diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2016-12-20 16:01:10 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2016-12-20 16:24:46 -0400 |
| commit | e493cbaace4651d5e7da26834ab108cfae3df1dc (patch) | |
| tree | c6c0ae6c9f7f3166a6fd29a28f08055fcb48a840 /RemoteDaemon | |
| parent | d4a2f8c92ce3afe9b670938480a12d9c84566bfc (diff) | |
relocate tor socket out of /etc
weasel explained that apparmor limits on what files tor can read do not
apply to sockets (because they're not files). And apparently the
problems I was seeing with hidden services not being accessible had to
do with onion address propigation and not the location of the socket
file.
remotedaemon looks up the HiddenServicePort in torrc, so if it was
previously configured with the socket in /etc, that will still work.
This commit was sponsored by Denis Dzyubenko on Patreon.
Diffstat (limited to 'RemoteDaemon')
| -rw-r--r-- | RemoteDaemon/Transport/Tor.hs | 61 |
1 files changed, 33 insertions, 28 deletions
diff --git a/RemoteDaemon/Transport/Tor.hs b/RemoteDaemon/Transport/Tor.hs index 61e1189a5..3f70fb1fb 100644 --- a/RemoteDaemon/Transport/Tor.hs +++ b/RemoteDaemon/Transport/Tor.hs @@ -39,36 +39,41 @@ import qualified Network.Socket as S server :: TransportHandle -> IO () server th@(TransportHandle (LocalRepo r) _) = do u <- liftAnnex th getUUID - - q <- newTBMQueueIO maxConnections - replicateM_ maxConnections $ - forkIO $ forever $ serveClient th u r q - uid <- getRealUserID let ident = fromUUID u - let sock = hiddenServiceSocketFile uid ident - nukeFile sock - soc <- S.socket S.AF_UNIX S.Stream S.defaultProtocol - S.bind soc (S.SockAddrUnix sock) - -- Allow everyone to read and write to the socket; tor is probably - -- running as a different user. Connections have to authenticate - -- to do anything, so it's fine that other local users can connect. - modifyFileMode sock $ addModes - [groupReadMode, groupWriteMode, otherReadMode, otherWriteMode] - S.listen soc 2 - debugM "remotedaemon" "Tor hidden service running" - forever $ do - (conn, _) <- S.accept soc - h <- setupHandle conn - ok <- atomically $ ifM (isFullTBMQueue q) - ( return False - , do - writeTBMQueue q h - return True - ) - unless ok $ do - hClose h - warningIO "dropped Tor connection, too busy" + go u =<< getHiddenServiceSocketFile uid ident + where + go u (Just sock) = do + q <- newTBMQueueIO maxConnections + replicateM_ maxConnections $ + forkIO $ forever $ serveClient th u r q + + nukeFile sock + soc <- S.socket S.AF_UNIX S.Stream S.defaultProtocol + S.bind soc (S.SockAddrUnix sock) + -- Allow everyone to read and write to the socket; tor + -- is probably running as a different user. + -- Connections have to authenticate to do anything, + -- so it's fine that other local users can connect to the + -- socket. + modifyFileMode sock $ addModes + [groupReadMode, groupWriteMode, otherReadMode, otherWriteMode] + + S.listen soc 2 + debugM "remotedaemon" "Tor hidden service running" + forever $ do + (conn, _) <- S.accept soc + h <- setupHandle conn + ok <- atomically $ ifM (isFullTBMQueue q) + ( return False + , do + writeTBMQueue q h + return True + ) + unless ok $ do + hClose h + warningIO "dropped Tor connection, too busy" + go _ Nothing = debugM "remotedaemon" "Tor hidden service not enabled" -- How many clients to serve at a time, maximum. This is to avoid DOS attacks. maxConnections :: Int |