gandalf/secubox-openwrt
gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(tor-shield): Multiple bug fixes for control socket and startup

Browse Source 
- Fix subshell bug in get_circuits (pipe loses JSON state)
- Add has_control flag to status for frontend awareness
- Fix UseBridges without bridge lines causing Tor to fail
- Fix hidden service directory ownership (tor:tor)
- Change log output from file to syslog
- Fix run directory ownership and permissions (700)
- Add CookieAuthentication for control socket auth
- Use socat instead of nc (BusyBox lacks Unix socket support)
- Add socat as package dependency
- Optimize duplicate curl calls in status check
- Use fallback IP services for real_ip detection

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
CyberMind-FR 2026-01-25 09:05:18 +01:00
parent cc86aa7f84
commit 0c54940010
3 changed files with 96 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
package/secubox/luci-app-tor-shield/root/usr/libexec/rpcd/luci.tor-shield
View File

@ -7,22 +7,47 @@
. /usr/share/libubox/jshn.sh
CONFIG="tor-shield"
TOR_CONTROL="/var/run/tor/control"
TOR_RUN="/var/run/tor"
TOR_CONTROL="$TOR_RUN/control"
TOR_DATA="/var/lib/tor"
# Send command to Tor control socket
# Send command to Tor control socket with cookie auth
tor_control() {
if [ ! -S "$TOR_CONTROL" ]; then
return 1
fi
echo -e "$1" | nc -U "$TOR_CONTROL" 2>/dev/null
# Read cookie for authentication
local cookie=""
local cookie_file="$TOR_RUN/control_auth_cookie"
if [ -f "$cookie_file" ]; then
cookie=$(hexdump -e '32/1 "%02x"' "$cookie_file" 2>/dev/null)
fi
# Use socat for Unix socket (BusyBox nc doesn't support -U)
# Send AUTHENTICATE first, then the actual command
{
[ -n "$cookie" ] && echo "AUTHENTICATE $cookie"
echo "$1"
} | socat - UNIX-CONNECT:"$TOR_CONTROL" 2>/dev/null
}
# Check if Tor is running
# Check if Tor is running (via tor-shield, not just any tor process)
is_running() {
# Check for tor-shield's pid file first
if [ -f "$TOR_RUN/tor.pid" ]; then
local pid=$(cat "$TOR_RUN/tor.pid" 2>/dev/null)
[ -n "$pid" ] && [ -d "/proc/$pid" ] && return 0
fi
# Fallback to checking any tor process
pgrep tor >/dev/null 2>&1
}
# Check if tor-shield control socket is available
has_control() {
[ -S "$TOR_CONTROL" ]
}
# Get bootstrap percentage
get_bootstrap() {
local status=$(tor_control "GETINFO status/bootstrap-phase")
@ -49,23 +74,30 @@ get_status() {
# Running state
if is_running; then
json_add_boolean "running" 1
json_add_boolean "has_control" "$(has_control && echo 1 || echo 0)"
# Bootstrap percentage
local bootstrap=$(get_bootstrap)
# Bootstrap percentage (only if control socket available)
local bootstrap=0
if has_control; then
bootstrap=$(get_bootstrap)
fi
json_add_int "bootstrap" "${bootstrap:-0}"
# Get exit IP if bootstrapped
if [ "$bootstrap" -ge 100 ]; then
local socks_port
config_get socks_port socks port '9050'
local exit_ip=$(curl -s --max-time 10 --socks5-hostname 127.0.0.1:$socks_port https://check.torproject.org/api/ip 2>/dev/null | jsonfilter -e '@.IP' 2>/dev/null)
# Single curl call for both IP and IsTor
local tor_check=$(curl -s --max-time 10 --socks5-hostname 127.0.0.1:$socks_port https://check.torproject.org/api/ip 2>/dev/null)
local exit_ip=$(echo "$tor_check" | jsonfilter -e '@.IP' 2>/dev/null)
json_add_string "exit_ip" "${exit_ip:-unknown}"
# Check if using Tor
local is_tor=$(curl -s --max-time 10 --socks5-hostname 127.0.0.1:$socks_port https://check.torproject.org/api/ip 2>/dev/null | jsonfilter -e '@.IsTor' 2>/dev/null)
local is_tor=$(echo "$tor_check" | jsonfilter -e '@.IsTor' 2>/dev/null)
json_add_boolean "is_tor" "$([ "$is_tor" = "true" ] && echo 1 || echo 0)"
# Get circuit count
# Get circuit count (only if control available)
if has_control; then
local circuits=$(tor_control "GETINFO circuit-status" | grep -c "BUILT" 2>/dev/null)
json_add_int "circuit_count" "${circuits:-0}"
@ -74,10 +106,15 @@ get_status() {
local bw_written=$(tor_control "GETINFO traffic/written" | grep "250" | awk '{print $2}')
json_add_int "bytes_read" "${bw_read:-0}"
json_add_int "bytes_written" "${bw_written:-0}"
else
json_add_int "circuit_count" 0
json_add_int "bytes_read" 0
json_add_int "bytes_written" 0
fi
fi
# Uptime from pid file
local pidfile="/var/run/tor/tor.pid"
local pidfile="$TOR_RUN/tor.pid"
if [ -f "$pidfile" ]; then
local pid=$(cat "$pidfile")
if [ -d "/proc/$pid" ]; then
@ -88,6 +125,7 @@ get_status() {
fi
else
json_add_boolean "running" 0
json_add_boolean "has_control" 0
json_add_int "bootstrap" 0
fi
@ -98,9 +136,11 @@ get_status() {
json_add_boolean "bridges_enabled" "$bridges_enabled"
json_add_string "bridge_type" "$bridge_type"
# Get real IP
local real_ip=$(curl -s --max-time 5 https://ipinfo.io/ip 2>/dev/null)
json_add_string "real_ip" "${real_ip:-unknown}"
# Get real IP (try multiple services as fallback)
local real_ip=$(curl -s --max-time 5 https://api.ipify.org 2>/dev/null)
[ -z "$real_ip" ] && real_ip=$(curl -s --max-time 5 https://ifconfig.me/ip 2>/dev/null)
[ -z "$real_ip" ] && real_ip="unknown"
json_add_string "real_ip" "$real_ip"
json_dump
}
@ -172,9 +212,18 @@ get_circuits() {
return
fi
local circuits=$(tor_control "GETINFO circuit-status")
# Check if control socket exists
if [ ! -S "$TOR_CONTROL" ]; then
json_close_array
json_dump
return
fi
echo "$circuits" | grep "BUILT" | while read line; do
# Use temp file to avoid subshell issue with pipe
local TMP_CIRCUITS="/tmp/tor_circuits_$$"
tor_control "GETINFO circuit-status" | grep "BUILT" > "$TMP_CIRCUITS" 2>/dev/null
while read line; do
local id=$(echo "$line" | awk '{print $1}')
local status=$(echo "$line" | awk '{print $2}')
local path=$(echo "$line" | awk '{print $3}')
@ -189,7 +238,8 @@ get_circuits() {
# Parse path into nodes
json_add_array "nodes"
local IFS=','
local OLD_IFS="$IFS"
IFS=','
for node in $path; do
local fingerprint=$(echo "$node" | cut -d'~' -f1 | tr -d '$')
local name=$(echo "$node" | cut -d'~' -f2)
@ -199,12 +249,14 @@ get_circuits() {
json_add_string "name" "${name:-$fingerprint}"
json_close_object
done
IFS="$OLD_IFS"
json_close_array
json_close_object
fi
done
done < "$TMP_CIRCUITS"
rm -f "$TMP_CIRCUITS"
json_close_array
json_dump
}

