linux systems such
as Ubuntu have the kernel.yama.ptrace_scope sysctl and by default enable
it as an attempt to limit the PTRACE scope for all user processes by
default. This feature will attempt to limit the PTRACE scope for Tor
specifically - it will not attempt to alter the system wide ptrace scope
as it may not even exist. If you wish to attach to Tor with a debugger
such as gdb or strace you will want to set this to 0 for the duration of
your debugging. Normal users should leave it on. (Default: 1)

View File

@ -251,6 +251,20 @@ Other options can be specified either on the command-line (--option
option requires that you start your Tor as root, and you should use the
**User** option to properly reduce Tor's privileges. (Default: 0)
**DisableDebuggerAttachment** **0**|**1**::
If set to 1, Tor will attempt to prevent basic debugging attachment attempts
by other processes. It has no impact for users who wish to attach if they
have CAP_SYS_PTRACE or if they are root. We believe that this feature
works on modern Gnu/Linux distributions, and that it may also work on *BSD
systems (untested). Some modern Gnu/Linux systems such as Ubuntu have the
kernel.yama.ptrace_scope sysctl and by default enable it as an attempt to
limit the PTRACE scope for all user processes by default. This feature will
attempt to limit the PTRACE scope for Tor specifically - it will not attempt
to alter the system wide ptrace scope as it may not even exist. If you wish
to attach to Tor with a debugger such as gdb or strace you will want to set
this to 0 for the duration of your debugging. Normal users should leave it
on. (Default: 1)
**FetchDirInfoEarly** **0**|**1**::
If set to 1, Tor will always fetch directory information like other
directory caches, even if you don't meet the normal criteria for fetching

View File

@ -40,6 +40,14 @@
#include "procmon.h"
/* Includes for the process attaching prevention */
#if defined(HAVE_SYS_PRCTL_H) && defined(__linux__)
#include <sys/prctl.h>
#elif defined(__APPLE__)
#include <sys/types.h>
#include <sys/ptrace.h>
#endif
/** Enumeration of types which option values can take */
typedef enum config_type_t {
CONFIG_TYPE_STRING = 0, /**< An arbitrary string. */
@ -238,6 +246,7 @@ static config_var_t _option_vars[] = {
V(DirReqStatistics, BOOL, "1"),
VAR("DirServer", LINELIST, DirServers, NULL),
V(DisableAllSwap, BOOL, "0"),
V(DisableDebuggerAttachment, BOOL, "1"),
V(DisableIOCP, BOOL, "1"),
V(DNSPort, PORT, "0"),
V(DNSListenAddress, LINELIST, NULL),
@ -649,6 +658,47 @@ get_dirportfrontpage(void)
return global_dirfrontpagecontents;
}
/* We only use the linux prctl for now. There is no Win32 support; this may
* also work on various BSD systems and Mac OS X - send testing feedback!
*
* On recent Gnu/Linux kernels it is possible to create a system-wide policy
* that will prevent non-root processes from attaching to other processes
* unless they are the parent process; thus gdb can attach to programs that
* they execute but they cannot attach to other processes running as the same
* user. The system wide policy may be set with the sysctl
* kernel.yama.ptrace_scope or by inspecting /proc/sys/kernel/yama/ptrace_scope
* and it is 1 by default on Ubuntu 11.04.
*
* This ptrace scope will be ignored on Gnu/Linux for users with
* CAP_SYS_PTRACE and so it is very likely that root will still be able to
* attach to the Tor process.
*/
/** Attempt to disable debugger attachment. */
static int tor_disable_debugger_attach(void) {
int r;
r = -1;
log_debug(LD_CONFIG,
"Attemping to disable debugger attachment to Tor for unprivileged users.");
#if defined(__linux__) && defined(HAVE_SYS_PRCTL_H) && defined(HAVE_PRCTL)
#ifdef PR_SET_DUMPABLE
r = prctl(PR_SET_DUMPABLE, 0);
#endif
#endif
#if defined(__APPLE__) && defined(PT_DENY_ATTACH)
r = ptrace(PT_DENY_ATTACH, 0, 0, 0);
#endif
// XXX: TODO - Mac OS X has dtrace and this may be disabled - implement it here
// XXX: TODO - Windows probably has something similar - implement it here
if (r == 0) {
log_debug(LD_CONFIG,"Debugger attachment disabled for unprivileged users.");
} else {
log_warn(LD_CONFIG, "Unable to disable ptrace attach: %s",
strerror(errno));
}
return r;
}
/** Allocate an empty configuration object of a given format type. */
static void *
config_alloc(config_format_t *fmt)
@ -1195,6 +1245,13 @@ options_act(or_options_t *old_options)
int running_tor = options->command == CMD_RUN_TOR;
char *msg;
/* disable ptrace and later, other basic debugging techniques */
if (options->DisableDebuggerAttachment) {
tor_disable_debugger_attach();
} else {
log_notice(LD_CONFIG,"Debugger attachment enabled for unprivileged users.");
}
if (running_tor && !have_lockfile()) {
if (try_locking(options, 1) < 0)
return -1;

View File

@ -2900,6 +2900,8 @@ typedef struct {
disclaimer. This allows a server administrator to show
that they're running Tor and anyone visiting their server
will know this without any specialized knowledge. */
int DisableDebuggerAttachment; /**< Currently Linux only specific attempt to
disable ptrace; needs BSD testing. */
/** Boolean: if set, we start even if our resolv.conf file is missing
* or broken. */
int ServerDNSAllowBrokenConfig;