A post was split to a new topic: Onion Services DDOS Defense Tor 0.4.2.5
No dice with either or both of the permission change commands.
Output:
ls: cannot open directory '/var/lib/tor': Permission denied
user@host:~$ ls -la /var/lib/tor/hidden_service/
ls: cannot access '/var/lib/tor/hidden_service/': Permission denied
1 Like
ls failing as user is actually expected. Upstream default. Needs to run with sudo.
sudo ls âŚ
1 Like
Also try:
sudo chmod --recursive g-rwx /var/lib/tor
That removes read/write/execute permissions for group members (of debian-tor) too. I donât know which files in /var/lib/tor - if any - might require read/write access by group debian-tor members. Maybe none.
1 Like
user@host:~$ sudo ls -la /var/lib/tor
total 5964
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 .
drwxr-xr-x 35 root root 4096 Dec 7 ..
-rw------- 1 debian-tor debian-tor 20442 Dec 7 cached-certs
-rw------- 1 debian-tor debian-tor 2053723 Dec 19 cached-microdesc-consensus
-rw------- 1 debian-tor debian-tor 3999110 Dec 19 cached-microdescs
-rw------- 1 debian-tor debian-tor 0 Dec 19 cached-microdescs.new
drwx--Sr-x 3 root debian-tor 4096 Dec 19 hidden_service
drwx--S--- 2 debian-tor debian-tor 4096 Dec 7 keys
-rw------- 1 debian-tor debian-tor 0 Dec 19 lock
-rw------- 1 debian-tor debian-tor 9681 Dec 19 state
user@host:~$ sudo ls -la /var/lib/tor/hidden_service/
total 12
drwx--Sr-x 3 root debian-tor 4096 Dec 19 .
drwx--S--- 4 debian-tor debian-tor 4096 Dec 19 ..
drwx--Sr-x 2 root debian-tor 4096 Dec 19 authorized_clients
user@host:~$
1 Like
Still fails to reload
1 Like
Why is it still owned by root?
Did you run
sudo chown --recursive debian-tor:debian-tor /var/lib/tor
?
I just tried it again and now and this its not going anywhere.
checked the dir list and everything is debian-tor:debian-tor. So while something may have been overlooked last time, it isnât the reason now.
1 Like
These are only linux file permissions. Should be very much repairable.
Delete that folder.
sudo rm -r /var/lib/tor/hidden_service
At least that fixes that startup issue?
Maybe we shouldnât write to /var/lib/tor with root ever? Prefix all actions with sudo -u debian-tor ...?
Delete whole folder /var/lib/tor. apt purge tor, reinstall tor?
1 Like
No
Perhaps. I applied it to this step:
sudo -u debian-tor mkdir -p /var/lib/tor/hidden_service/authorized_clients/
Doesnât work here though. Prpbably more steps need modification?
sudo cp some-client.auth /var/lib/tor/hidden_service/authorized_clients/
1 Like
How can I reinstall when gw connection depends on Tor? Maybe convert an installed package to a .deb, but then this doesnât solve the mystery of why it breaks
1 Like
The mistery can be solved. Create a snapshot or copy of that VM. And/or (very much useful anyhow), record all permissions.
sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G"
Write permissions into file ~/old.
sudo find /var/lib/tor | sudo xargs stat -c "%n %a %U %G" > ~/old
This is what I have:
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
Itâs a risky operation for sure. Keep a snapshot.
Might not work in Qubes-Whonix due to folder /var/lib/tor in bind-dirs.
Should work in Non-Qubes-Whonix.
apt download tor
sudo systemctl stop tor@default
sudo dpkg --purge --force-all tor
sudo dpkg -i tor*deb
1 Like
I donât know how to do that without a following chown / chmod which didnât work great.
Not sure if entirely sane / best practice but we could try this approach:
Open a shell as user debian-tor.
sudo -u debian-tor bash
Then no more sudo, chown, chmod required.
Home folder of user debian-tor is /var/lib/tor. Does not even need cd /var/lib/tor. Then all files should have correct permissions.
1 Like
Permissions before and after applying the instructions. I couldnât apply many of them under debian-tor bash user because sudo access is restricted for this account.
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
/var/lib/tor 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs.new 600 debian-tor debian-tor
/var/lib/tor/state 600 debian-tor debian-tor
/var/lib/tor/hidden_service 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients 2755 debian-tor debian-tor
/var/lib/tor/hidden_service/authorized_clients/some-client.auth 644 debian-tor debian-tor
/var/lib/tor/keys 2700 debian-tor debian-tor
/var/lib/tor/cached-microdescs 600 debian-tor debian-tor
/var/lib/tor/cached-certs 600 debian-tor debian-tor
/var/lib/tor/cached-microdesc-consensus 600 debian-tor debian-tor
/var/lib/tor/lock 600 debian-tor debian-tor
The idea is once you are debian-tor you wonât need any sudo.
1 Like
Fixed instructions.
sudo apt-get install sudo apt install
->
sudo apt-get install basez
Following instructions on Onion Services - Whonix from top to bottom will currently fail.
file_name="/var/lib/tor/hidden_service/hostname"
hostname="$(sudo cat "$file_name" | str_replace .onion "")"
cat: /var/lib/tor/hidden_service/hostname: No such file or directory
This is because Tor wasnât restarted/reload yet which only happens in a later step using sudo service tor@default reload.
We could reload Tor earlier but then there would be a time during the onion service active on the Tor network without authentication enabled yet. Would that be a problem?
1 Like
Working on automation for this.
Could you have a look at this script please?
sudoedit /usr/bin/anon-auth-autogen
For copy/paste
https://raw.githubusercontent.com/Whonix/anon-gw-anonymizer-config/master/usr/bin/anon-auth-autogen
sudo chmod +x /usr/bin/anon-auth-autogen
It has reasonable defaults.
sudo anon-auth-autogen
This uses folder /var/lib/tor/hidden_service and Tor config file /usr/local/etc/torrc.d/43_test_hs_autogen.conf.
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 80 10.137.0.102:80
HiddenServiceVersion 3
Example:
INFO: Created torconffile â/usr/local/etc/torrc.d/43_hidden_service_hs_autogen.confâ.
INFO: Copied client_authorization_full_path â/var/lib/tor_autogen/hidden_service/1.authâ to â/var/lib/tor_autogen/hidden_service/1.authâ.
INFO: You probably want to provide client â1â with auth_private_file â/var/lib/tor_autogen/hidden_service/1.auth_privateâ for hsname âhidden_serviceâ onion_url âsome.onionâ.
All variables are configureable.
sudo virtport=80 hsport=80 hsname=hidden_service client=1 anon-auth-autogen
For example by changing client=1 to client=2 a second visitor credential pair could be created.
sudo virtport=80 hsport=80 hsname=hidden_service client=2 anon-auth-autogen
The script is not in any Whonix repository yet. This script requires Whonix 15 with testers repository because only that has ârealâ support for torrc.d.
1 Like
Shouldnât be since nothing can connect to the service without knowing its address. No race condition there. If this was part of adding a new authenticated user then service access may be temporarily disrupted for those already enrolled?
1 Like
In theory, no. (systemd) unit action reload (other than restart) keeps the (Tor) process running and only reloads the config. It should not result in service / connection interruptions.
1 Like