Tor can't start (After Qubes Whonix templates Reinstall) - [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied

Hi, I’m running Whonix on Qubes (R4.0), but I assume this is more about Tor config than something else (but I’m not sure, maybe a critical template install error?).
Anyway, I just updated my Whonix templates (all of them) from 13 to 14 through the Uninstall - Install Guide way.
This is supposed to be complete and working now, but Tor on sys-whonix can’t start anymore:

ERROR: Tor Config Check Result:
Your Tor config file contains at least one error.
(Tor exit code: 1)
Tor concise reports (below warns and errors must be fixed before you can use Tor):
Oct 24 07:22:15.693 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Oct 24 07:22:15.693 [warn] Failed to parse/validate config: Couldn’t access private data directory “/var/lib/tor/.tor”
Oct 24 07:22:15.693 [err] Reading config failed–see warnings above.
Tor full reports:
Oct 24 07:22:15.690 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Oct 24 07:22:15.690 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Oct 24 07:22:15.690 [notice] Read configuration file “/etc/tor/torrc”.
Oct 24 07:22:15.693 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Oct 24 07:22:15.693 [warn] Failed to parse/validate config: Couldn’t access private data directory “/var/lib/tor/.tor”
Oct 24 07:22:15.693 [err] Reading config failed–see warnings above.
Try to look at this report yourself by running. dom0 → Start Menu → ServiceVM: sys-whonix → Terminal
sudo -u debian-tor tor --verify-config
To try to fix this, please open your Tor config file.
dom0 → Start Menu → ServiceVM: sys-whonix → Torrc
or in Terminal: sudo nano /usr/local/etc/torrc.d/50_user.conf

I’m wondering why this permission is now denied (aren’t templates supposed to still be unmodified just after install and working by default? But I guess I’m missing some knowledge about Qubes specifics).

How can I fix this to recover the initial working behavior?

Thanks a lot for your help.

Hi vimuz

Did you create new sys-whonix, anon-whonix VMs? Or are you using the older VMs from Whonix 13?

Hi, I did not create new ones. I followed Option 1a in
Uninstall Qubes-Whonix ™ and set all Whonix VMs’ templates to fedora during the Whonix uninstall, and thought the qubesctl command would handle switching them back by itself, as it is written that this command " - Configures sys-whonix and anon-whonix safely." (How-to: Install the Stable Version of Qubes-Whonix ™ 16).
But after the end of the whole process I realised the VMs’ templates were still set to fedora, and I manually switched them back to the new Whonix templates.

I’m quite glad it’s something known about VMs setting rather than just a Tor Config setting, it sounded like a little side effect of a wider problem.

So should I delete my VMs and create new ones?
Is there any command to do it properly?

Thank you very much.

vimuz:

Oct 24 07:22:15.693 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied

That folder /var/lib/tor/.tor has no place there. Wondering how it was
created. (If someone can figure out how users can possibly create that
folder, let me know.)

@vimuz could you try this please and see if that fixes it for you:

Tor Documentation for Whonix Users

Hi, I executed
sudo chown --recursive debian-tor:debian-tor /var/run/tor
then restarted Tor; still something wrong:

● tor@default.service - Anonymizing overlay network for TCP
Loaded: loaded (/lib/systemd/system/tor@default.service; static; vendor preset: enabled)
Drop-In: /lib/systemd/system/tor@default.service.d
└─30_qubes.conf, 40_obfs4proxy-workaround.conf, 40_qubes.conf, 50_controlsocket-workaround.conf
Active: activating (auto-restart) (Result: exit-code) since Thu 2018-10-25 09:51:05 UTC; 15ms ago
Process: 3986 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=1/FAILURE)
Process: 3984 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor (code=exited, status=0/SUCCESS)

Oct 25 09:51:05 host systemd[1]: tor@default.service: Unit entered failed state.
Oct 25 09:51:05 host systemd[1]: tor@default.service: Failed with result ‘exit-code’.

