Onion Services Authentication

These lines are truncated.

sudo systemctl --no-pager status tor@default
sudo journalctl --no-pager -u tor@default

Tor Documentation for Whonix Users

anon-verify

Need to read the full error message. Forgot this step?

Fix owner permissions.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor/hidden_service


No, but I’ll take another crack and report logs properly.


This important setting was missing from the documentation:

ClientOnionAuthDir /var/lib/tor/hidden_service/authorized_clients/

Error still there but it’s a permissions thing:

Dec 17 :12 host systemd[1]: Reloading Anonymizing overlay network for TCP.
Dec 17 :12 host systemd[1]: Reloaded Anonymizing overlay network for TCP.
Dec 17 :12 host Tor[1093]: Received reload signal (hup). Reloading config and resetting internal state.
Dec 17 :12 host Tor[1093]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :12 host Tor[1093]: Read configuration file "/etc/tor/torrc".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :12 host Tor[1093]: Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :12 host Tor[1093]: Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :12 host Tor[1093]: Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :12 host Tor[1093]: Reading config failed--see warnings above. For usage, try -h.
Dec 17 :12 host Tor[1093]: Restart failed (config error?). Exiting.
Dec 17 :13 host systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
user@host:~$ 



user@host:~$ anon-verify
/===================================================================\
|                      Report Summary                               |
\===================================================================/
Your Tor config files contain at least one error.
Tor verify exit code: 1
/===================================================================\
|                    Tor Concise Report                             |
\===================================================================/
Below warns and errors must be fixed before you can use Tor:
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
|                      Tor Full Report                              |
\===================================================================/
Dec 17 :40.085 [notice] Tor 0.4.1.6 running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Dec 17 :40.085 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Dec 17 :40.086 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Dec 17 :40.086 [notice] Read configuration file "/etc/tor/torrc".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 2: "/usr/local/etc/torrc.d/50_user.conf".
Dec 17 :40.097 [notice] Included configuration file or directory at recursion level 1: "/etc/torrc.d/95_whonix.conf".
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.098 [notice] You configured a non-loopback address '10.152.152.10:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Dec 17 :40.099 [warn] Permissions on directory /var/lib/tor/hidden_service/ are too permissive.
Dec 17 :40.099 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Dec 17 :40.099 [err] Reading config failed--see warnings above.
/===================================================================\
|                 Used Tor Configuration Files                      |
\===================================================================/
5 files are used as Tor configuration files: 
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc /etc/torrc.d/95_whonix.conf /usr/local/etc/torrc.d/40_tor_control_panel.conf /usr/local/etc/torrc.d/50_user.conf
=====================================================================
user@host:~$

Try these two commands. One.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor

Two.

sudo chmod --recursive o-rwx /var/lib/tor

Otherwise please show

ls -la /var/lib/tor
ls -la /var/lib/tor/hidden_service/

It is here: Onion Services - Whonix


A post was split to a new topic: Onion Services DDOS Defense Tor 0.4.2.5

No dice with either or both of the permission change commands.

Output:

ls: cannot open directory '/var/lib/tor': Permission denied
user@host:~$ ls -la /var/lib/tor/hidden_service/
ls: cannot access '/var/lib/tor/hidden_service/': Permission denied

ls failing as user is actually expected. Upstream default. Needs to run with sudo.
sudo ls …


Also try:

sudo chmod --recursive g-rwx /var/lib/tor

That removes read/write/execute permissions for group members (of debian-tor) too. I don’t know which files in /var/lib/tor - if any - might require read/write access by group debian-tor members. Maybe none.

user@host:~$ sudo ls -la /var/lib/tor
total 5964
drwx--S---  4 debian-tor debian-tor    4096 Dec 19  .
drwxr-xr-x 35 root       root          4096 Dec  7  ..
-rw-------  1 debian-tor debian-tor   20442 Dec  7 cached-certs
-rw-------  1 debian-tor debian-tor 2053723 Dec 19 cached-microdesc-consensus
-rw-------  1 debian-tor debian-tor 3999110 Dec 19 cached-microdescs
-rw-------  1 debian-tor debian-tor       0 Dec 19 cached-microdescs.new
drwx--Sr-x  3 root       debian-tor    4096 Dec 19 hidden_service
drwx--S---  2 debian-tor debian-tor    4096 Dec  7 keys
-rw-------  1 debian-tor debian-tor       0 Dec 19 lock
-rw-------  1 debian-tor debian-tor    9681 Dec 19 state
user@host:~$ sudo ls -la /var/lib/tor/hidden_service/
total 12
drwx--Sr-x 3 root       debian-tor 4096 Dec 19 .
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 ..
drwx--Sr-x 2 root       debian-tor 4096 Dec 19 authorized_clients
user@host:~$

Still fails to reload


Why is it still owned by root?

Did you run

sudo chown --recursive debian-tor:debian-tor /var/lib/tor

?

I just tried it again and now it’s not going anywhere.

Checked the dir list and everything is debian-tor:debian-tor. So while something may have been overlooked last time, it isn’t the reason now.


These are only linux file permissions. Should be very much repairable.

Delete that folder.

sudo rm -r /var/lib/tor/hidden_service

At least that fixes that startup issue?

Maybe we shouldn’t write to /var/lib/tor with root ever? Prefix all actions with sudo -u debian-tor ...?

Delete whole folder /var/lib/tor. apt purge tor, reinstall tor?


No

Perhaps. I applied it to this step:

sudo -u debian-tor mkdir -p /var/lib/tor/hidden_service/authorized_clients/

Doesn’t work here though. Probably more steps need modification?

sudo cp some-client.auth /var/lib/tor/hidden_service/authorized_clients/


How can I reinstall when gw connection depends on Tor? Maybe convert an installed package to a .deb, but then this doesn’t solve the mystery of why it breaks


The mystery can be solved. Create a snapshot or copy of that VM. And/or (very much useful anyhow), record all permissions.

sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G"

Write permissions into file ~/old.

sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G" > ~/old

This is what I have:

/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor

It’s a risky operation for sure. Keep a snapshot.
Might not work in Qubes-Whonix due to folder /var/lib/tor in bind-dirs.
Should work in Non-Qubes-Whonix.

apt download tor
sudo systemctl stop tor@default
sudo dpkg --purge --force-all tor
sudo dpkg -i tor*deb

I don’t know how to do that without a following chown / chmod which didn’t work great.

Not sure if entirely sane / best practice but we could try this approach:

Open a shell as user debian-tor.

sudo -u debian-tor bash

Then no more sudo, chown, chmod required.

Home folder of user debian-tor is /var/lib/tor. Does not even need cd /var/lib/tor. Then all files should have correct permissions.


Permissions before and after applying the instructions. I couldn’t apply many of them under debian-tor bash user because sudo access is restricted for this account.

/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor

/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/hidden_service 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients/some-client.auth 644 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor

The idea is once you are debian-tor you won’t need any sudo.

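The thread works through the permission problem by hand: chown/chmod on /var/lib/tor, then recording `stat -c "%n %a %U %G"` output into ~/old to compare before and after. The script below is an added example, not code from the thread or from Whonix, that turns those two ideas into reusable shell functions: `record_perms` produces the same kind of listing the thread uses, `check_tor_perms` flags every entry Tor would report as "too permissive" (any group or other permission bit set, or an owner other than the Tor user; note that Tor does accept a group-readable HiddenServiceDir if `HiddenServiceDirGroupReadable 1` is set, which is not the case here), and `fix_tor_perms` applies the chown and chmod from the thread in one step. Note that the "after" listing above still shows hidden_service and authorized_clients at mode 2755 and some-client.auth at 644; the check flags exactly those three entries. The example assumes GNU find and stat (the thread's own `stat -c` invocation already does), and the `demo` function builds a scratch tree in a temporary directory instead of touching /var/lib/tor, so it can be run as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the Whonix thread): audit and repair the
# permissions Tor requires under its DataDirectory (/var/lib/tor).
# Assumes GNU find/stat, as the thread's own stat -c command does.

# Record "mode owner group path" for everything under DIR so a
# before/after listing can be diffed (cf. "~/old" in the thread).
record_perms() {
    find "$1" -exec stat -c '%a %U %G %n' {} +
}

# Print every entry under DIR that Tor rejects as "too permissive":
# any group/other permission bit set, or an owner other than OWNER.
# Returns 1 if at least one such entry exists, 0 if the tree is clean.
check_tor_perms() {
    dir=$1
    owner=$2
    bad=$(record_perms "$dir" | while read -r mode user group path; do
        # "0$mode" makes the shell parse stat's octal (e.g. 2755) as octal;
        # masking with 077 keeps only the group and other bits.
        if [ $(( 0$mode & 077 )) -ne 0 ] || [ "$user" != "$owner" ]; then
            printf '%s %s %s %s\n' "$mode" "$user" "$group" "$path"
        fi
    done)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Repair: hand the whole tree to OWNER:GROUP and strip group/other bits.
# This is the thread's chown --recursive plus chmod --recursive o-rwx and
# g-rwx in one step. chown needs root unless the files are already yours.
fix_tor_perms() {
    chown -R "$2:$3" "$1" && chmod -R go-rwx "$1"
}

# Stand-alone demo on a constructed scratch tree (not /var/lib/tor) that
# reproduces the failing state from the thread: 2755 directories and a
# 644 .auth file. Run as: sh this_script.sh demo
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/hidden_service/authorized_clients"
    chmod 2755 "$tmp/hidden_service" "$tmp/hidden_service/authorized_clients"
    : > "$tmp/hidden_service/authorized_clients/some-client.auth"
    chmod 644 "$tmp/hidden_service/authorized_clients/some-client.auth"
    echo "before:"; check_tor_perms "$tmp" "$(id -un)" || true
    fix_tor_perms "$tmp" "$(id -un)" "$(id -gn)"
    echo "after:"; check_tor_perms "$tmp" "$(id -un)" && echo "clean"
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then
    demo
fi
```

On a real system, run `check_tor_perms /var/lib/tor debian-tor` under sudo (the thread notes that plain `ls` on /var/lib/tor fails for an unprivileged user, and so will `find`), and keep the `record_perms` output from before and after the repair so a later regression can be diffed rather than guessed at.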