These lines are truncated.
sudo systemctl --no-pager status tor@default
sudo journalctl --no-pager -u tor@default
Tor Documentation for Whonix Users
anon-verify
Need to read the full error message. Forgot this step?
Fix owner permissions.
sudo chown --recursive debian-tor:debian-tor /var/lib/tor/hidden_service
No, but I’ll take another crack and report logs properly.
This important setting was missing from the documentation:
ClientOnionAuthDir /var/lib/tor/hidden_service/authorized_clients/
Error still there but it’s a permissions thing:
Dec 17 :12 host systemd[1]: Reloading Anonymizing overlay network for TCP.
Dec 17 :12 host systemd[1]: Reloaded Anonymizing overlay network for TCP.
Dec 17 :12 host Tor[1093]: Received reload signal (hup). Reloading config and resetting internal state.
Dec 17 :12 host Tor[1093]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :12 host Tor[1093]: Read configuration file "/etc/tor/torrc".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :12 host Tor[1093]: Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :12 host Tor[1093]: Reading config failed--see warnings above. For usage, try -h.
Dec 17 :12 host Tor[1093]: Restart failed (config error?). Exiting.
Dec 17 :13 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
user@host:~$
user@host:~$ anon-verify
/===================================================================\
| Report Summary |
\===================================================================/
Your Tor config files contain at least one error.
Tor verify exit code: 1
/===================================================================\
| Tor Concise Report |
\===================================================================/
Below warns and errors must be fixed before you can use Tor:
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
| Tor Full Report |
\===================================================================/
Dec 17 :40.085 [notice] Tor 0.4.1.6 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Dec 17 :40.085 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 17 :40.086 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :40.086 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
| Used Tor Configuration Files |
\===================================================================/
5 files are used as Tor configuration files:
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc /etc/torrc.d/95_whonix.conf /usr/local/etc/torrc.d/40_tor_control_panel.conf /usr/local/etc/torrc.d/50_user.conf
=====================================================================
user@host:~$
Try these two commands. One.
sudo chown --recursive debian-tor:debian-tor /var/lib/tor
Two.
sudo chmod --recursive o-rwx /var/lib/tor
Otherwise please show
ls -la /var/lib/tor
ls -la /var/lib/tor/hidden_service/
It is here: Onion Services - Whonix
No dice with either or both of the permission change commands.
Output:
ls: cannot open directory '/var/lib/tor': Permission denied
user@host:~$ ls -la /var/lib/tor/hidden_service/
ls: cannot access '/var/lib/tor/hidden_service/': Permission denied
ls failing as user is actually expected. Upstream default. Needs to run with sudo.
sudo ls …
Also try:
sudo chmod --recursive g-rwx /var/lib/tor
That removes read/write/execute permissions for group members (of debian-tor) too. I don’t know which files in /var/lib/tor - if any - might require read/write access by group debian-tor members. Maybe none.
user@host:~$ sudo ls -la /var/lib/tor
total 5964
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 .
drwxr-xr-x 35 root root 4096 Dec 7 ..
-rw------- 1 debian-tor debian-tor 20442 Dec 7 cached-certs
-rw------- 1 debian-tor debian-tor 2053723 Dec 19 cached-microdesc-consensus
-rw------- 1 debian-tor debian-tor 3999110 Dec 19 cached-microdescs
-rw------- 1 debian-tor debian-tor 0 Dec 19 cached-microdescs.new
drwx--Sr-x 3 root debian-tor 4096 Dec 19 hidden_service
drwx--S--- 2 debian-tor debian-tor 4096 Dec 7 keys
-rw------- 1 debian-tor debian-tor 0 Dec 19 lock
-rw------- 1 debian-tor debian-tor 9681 Dec 19 state
user@host:~$ sudo ls -la /var/lib/tor/hidden_service/
total 12
drwx--Sr-x 3 root debian-tor 4096 Dec 19 .
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 ..
drwx--Sr-x 2 root debian-tor 4096 Dec 19 authorized_clients
user@host:~$
Still fails to reload
Why is it still owned by root?
Did you run
sudo chown --recursive debian-tor:debian-tor /var/lib/tor
?
I just tried it again and now it’s not going anywhere. I checked the dir list and everything is debian-tor:debian-tor. So while something may have been overlooked last time, it isn’t the reason now.
These are only linux file permissions. Should be very much repairable.
Delete that folder.
sudo rm -r /var/lib/tor/hidden_service
At least that fixes that startup issue?
Maybe we shouldn’t write to /var/lib/tor with root ever? Prefix all actions with sudo -u debian-tor ...?
Delete whole folder /var/lib/tor. apt purge tor, reinstall tor?
No
Perhaps. I applied it to this step:
sudo -u debian-tor mkdir -p /var/lib/tor/hidden_service/authorized_clients/
Doesn’t work here though. Probably more steps need modification?
sudo cp some-client.auth /var/lib/tor/hidden_service/authorized_clients/
How can I reinstall when gw connection depends on Tor? Maybe convert an installed package to a .deb, but then this doesn’t solve the mystery of why it breaks
The mystery can be solved. Create a snapshot or copy of that VM. And/or (very much useful anyhow), record all permissions.
sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G"
Write permissions into file ~/old.
sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G" > ~/old
This is what I have:
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
It’s a risky operation for sure. Keep a snapshot.
Might not work in Qubes-Whonix due to folder /var/lib/tor in bind-dirs.
Should work in Non-Qubes-Whonix.
apt download tor
sudo systemctl stop tor@default
sudo dpkg --purge --force-all tor
sudo dpkg -i tor*deb
I don’t know how to do that without a following chown / chmod which didn’t work great.
Not sure if entirely sane / best practice but we could try this approach:
Open a shell as user debian-tor.
sudo -u debian-tor bash
Then no more sudo, chown, chmod required.
Home folder of user debian-tor is /var/lib/tor. Does not even need cd /var/lib/tor. Then all files should have correct permissions.
Permissions before and after applying the instructions. I couldn’t apply many of them under debian-tor bash user because sudo access is restricted for this account.
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/hidden_service 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients/some-client.auth 644 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
The idea is once you are debian-tor you won’t need any sudo.
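The two things this thread keeps doing by hand are recording the ownership and mode of everything under /var/lib/tor (the `find | xargs stat` snapshot above) and eyeballing the result for the condition Tor rejects (`hidden_service` at 2755, or still owned by root). The script below is an added example, not code from the thread, from Whonix or from Tor: it takes the same kind of snapshot and then flags any entry that is not owned by the Tor user or whose mode grants group/other access, which is what produced the "Permissions on directory ... are too permissive" warning in the logs. It assumes GNU find/stat, that the Tor user is debian-tor unless `TOR_USER` is set, and the file name `tor_perms.sh` in the usage comment is made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from Whonix/Tor: snapshot the
# ownership and mode of every entry under a Tor data directory and flag the
# two conditions the thread ran into: an entry not owned by the Tor user, and
# a mode that grants group/other access (Tor's "too permissive" complaint).
# Assumptions: GNU find/stat; the Tor user is debian-tor unless TOR_USER is set.

TOR_USER="${TOR_USER:-debian-tor}"

# One line per entry: "mode owner group path". The path goes last so a path
# containing spaces still reads back correctly (the thread used "%n %a %U %G").
snapshot_perms() {
    find "$1" -print0 | xargs -0 stat -c '%a %U %G %n' | sort -k4
}

# Returns 0 when the entry is owned by TOR_USER and its mode has no group or
# other bits. $mode is the octal string stat prints (e.g. 2755); the leading 0
# makes the shell parse it as octal, and & 0077 keeps only the group/other
# bits, so a setgid directory (2700, drwx--S---) is accepted while 2755 is not.
check_entry() {
    path="$1"; mode="$2"; owner="$3"
    rc=0
    if [ "$owner" != "$TOR_USER" ]; then
        echo "OWNER $path owned by $owner, expected $TOR_USER"
        rc=1
    fi
    if [ $(( 0$mode & 0077 )) -ne 0 ]; then
        echo "MODE  $path mode $mode grants group/other access"
        rc=1
    fi
    return $rc
}

# Audits a whole tree: prints each problem and returns 1 if any were found.
# This is stricter than Tor's own check for plain files, which matches the
# recursive chmod o-rwx / g-rwx commands used in the thread.
audit_tor_dir() {
    bad=0
    snapshot=$(snapshot_perms "$1")
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        check_entry "$path" "$mode" "$owner" || bad=$((bad + 1))
    done <<EOF
$snapshot
EOF
    echo "$bad entries need attention"
    [ "$bad" -eq 0 ]
}

# Example run (root is needed to read /var/lib/tor, as noted in the thread;
# tor_perms.sh is an assumed file name for this script):
#   sudo sh -c '. ./tor_perms.sh; audit_tor_dir /var/lib/tor'
```

Running `snapshot_perms /var/lib/tor > ~/old` before a change and diffing against a second snapshot afterwards gives the same before/after comparison the thread does by pasting listings, and `audit_tor_dir` answers directly whether the tree is in a state Tor will accept.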