sys-whonix can't connect to Tor / /var/lib/tor owned by sdwdate:kvm permission bug

Yesterday I did a clean install of the Whonix template (workstation and gateway) and now sys-whonix can’t connect to Tor. I ran sdwdate-gui to sync the time before I executed the following commands.

$ sudo whonixsetup

“sudo service tor@default status” returned non-zero exit code , which means Tor does NOT work.

Maybe your Whonix-Gateway has only one network card attached? Most likely there is something wrong with your /etc/tor/torrc.

You can try to manually edit /etc/tor/torrc:

Start Menu -> Applications -> Torrc

Running:

sudo service tor@default restart

might help with troubleshooting.

$ sudo service tor@default restart

Job for tor@default.service failed. See ‘systemctl status tor@default.service’ and ‘journalctl -xn’ for details.

$ systemctl status tor@default.service
> ● tor@default.service - Anonymizing overlay network for TCP
> Loaded: loaded (/lib/systemd/system/tor@default.service; static)
> Active: failed (Result: start-limit) since Fri 2016-06-10 16:40:24 UTC; 6s ago
> Process: 9869 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=1/FAILURE)
> Process: 9866 ExecStartPre=/usr/bin/install -Z -m 02750 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)

$ journalctl -xn

No journal files were found

$ cat /etc/tor/torrc

# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos at riseup dot net>
# See the file COPYING for copying conditions.
# Use this file for your user customizations.
# Please see /etc/tor/torrc.examples for help, options, comments etc.
# Anything here will override Whonix's own Tor config customizations in
# /usr/share/tor/tor-service-defaults-torrc
# Enable Tor through whonixsetup or manually uncomment "#DisableNetwork 0" by
# removing the # in front of it.
DisableNetwork 0

I can now use whonixcheck after running whonixsetup.

$ whonixcheck

[INFO] [whonixcheck] sys-whonix | Whonix-Gateway | whonix-gw Template-Based ProxyVM | Fri Jun 10 16:46:04 UTC 2016
[ERROR] [whonixcheck] Tor Config Check Result:
Your /etc/tor/torrc file contains at least one error.
(Tor exit code: 1)
Tor reports:
Jun 10 16:46:06.876 [notice] Tor v0.2.7.6 (git-605ae665009853bd) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t and Zlib 1.2.8.
Jun 10 16:46:06.876 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 10 16:46:06.876 [notice] Read configuration file "/etc/tor/torrc".
Jun 10 16:46:06.879 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Jun 10 16:46:06.879 [warn] Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor/.tor"
Jun 10 16:46:06.879 [err] Reading config failed--see warnings above.
You have to fix this error, before you can use Tor.
Try to look at this report yourself by running.
dom0 -> Start Menu -> ServiceVM: sys-whonix -> Terminal
sudo -u debian-tor tor --verify-config
And.
sudo -u debian-tor tor --verify-config -f /etc/tor/torrc
To try to fix this, please open your Tor config file.
    dom0 -> Start Menu -> ServiceVM: sys-whonix -> Torrc
    or in Terminal: sudo nano /etc/tor/torrc
Please restart Tor after fixing this error.
    dom0 -> Start Menu -> ServiceVM: sys-whonix -> Restart Tor
    or in Terminal: sudo service tor@default restart
Restart whonixcheck after fixing this error.
    dom0 -> Start Menu -> ServiceVM: sys-whonix -> Whonix Check
    or in Terminal: whonixcheck
If you know what you are doing or if this is a false positive, feel free to disable this check.
Create a file /etc/whonix.d/50_whonixcheck_user and add:
whonixcheck_skip_functions+=" check_tor_config "
user@host:~$ cat /etc/tor/torrc
# This file is part of Whonix
# Copyright (C) 2012 - 2013 adrelanos <adrelanos at riseup dot net>
# See the file COPYING for copying conditions.
# Use this file for your user customizations.
# Please see /etc/tor/torrc.examples for help, options, comments etc.
# Anything here will override Whonix's own Tor config customizations in
# /usr/share/tor/tor-service-defaults-torrc
# Enable Tor through whonixsetup or manually uncomment "DisableNetwork 0" by
# removing the # in front of it.
DisableNetwork 0

$ sudo -u debian-tor tor --verify-config

Jun 10 16:50:07.808 [notice] Tor v0.2.7.6 (git-605ae665009853bd) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t and Zlib 1.2.8.
Jun 10 16:50:07.808 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 10 16:50:07.808 [notice] Read configuration file "/etc/tor/torrc".
Jun 10 16:50:07.811 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Jun 10 16:50:07.811 [warn] Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor/.tor"
Jun 10 16:50:07.811 [err] Reading config failed--see warnings above.

$ sudo -u debian-tor tor --verify-config -f /etc/tor/torrc

Jun 10 16:51:26.821 [notice] Tor v0.2.7.6 (git-605ae665009853bd) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1t and Zlib 1.2.8.
Jun 10 16:51:26.821 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jun 10 16:51:26.821 [notice] Read configuration file "/etc/tor/torrc".
Jun 10 16:51:26.823 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Jun 10 16:51:26.823 [warn] Failed to parse/validate config: Couldn't access/create private data directory "/var/lib/tor/.tor"
Jun 10 16:51:26.823 [err] Reading config failed--see warnings above.

Check Tor logs for error messages.

( Tor - Whonix )

Disregard my last message. I did not notice you edited your message.

This required sudo btw. Not required at the moment.

More answers soon…

I wonder how you managed to get a /var/lib/tor/.tor folder? Did you try to restore a file backup?

Please run the following command.

sudo ls -la /var/lib/tor

The following command should fix the permission issues.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor
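
A read-only check to run before and after the chown above, added here as an example; it is not part of the original thread or of Whonix's own tooling. It lists every entry under the Tor data directory that is not owned by the expected account, printing numeric IDs next to the names. The function names and the "check" argument are hypothetical, the path and the debian-tor account are the ones shown in this thread, and GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not Whonix code): report ownership mismatches under the
# Tor data directory. Defaults are the values shown in the thread.
TOR_DIR=${TOR_DIR:-/var/lib/tor}
TOR_USER=${TOR_USER:-debian-tor}
TOR_GROUP=${TOR_GROUP:-debian-tor}

# list_mismatches DIR USER GROUP
# Prints every entry (DIR itself included) not owned by USER:GROUP.
# USER and GROUP may be names or numeric IDs. Exit status is find's.
list_mismatches() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# report DIR USER GROUP
# Returns 0 if ownership is consistent, 1 if mismatches exist, 2 if the
# scan itself failed (unreadable directory, unknown user or group).
report() {
    out=$(list_mismatches "$1" "$2" "$3") || {
        echo "ERROR: cannot scan $1 as $2:$3" >&2
        return 2
    }
    if [ -z "$out" ]; then
        echo "OK: every entry under $1 is owned by $2:$3"
        return 0
    fi
    n=$(printf '%s\n' "$out" | wc -l | tr -d ' ')
    echo "MISMATCH: $n entries under $1 are not owned by $2:$3"
    echo "uid:gid (user:group) mode path"
    # The filesystem stores numeric IDs; the names are looked up at
    # display time, so both are printed for each mismatched entry.
    find "$1" \( ! -user "$2" -o ! -group "$3" \) \
        -exec stat -c '%u:%g (%U:%G) %A %n' {} +
    return 1
}

# Run against the real directory only when asked to, for example:
#   sudo sh check-tor-owner.sh check
case "${1:-}" in
    check) report "$TOR_DIR" "$TOR_USER" "$TOR_GROUP" ;;
esac
```

A return status of 2 means the scan itself failed and says nothing about ownership; on the directory listed in this thread (mode drwx--S---) the check needs root to read it.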

No. I just wanted to reinstall Whonix to get a clean workstation template. I’ve never touched whonix-gw or sys-whonix.

  1. Cloned whonix-gw
  2. Changed sys-whonix’s template to the clone (whonix-gw-old)
  3. Removed Whonix templates
  4. Installed Whonix templates
  5. Changed sys-whonix’s template back to whonix-gw

total 8520
drwx--S---  2 sdwdate kvm     4096 Jun  9 20:26 .
drwxr-xr-x 50 root    root    4096 Jun 10 08:33 ..
-rw-------  1 sdwdate kvm    20442 Jun  5 06:01 cached-certs
-rw-------  1 sdwdate kvm  1398944 Jun  9 20:19 cached-microdesc-consensus
-rw-------  1 sdwdate kvm  6937506 Jun  9 06:22 cached-microdescs
-rw-------  1 sdwdate kvm   345295 Jun  9 20:21 cached-microdescs.new
-rw-------  1 sdwdate kvm        0 Jun  9 19:31 lock
-rw-------  1 sdwdate kvm     3538 Jun  9 20:26 state

It did the magic! Works now without any problems.

I have been able to reproduce this issue and was investigating.

python-stem might mess up permissions in /var/lib/tor folder?
https://www.whonix.org/pipermail/whonix-devel/2016-June/000653.html

I’ve experienced this /var/lib/tor permission issue myself today. Starting fresh with all Whonix templates and Whonix-based VMs using a fresh build. Since then I was unable to reproduce this. Added two enhancements to ease debugging this which will be deployed in Whonix 14.

Reproduced this issue by accident:

  1. Installed clean Qubes 3.1 including Whonix Templates.
  2. Created sys-whonix ProxyVM.
  3. Updated all Templates + dom0.
  4. Encountered Meta-Package warning, then remembered that Qubes 3.1 still installs Whonix 12.
  5. Reassigned sys-whonix to temporary Template.
  6. Removed Whonix 12 Templates.
  7. Installed Whonix 13 Templates.
  8. Attached existing sys-whonix to new Whonix 13 Template.
  9. Starting sys-whonix produced this exact issue.

Edit: Wrong order 2<->3