  • true 3
  • true ‘Feel free to close this window.’
  • sleep 86400

Nothing new actually

Oct 25 09:59:35.889 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Oct 25 09:59:35.889 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Oct 25 09:59:35.889 [notice] Read configuration file “/etc/tor/torrc”.
Oct 25 09:59:35.899 [warn] Directory /var/lib/tor/.tor cannot be read: Permission denied
Oct 25 09:59:35.899 [warn] Failed to parse/validate config: Couldn’t access private data directory “/var/lib/tor/.tor”
Oct 25 09:59:35.899 [err] Reading config failed–see warnings above.

Try to move that folder out of the way.

sudo mv /var/lib/tor/.tor /home/user/tor-strange-backup

Hi vimuz

Do you have any configuration options in /etc/tor/torrc? There should not be any.

Could you run this command please.

cat /etc/tor/torrc

Also, are you using Tor bridges or pluggable transport? If you are and are not in an area that censors Tor it might be easier to troubleshoot without those enabled. Please do not disable if you are in a censored area.

Please also apply:

Tor - Whonix

I’m using neither bridges nor pluggable transports.
I ran some cat commands; here are the results (I removed the usual comments to keep only the effective lines).

/etc/tor/torrc :

%include /etc/torrc.d/95_whonix.conf


/etc/torrc.d/95_whonix.conf :

%include /usr/local/etc/torrc.d/40_anon_connection_wizard.conf
%include /usr/local/etc/torrc.d/50_user.conf


/usr/local/etc/torrc.d/40_anon_connection_wizard.conf :

DisableNetwork 0


/usr/local/etc/torrc.d/50_user.conf is empty


/usr/share/tor/tor-service-defaults-torrc :

DataDirectory /var/lib/tor
PidFile /var/run/tor/tor.pid
RunAsDaemon 1
User debian-tor

ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
ControlSocketsGroupWritable 1
SocksPort unix:/var/run/tor/socks WorldWritable
SocksPort 9050

CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /var/run/tor/control.authcookie

Log notice file /var/log/tor/log

DisableNetwork 1

Log notice syslog
Log notice file /run/tor/log

mapaddress 1.1.1.1 k54ids7luh523dbi.onion
mapaddress 2.2.2.2 gbhpq7eihle4btsn.onion

VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1

TransPort 10.137.0.8:9040

DnsPort 10.137.0.8:5300 IsolateDestPort

SocksPort 10.137.0.8:9050
SocksPort 10.137.0.8:9100
SocksPort 10.137.0.8:9101 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9102 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9103 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9104
SocksPort 10.137.0.8:9105 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9106 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9107 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9108 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9109 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9110 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9111
SocksPort 10.137.0.8:9112
SocksPort 10.137.0.8:9113
SocksPort 10.137.0.8:9114 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9115 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9116 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9117 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9118 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9119
SocksPort 10.137.0.8:9120 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9121 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9122
SocksPort 10.137.0.8:9123
SocksPort 10.137.0.8:9124
SocksPort 10.137.0.8:9125

SocksPort 10.137.0.8:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth

SocksPort 10.137.0.8:9152 IsolateDestAddr IsolateDestPort

SocksPort 10.137.0.8:9153
SocksPort 10.137.0.8:9154
SocksPort 10.137.0.8:9155
SocksPort 10.137.0.8:9156
SocksPort 10.137.0.8:9157
SocksPort 10.137.0.8:9158
SocksPort 10.137.0.8:9159

SocksPort 10.137.0.8:9160 IsolateDestAddr
SocksPort 10.137.0.8:9161 IsolateDestAddr
SocksPort 10.137.0.8:9162 IsolateDestAddr
SocksPort 10.137.0.8:9163 IsolateDestAddr
SocksPort 10.137.0.8:9164 IsolateDestAddr
SocksPort 10.137.0.8:9165 IsolateDestAddr
SocksPort 10.137.0.8:9166 IsolateDestAddr
SocksPort 10.137.0.8:9167 IsolateDestAddr
SocksPort 10.137.0.8:9168 IsolateDestAddr
SocksPort 10.137.0.8:9169 IsolateDestAddr