2
package/secubox/secubox-app-tor/Makefile
View File

@ -22,7 +22,7 @@ define Package/secubox-app-tor
PKGARCH:=all
SUBMENU:=SecuBox Apps
TITLE:=SecuBox Tor Shield
DEPENDS:=+tor +tor-geoip +iptables +curl +jsonfilter
DEPENDS:=+tor +tor-geoip +iptables +curl +jsonfilter +socat
endef
define Package/secubox-app-tor/description

19
package/secubox/secubox-app-tor/files/etc/init.d/tor-shield
View File

@ -37,7 +37,8 @@ generate_torrc() {
config_get strict_nodes security strict_nodes '0'
mkdir -p "$TOR_RUN" "$TOR_DATA"
chmod 700 "$TOR_DATA"
chown tor:tor "$TOR_RUN" "$TOR_DATA"
chmod 700 "$TOR_RUN" "$TOR_DATA"
cat > "$TORRC" << EOF
# SecuBox Tor Shield - Auto-generated config
@ -46,9 +47,12 @@ generate_torrc() {
User tor
DataDirectory $TOR_DATA
PidFile $TOR_RUN/tor.pid
Log notice file /var/log/tor.log
Log notice syslog
ControlSocket $TOR_RUN/control
ControlSocketsGroupWritable 1
CookieAuthentication 1
CookieAuthFile $TOR_RUN/control_auth_cookie
CookieAuthFileGroupReadable 1
# SOCKS proxy
SocksPort $socks_addr:$socks_port
@ -79,8 +83,15 @@ VirtualAddrNetworkIPv4 10.192.0.0/10
EOF
fi
# Bridge configuration
# Bridge configuration - only enable if bridges are configured
if [ "$bridges_enabled" = "1" ]; then
# Count bridge lines first
BRIDGE_COUNT=0
count_bridge() { BRIDGE_COUNT=$((BRIDGE_COUNT + 1)); }
config_list_foreach bridges bridge_lines count_bridge
# Only add UseBridges if there are actual bridges configured
if [ "$BRIDGE_COUNT" -gt 0 ]; then
cat >> "$TORRC" << EOF
# Bridge mode
@ -89,6 +100,7 @@ EOF
# Add bridge lines from config
config_list_foreach bridges bridge_lines add_bridge_line
fi
fi
# Exit node restrictions
if [ -n "$exit_nodes" ]; then
@ -130,6 +142,7 @@ add_hidden_service() {
local hs_dir="$TOR_DATA/hidden_service_$name"
mkdir -p "$hs_dir"
chown tor:tor "$hs_dir"
chmod 700 "$hs_dir"
cat >> "$TORRC" << EOF