From 0322f857ba5d5d7064e82e4faefe6ea8f5aa04d7 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sun, 7 Jun 2015 17:11:26 +0200
Subject: [PATCH 1/5] security/tor-devel: Warn if IP ids are not randomized

---
 security/tor-devel/files/patch-src-or-config.c | 62 ++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 security/tor-devel/files/patch-src-or-config.c

diff --git a/security/tor-devel/files/patch-src-or-config.c b/security/tor-devel/files/patch-src-or-config.c
new file mode 100644
index 0000000..45cd1c9
--- /dev/null
+++ b/security/tor-devel/files/patch-src-or-config.c
@@ -0,0 +1,62 @@
+From 4cea2cc4301b9dc41fbfe5eebc15eeb7787d3d22 Mon Sep 17 00:00:00 2001
+From: Fabian Keil
+Date: Tue, 7 Apr 2015 16:36:05 +0200
+Subject: [PATCH] Complain if net.inet.ip.random_id is not set on FreeBSD-based
+ servers
+
+Apparently a couple of operators haven't gotten the memos [0] yet
+and it looks like FreeBSD's default value will not change any time
+soon [1].
+
+[0]:
+https://lists.torproject.org/pipermail/tor-relays/2014-March/004199.html
+https://lists.torproject.org/pipermail/tor-relays/2014-November/005687.html
+https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=195828
+
+[1]:
+https://lists.freebsd.org/pipermail/freebsd-net/2015-April/041942.html
+---
+ src/or/config.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git src/or/config.c src/or/config.c
+index 00de0b9..9ae1c3d 100644
+--- src/or/config.c
++++ src/or/config.c
+@@ -52,6 +52,9 @@
+ #ifdef _WIN32
+ #include
+ #endif
++#ifdef __FreeBSD__
++#include
++#endif
+ 
+ #include "procmon.h"
+ 
+@@ -2662,6 +2665,23 @@ options_validate(or_options_t *old_options, or_options_t *options,
+ "Please consider setting it, so we can contact you if your server is "
+ "misconfigured or something else goes wrong.");
+ 
++#ifdef __FreeBSD__
++ if (server_mode(options)) {
++ int random_id_state;
++ size_t state_size = sizeof(random_id_state);
++
++ if (sysctlbyname("net.inet.ip.random_id", &random_id_state,
++ &state_size, NULL, 0)) {
++ log_warn(LD_CONFIG,
++ "Failed to figure out if IP ids are randomized.");
++ } else if (random_id_state == 0) {
++ log_warn(LD_CONFIG, "Looks like IP ids are not randomized. "
++ "Please consider setting the net.inet.ip.random_id sysctl, "
++ "so your relay makes it harder to figure out how busy it is.");
++ }
++ }
++#endif
++
+ /* Special case on first boot if no Log options are given. */
+ if (!options->Logs && !options->RunAsDaemon && !from_setconf) {
+ if (quiet_level == 0)
+-- 
+2.3.0
+
-- 
2.6.3
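Review bot: The failure branch of the sysctlbyname() call in the second embedded hunk discards errno, so `Failed to figure out if IP ids are randomized.` gives an operator nothing to act on when the sysctl lookup fails; log the reason, e.g. `log_warn(LD_CONFIG, "Failed to figure out if IP ids are randomized: %s", strerror(errno));`. The two `#include` lines in the first embedded hunk show no header name here, presumably lost in rendering; confirm the FreeBSD block pulls in `<sys/types.h>` and `<sys/sysctl.h>`, which sysctlbyname() needs. The warning is the right defensive shape (read-only probe, advisory message, relays only via server_mode), and the enclosing options_validate() starts and ends outside the hunk.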
From a9d87da3745ac2893d2f7cd9b9a690c86a867925 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 12 Jun 2015 20:29:43 +0200
Subject: [PATCH 2/5] security/tor-devel: Stop specifying a log file on the command line

It's annoying and confusing for users that need more than one log file.
---
 security/tor-devel/files/tor.in | 13 ++----------
 1 file changed, 2 insertions(+), 11 deletions(-)
 mode change 100644 => 100755 security/tor-devel/files/tor.in

diff --git a/security/tor-devel/files/tor.in b/security/tor-devel/files/tor.in
old mode 100644
new mode 100755
index 54c3730..3ea0285
--- a/security/tor-devel/files/tor.in
+++ b/security/tor-devel/files/tor.in
@@ -15,8 +15,6 @@
 # Default: %%PREFIX%%/etc/tor/torrc
 # tor_user (str): Tor daemon user. Default: _tor
 # tor_datadir (str): Tor datadir. Default: /var/db/tor
-# tor_logfile (str): Tor log file. Default: /var/log/tor
-# tor_loglevel (str): Tor log severity level. Default: notice
 #
 
 . /etc/rc.subr
@@ -30,21 +28,14 @@ load_rc_config ${name}
 : ${tor_conf="%%PREFIX%%/etc/tor/torrc"}
 : ${tor_user="_tor"}
 : ${tor_pidfile="/var/run/tor/tor.pid"}
-: ${tor_logfile="/var/log/tor"}
-: ${tor_loglevel="notice"}
 : ${tor_datadir="/var/db/tor"}
 
 required_files=${tor_conf}
 required_dirs=${tor_datadir}
 pidfile=${tor_pidfile}
 command="%%PREFIX%%/bin/${name}"
-command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir} --+Log ${tor_loglevel}\ file\ ${tor_logfile}"
-extra_commands="log reload"
-log_cmd="${name}_log"
-
-tor_log() {
- cat ${tor_logfile}
-}
+command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir}"
+extra_commands="reload"
 
 run_rc_command "$1"
 
-- 
2.6.3

From 567a2be91a0e1b526737cf7264dfc35329ef56cc Mon Sep 17 00:00:00 2001
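Review bot: With `--+Log` removed from command_args in the second hunk, nothing in the script configures logging any more, and the first-boot default visible in patch 1's context (`if (!options->Logs && !options->RunAsDaemon && !from_setconf)`) does not apply while RunAsDaemon is 1, so a torrc without a Log line looks like it yields a daemonized tor that logs nowhere, which an operator discovers only when an incident needs the trail. The commit message gives the motivation but the script no longer says where logging comes from; the two header lines deleted in the first hunk should be replaced by a line such as `# Logging is configured in tor_conf (Log lines); this script sets no default log.` A one-time notice at upgrade (e.g. in pkg-message.in) would also help users who relied on the old /var/log/tor default.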
From: Fabian Keil
Date: Sat, 13 Jun 2015 11:18:36 +0200
Subject: [PATCH 3/5] security/tor-devel: Remove recommendation to set net.inet.ip.random_id=1 as it's the ElectroBSD default

---
 security/tor-devel/files/pkg-message.in | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/security/tor-devel/files/pkg-message.in b/security/tor-devel/files/pkg-message.in
index cf0accc..b2bf82f 100644
--- a/security/tor-devel/files/pkg-message.in
+++ b/security/tor-devel/files/pkg-message.in
@@ -12,10 +12,5 @@ touch /var/log/tor
 chown -R _tor:_tor /var/db/tor /var/log/tor /var/run/tor
 chmod -R 700 /var/db/tor
 
-before starting the tor server. Tor users are strongly advised to prevent traffic
-analysis that exploits sequential IP IDs by setting:
-
-sysctl net.inet.ip.random_id=1
-
-(see sysctl.conf(5)).
+before starting the tor server.
 ================================================================================
-- 
2.6.3

From d965b0589320b39e2676af005678504e7adc4e51 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Sat, 15 Aug 2015 16:27:00 +0200
Subject: [PATCH 4/5] security/tor-devel: Automatically create essential directories

---
 security/tor-devel/files/pkg-message.in | 12 +----------
 security/tor-devel/files/tor.in | 27 ++++++++++++++++++++++++++-
 2 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/security/tor-devel/files/pkg-message.in b/security/tor-devel/files/pkg-message.in
index b2bf82f..8b602d2 100644
--- a/security/tor-devel/files/pkg-message.in
+++ b/security/tor-devel/files/pkg-message.in
@@ -2,15 +2,5 @@
 To enable the tor server, set tor_enable="YES" in your /etc/rc.conf and
 edit %%PREFIX%%/etc/tor/torrc as desired. (However, note that the
 %%PREFIX%%/etc/rc.d/tor rc.subr script can override some torrc
-options: see that script for details.) To use the torify script, install
-the net/torsocks port. After installing tor for the first time, or after
-a major update of tor, you should:
-
-rm -r /var/db/tor /var/run/tor
-mkdir -p /var/db/tor/data /var/run/tor
-touch /var/log/tor
-chown -R _tor:_tor /var/db/tor /var/log/tor /var/run/tor
-chmod -R 700 /var/db/tor
-
-before starting the tor server.
+options: see that script for details.)
 ================================================================================
diff --git a/security/tor-devel/files/tor.in b/security/tor-devel/files/tor.in
index 3ea0285..8f041e8 100755
--- a/security/tor-devel/files/tor.in
+++ b/security/tor-devel/files/tor.in
@@ -27,12 +27,37 @@ load_rc_config ${name}
 : ${tor_enable="NO"}
 : ${tor_conf="%%PREFIX%%/etc/tor/torrc"}
 : ${tor_user="_tor"}
-: ${tor_pidfile="/var/run/tor/tor.pid"}
+: ${tor_piddir="/var/run/tor"}
+: ${tor_pidfile="${tor_piddir}/tor.pid"}
 : ${tor_datadir="/var/db/tor"}
+: ${tor_logdir="/var/log/tor"}
+
+tor_prestart () {
+ if [ ! -d ${tor_logdir} ]; then
+ echo ${tor_logdir} not found. Creating ...
+ mkdir -p ${tor_logdir}
+ chown ${tor_user}:${tor_user} ${tor_logdir}
+ chmod 0750 ${tor_logdir}
+ fi
+ if [ ! -d ${tor_datadir} ]; then
+ echo ${tor_datadir} not found. Creating ...
+ mkdir -p ${tor_datadir}
+ chown ${tor_user}:${tor_user} ${tor_datadir}
+ chmod 0700 ${tor_datadir}
+ fi
+ if [ ! -d ${tor_piddir} ]; then
+ echo ${tor_logdir} not found. Creating ...
+ mkdir -p ${tor_piddir}
+ chown ${tor_user}:${tor_user} ${tor_piddir}
+ fi
+}
+
+start_precmd="tor_prestart"
 
 required_files=${tor_conf}
 required_dirs=${tor_datadir}
 pidfile=${tor_pidfile}
+
 command="%%PREFIX%%/bin/${name}"
 command_args="-f ${tor_conf} --PidFile ${tor_pidfile} --RunAsDaemon 1 --DataDirectory ${tor_datadir}"
 extra_commands="reload"
-- 
2.6.3

From cf9521d3c43c0709ee506349665eed45caff2805 Mon Sep 17 00:00:00 2001
From: Fabian Keil
Date: Fri, 12 Jun 2015 21:55:38 +0200
Subject: [PATCH 5/5] securtiy/tor-devel: Update to 0.2.7.4-rc

---
 security/tor-devel/Makefile | 2 +-
 security/tor-devel/distinfo | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/tor-devel/Makefile b/security/tor-devel/Makefile
index 2348f87..7e6e380 100644
--- a/security/tor-devel/Makefile
+++ b/security/tor-devel/Makefile
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME= tor
-DISTVERSION= 0.2.6.7
+DISTVERSION= 0.2.7.4-rc
 CATEGORIES= security net ipv6
 MASTER_SITES= TOR
 PKGNAMESUFFIX= -devel
diff --git a/security/tor-devel/distinfo b/security/tor-devel/distinfo
index 90d1217..9f242a3 100644
--- a/security/tor-devel/distinfo
+++ b/security/tor-devel/distinfo
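Review bot: The third block of tor_prestart() reports the wrong path: it tests `${tor_piddir}` but prints `${tor_logdir} not found. Creating ...`, so the operator is told the log directory is being created when it is the pid directory; change that line to `echo ${tor_piddir} not found. Creating ...`. That block is also the only one without a chmod, so the pid directory keeps whatever mode the umask gives while the log and data directories get 0750 and 0700; if that is intended, a short comment saying so would stop the next reader from "fixing" it. Separately, `required_dirs=${tor_datadir}` is kept; if rc.subr checks required_dirs before running start_precmd, a missing datadir aborts the start before tor_prestart gets a chance to create it, so either confirm the order or drop tor_datadir from required_dirs now that the precmd owns creation.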
@@ -1,2 +1,2 @@
-SHA256 (tor-0.2.6.7.tar.gz) = 8c2be88a542ed1b22a8d3d595ec0acd0e28191de273dbcaefc64fdce92b89e6c
-SIZE (tor-0.2.6.7.tar.gz) = 3595669
+SHA256 (tor-0.2.7.4-rc.tar.gz) = 6741c3e6abfedb76be781b767b77f794ee1a0f554cc4ccf083e44d4d9dc8af67
+SIZE (tor-0.2.7.4-rc.tar.gz) = 4830972
-- 
2.6.3