Tor: fix permission issue (#286)

* setup: set permissions for the log file and create it when missing

* create dirs for hidden services

* Update make_hidden_service_dirs.php

* Tor: add pid dir to setup.sh

* add copyright header to PHP files

security/tor/src/opnsense/service/scripts/tor/get_hostnames

@@ -1,6 +1,35 @@
 #!/usr/local/bin/php
 <?php
 
+/*
+
+    Copyright (C) 2017 Fabian Franz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+
+*/
+
 require_once("config.inc");
 require_once('tor_helper.php');
 use \OPNsense\Tor\HiddenService;

security/tor/src/opnsense/service/scripts/tor/make_hidden_service_dirs.php

@@ -0,0 +1,47 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+
+    Copyright (C) 2017 Fabian Franz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+
+*/
+
+require_once("config.inc");
+require_once('tor_helper.php');
+use \OPNsense\Tor\HiddenService;
+
+$services = new HiddenService();
+foreach ($services->service->__items as $service) {
+    $directory_name = ((string)$service->name);
+    $hostdir = TOR_DATA_DIR . '/' . $directory_name;
+    if (!file_exists($hostdir)) {
+        mkdir($hostdir);
+        chown($hostdir, '_tor');
+        chgrp($hostdir, '_tor');
+        chmod($hostdir, 0700);
+    }
+}

security/tor/src/opnsense/service/scripts/tor/setup.sh

@@ -6,5 +6,14 @@ mkdir -p /var/run/tor
 chown _tor:_tor /var/db/tor
 chmod 700 /var/db/tor
 
+touch /var/log/tor.log
+chmod 700 /var/log/tor.log
+chown _tor:_tor /var/log/tor.log
+
+chown _tor:_tor /var/run/tor
+
+# create hidden service dirs:
+/usr/local/opnsense/service/scripts/tor/make_hidden_service_dirs.php
+
 # required to access the pf device for nat
 /usr/sbin/pw groupmod proxy -m _tor

security/tor/src/opnsense/service/scripts/tor/tor_helper.php

@@ -1,3 +1,32 @@
 <?php
 
+/*
+
+    Copyright (C) 2017 Fabian Franz
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+
+*/
+
 define('TOR_DATA_DIR', '/var/db/tor');