Bug: Ensure tor exit is disabled properly

Simply disabling exit policies is not enough to disable an exit node, it also
needs to be explicitly disabled. This may change in future versions of tor, but
for now, explicitly adding 'ExitRelay 0' to the configuration is needed. This
fixes #8863.

diff --git a/puppet/modules/site_tor/manifests/disable_exit.pp b/puppet/modules/site_tor/manifests/disable_exit.pp
index 078f80a..85c24bf 100644 (file)
--- a/puppet/modules/site_tor/manifests/disable_exit.pp
+++ b/puppet/modules/site_tor/manifests/disable_exit.pp
@@ -1,7 +1,13 @@
+# ensure that the tor relay is not configured as an exit node
 class site_tor::disable_exit {
   tor::daemon::exit_policy {
     'no_exit_at_all':
       reject => [ '*:*' ];
   }
+# In a future version of Tor, ExitRelay 0 may become the default when no ExitPolicy is given.
+  tor::daemon::snippet {
+    'disable_exit':
+      content => 'ExitRelay 0';
+  }
 }