This one is still the case, in sys-whonix. Package versions for double checking if fix got included in the test: Qubes OS openQA: sut_packages.txt
2 Likes
and from a moment ago:
[ERROR] [systemcheck] Tor Config Check Result:
Your Tor config file contains at least one error.
(Tor exit code: 1)
Tor concise reports (below warns and errors must be fixed before you can use Tor):
Mar 16 21:09:14.115 [warn] Directory /home/user/.tor cannot be read: Permission denied
Mar 16 21:09:14.116 [warn] Failed to parse/validate config: Couldn't access private data directory "/home/user/.tor"
Mar 16 21:09:14.116 [err] Reading config failed--see warnings above.
Tor full reports:
Mar 16 21:09:14.110 [notice] Tor 0.4.8.13 running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.15, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Mar 16 21:09:14.110 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://support.torproject.org/faq/staying-anonymous/
Mar 16 21:09:14.110 [notice] Read configuration file "/etc/tor/torrc".
Mar 16 21:09:14.111 [notice] Processing configuration path "/etc/torrc.d/*.conf" at recursion level 1.
Mar 16 21:09:14.111 [notice] Including configuration file "/etc/torrc.d/60_network.conf".
Mar 16 21:09:14.111 [notice] Including configuration file "/etc/torrc.d/65_gateway.conf".
Mar 16 21:09:14.111 [notice] Including configuration file "/etc/torrc.d/65_leak_tests.conf".
Mar 16 21:09:14.111 [notice] Including configuration file "/etc/torrc.d/70_workstation.conf".
Mar 16 21:09:14.111 [notice] Processing configuration path "/usr/share/tor/tor-service-defaults-torrc.anondist" at recursion level 2.
Mar 16 21:09:14.111 [notice] Including configuration file "/usr/share/tor/tor-service-defaults-torrc.anondist".
Mar 16 21:09:14.112 [notice] Including configuration file "/etc/torrc.d/95_whonix.conf".
Mar 16 21:09:14.112 [notice] Processing configuration path "/usr/local/etc/torrc.d/*.conf" at recursion level 2.
Mar 16 21:09:14.112 [notice] Including configuration file "/usr/local/etc/torrc.d/40_tor_control_panel.conf".
Mar 16 21:09:14.112 [notice] Including configuration file "/usr/local/etc/torrc.d/50_user.conf".
Mar 16 21:09:14.114 [notice] You configured a non-loopback address '10.137.0.8:5300' for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 16 21:09:14.114 [notice] You configured a non-loopback address '10.137.0.8:9040' for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Mar 16 21:09:14.115 [warn] Directory /home/user/.tor cannot be read: Permission denied
Mar 16 21:09:14.116 [warn] Failed to parse/validate config: Couldn't access private data directory "/home/user/.tor"
Mar 16 21:09:14.116 [err] Reading config failed--see warnings above.
This is something new, I haven’t seen it before.
2 Likes
Actually, for the last one I have a diff of packages version from last good test (yesterday):
-whonix-gateway-17: ii dist-base-files 3:12.5-1 all base files for distributions
+whonix-gateway-17: ii dist-base-files 3:12.6-1 all base files for distributions
-whonix-gateway-17: ii helper-scripts 3:27.7-1 all Helper scripts useful for Linux Distributions
+whonix-gateway-17: ii helper-scripts 3:28.1-1 all Helper scripts useful for Linux Distributions
-whonix-gateway-17: ii initializer-dist 3:7.2-1 all Initializes Linux distributions, Release Upgrades and Legacy
+whonix-gateway-17: ii initializer-dist 3:7.3-1 all Initializes Linux distributions, Release Upgrades and Legacy
-whonix-gateway-17: ii open-link-confirmation 3:6.5-1 all Asks for confirmation before opening links
+whonix-gateway-17: ii open-link-confirmation 3:6.6-1 all Asks for confirmation before opening links
-whonix-gateway-17: ii privleap 3:2.6-1 all Limited privilege escalation framework
+whonix-gateway-17: ii privleap 3:2.7-1 all Limited privilege escalation framework
-whonix-gateway-17: ii setup-dist 3:10.9-1 all First Time Connection Setup
-whonix-gateway-17: ii setup-wizard-dist 3:11.5-1 all First Boot Setup
+whonix-gateway-17: ii setup-dist 3:11.1-1 all First Time Connection Setup
+whonix-gateway-17: ii setup-wizard-dist 3:11.6-1 all First Boot Setup
-whonix-gateway-17: ii systemcheck 3:33.5-1 all Anonymity and security check
+whonix-gateway-17: ii systemcheck 3:33.7-1 all Anonymity and security check
-whonix-gateway-17: ii usability-misc 3:26.2-1 all Misc usability improvements
+whonix-gateway-17: ii usability-misc 3:26.3-1 all
(- are good run, + are from bad run)
2 Likes
Thank you!
Diagnosed. We’ll be working on that next.
1 Like
BTW, the journal check in systemcheck looks super useful, I consider adding something similar to non-whonix tests too. Currently I have only a check looking for failed systemd services, but not the generic check for logs. Is there a way to run subset of systemcheck outside of whonix/kicksecure? It looks to have a few kicksecure-specific dependencies…
2 Likes
Glad you like it! 
Dependency on msgcollector, helper-scripts, privleap would make it difficult to use it truly standalone as in self-contained in a single repository.
However, it should be possible to install systemcheck on Debian because Kicksecure supports installation using Distribution Morphing - Transforming of a Linux Distribution into Another Linux Distribution (instructions: Install Kicksecure inside Debian).
Kicksecure Packages for Debian Hosts and Kicksecure Host Enhancements → sudo apt install systemcheck
Should there be any undocumented dependencies, issues running on Debian, I would look into it. Might not be hard to fix compatibility.
systemcheck also already supported to run only a select function using, example:
systemcheck --verbose --function check_journal
1 Like
I wonder about Fedora (and possibly others like Arch) templates too… I guess I can try.
2 Likes
Done. This is now in the testers repository.
1 Like
I’ve got this message again in today’s test in whonix-gateway-17 (but not sys-whonix?).
2 Likes
Cannot reproduce on Qubes R4.3 with a whonix-gateway-17 template fully updated from the bookworm-developers repos for Kicksecure and Whonix. I’m not aware of any recent changes that could have caused this - the last thing we added that creates directories under $TMPDIR was a malicious unicode scanner script, and that is never run automatically, so that’s almost certainly not the problem since the /tmp/user/1000 directory is getting hijacked before login.
(FWIW, in case this was a race condition, I tried to reproduce by booting the fully updated VM described above five or six times, running systemcheck --verbose for each boot. Could not get the issue to reproduce even once.)
2 Likes
I’ve reviewed, refactored all our code interacting with TMP and made sure to no longer write to it directly outside of mktemp. So this issue is hopefully fixed.
2 Likes