Opened 9 years ago

Closed 9 years ago

#268 closed defect (fixed)

I2P 0.8.1 Auto Permission Change

Reported by: anonymous@…
Owned by: zzz
Priority: minor
Milestone: 0.8.2
Component: api/general
Version: 0.8.1
Keywords: file router permissions
Cc:
Parent Tickets:
Sensitive: no

Description

Problem:
The 0.8.1 release contains…, for increased security, files created by the router [which] will now be readable only by the owner (mode 600). First, I would like to mention that this update has the potential to increase security for general users, but it needs to be an *option* that users can turn off and turn on.

Details:
Having I2P automatically set the permissions of files created by the router has many drawbacks.

For example, if a user wants to run I2P as su/sudo/root to allow I2P to listen on ports less than 1024, such as some ports that are unblocked in certain countries, files would be written with root permission. This is a problem when a user's I2P folder is located at /home/username/I2P. Having all files created by the router as root would mean that torrents, eepsite files (uploaded by I2P users), and configuration files, such as the wrapper.config, would only be accessible by root, and not by the user. Many of these files change often, and the user would be left changing their permissions constantly.

Solution: Leave file permissions up to the user and their operating system in some fashion.

Contact: anonymous@… or I2P-Bote anonymous@UiOyDubkXv?-51aN3YhnKxmMmasa5zBujBUoxXSXUWZmVVRV2A12hHJZYGdAHTrIvjZe6ijXA4m1QmUlxJTtBsWMx1IQeamlXRtfLRHc0UULa-J4ZLhGr~KFuqh51QydTgk~92B3wop3Fq8NpS~lXyBtc3OpjP~E5hU48TKigV1BcZ7fMt3Y9ENlJW0oEXqX2Hc5qK~j67iC52pz1jWVi5SqqZ2cnRgAO6ur7eAFrW9LE5JVKj4f4XzatXPa-WlxFdgXbt6PIIPQtYilkTHNHjpOzOwCKELGmDrKJrmKUmHNEdYtXFcW5Z2J-TziD3SDDzeUVb7gi1-Lr2fgOgXi1MdN-~l7dfy-MbO2izmIIim7zFVyICTem~5BEIq9FCF67j~9mHQDjroqFDgVVuvoZg-Z1SfIgyBTz32AlPElO21hsYpeXFbqJOScCDutgEgGpNI5pH2McC-rQU0pABw~hJd4XbtDfNYLigB~wokIfpXi77jOpdvLr-ojIFEWrgS

Change History (4)

comment:1 Changed 9 years ago by zzz

Component: changed from router/data to router/general
Milestone: changed from 0.8.1 to 0.8.2
Owner: set to zzz
Priority: changed from major to minor
Status: changed from new to assigned

Seems like there should be a better way than running i2p as root. Maybe some port-mapping thing in iptables or the external firewall, where an internal high port is mapped to an external low port?

Anyway, I'll look into adding a config option. But I still think it's nuts to run as root.

comment:2 Changed 9 years ago by zzz

Version: changed from 0.8 to 0.8.1

comment:3 Changed 9 years ago by anonymous@…

For Debian/Ubuntu users, there is a program called privbind. I haven't used it, but it might solve the problem. I still think the user should have the option to enable permission changes, not a program by itself.

comment:4 Changed 9 years ago by zzz

Component: changed from router/general to api/general
Resolution: set to fixed
Status: changed from assigned to closed

Support checked in as 0.8.1-3.

Set i2p.insecureFiles=true in advanced configuration.
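
The behaviour discussed in this ticket (owner-only files by default, with an opt-out) sketched as an added example; it is not I2P's code and not part of the ticket. It assumes the setting is visible as a JVM system property named i2p.insecureFiles, and the class and file names are hypothetical.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added illustration, not I2P's implementation. Class and file names are hypothetical.
public class OwnerOnlyFiles {

    // Assumption: the opt-out from the ticket is visible as a JVM system property.
    static boolean insecureFiles() {
        return Boolean.getBoolean("i2p.insecureFiles");
    }

    static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // Creates a new file for writing: mode 600 by default, OS/umask default when opted out.
    static OutputStream create(Path p) throws IOException {
        if (insecureFiles() || !posix()) {
            // Opt-out, or a file system without POSIX modes: let the umask/OS decide.
            return Files.newOutputStream(p, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        }
        // Set the mode at creation time so the file is never briefly readable by
        // group/other, which a create-then-chmod sequence would allow.
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
            PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
        Files.createFile(p, ownerOnly);
        return Files.newOutputStream(p, StandardOpenOption.WRITE);
    }

    public static void main(String[] args) throws IOException {
        Path f = Files.createTempDirectory("perm-demo").resolve("sample.dat"); // constructed path
        try (OutputStream out = create(f)) {
            out.write("constructed sample data\n".getBytes(StandardCharsets.UTF_8));
        }
        String mode = posix()
            ? PosixFilePermissions.toString(Files.getPosixFilePermissions(f))
            : "(no POSIX modes on this file system)";
        System.out.println(f + " " + mode + " insecureFiles=" + insecureFiles());
    }
}
```

Running it with `-Di2p.insecureFiles=true` prints the umask-derived mode instead of `rw-------`; the file's owner is still whichever account started the JVM.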