SocksPort 10.137.0.8:9170 IsolateDestPort
SocksPort 10.137.0.8:9171 IsolateDestPort
SocksPort 10.137.0.8:9172 IsolateDestPort
SocksPort 10.137.0.8:9173 IsolateDestPort
SocksPort 10.137.0.8:9174 IsolateDestPort
SocksPort 10.137.0.8:9175 IsolateDestPort
SocksPort 10.137.0.8:9176 IsolateDestPort
SocksPort 10.137.0.8:9177 IsolateDestPort
SocksPort 10.137.0.8:9178 IsolateDestPort
SocksPort 10.137.0.8:9179 IsolateDestPort

SocksPort 10.137.0.8:9180 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9181 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9182 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9183 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9184 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9185 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9186 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9187 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9188 IsolateDestAddr IsolateDestPort
SocksPort 10.137.0.8:9189 IsolateDestAddr IsolateDestPort

TransPort 127.0.0.1:9041

DnsPort 127.0.0.1:5400

SocksPort 127.0.0.1:9100

SocksPort 127.0.0.1:9101 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9102 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9103 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9104
SocksPort 127.0.0.1:9105 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9106 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9107 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9108 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9109 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9110 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9111
SocksPort 127.0.0.1:9112
SocksPort 127.0.0.1:9113
SocksPort 127.0.0.1:9114 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9115 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9116 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9117 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9118 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9119
SocksPort 127.0.0.1:9120 IsolateDestAddr IsolateDestPort
SocksPort 127.0.0.1:9121 IsolateDestAddr IsolateDestPort

SocksPort 127.0.0.1:9122
SocksPort 127.0.0.1:9123
SocksPort 127.0.0.1:9124
SocksPort 127.0.0.1:9125
SocksPort 127.0.0.1:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth


And here is the anon-verify:

/===================================================================\
| Report Summary |
\===================================================================/
Your Tor config files contain at least one error.
Tor verify exit code: 1
/===================================================================\
| Tor Concise Report |
\===================================================================/
Below warns and errors must be fixed before you can use Tor:
Oct 25 16:35:39.651 [warn] Directory /var/lib/tor cannot be read: Permission denied
Oct 25 16:35:39.651 [warn] Failed to parse/validate config: Couldn’t access private data directory “/var/lib/tor”
Oct 25 16:35:39.651 [err] Reading config failed–see warnings above.
/===================================================================\
| Tor Full Report |
\===================================================================/
Oct 25 16:35:39.642 [notice] Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2, and Libzstd 1.1.2.
Oct 25 16:35:39.642 [notice] Tor can’t help you if you use it wrong! Learn how to be safe at Tor Project | Download
Oct 25 16:35:39.642 [notice] Read configuration file “/usr/share/tor/tor-service-defaults-torrc”.
Oct 25 16:35:39.642 [notice] Read configuration file “/etc/tor/torrc”.
Oct 25 16:35:39.649 [notice] You configured a non-loopback address ‘10.137.0.8:5300’ for DNSPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 25 16:35:39.649 [notice] You configured a non-loopback address ‘10.137.0.8:9040’ for TransPort. This allows everybody on your local network to use your machine as a proxy. Make sure this is what you wanted.
Oct 25 16:35:39.651 [warn] Directory /var/lib/tor cannot be read: Permission denied
Oct 25 16:35:39.651 [warn] Failed to parse/validate config: Couldn’t access private data directory “/var/lib/tor”
Oct 25 16:35:39.651 [err] Reading config failed–see warnings above.
/===================================================================\
| Used Tor Configuration Files |
\===================================================================/
5 files are used as Tor configuration files:
/usr/share/tor/tor-service-defaults-torrc /etc/tor/torrc /etc/torrc.d/95_whonix.conf /usr/local/etc/torrc.d/40_anon_connection_wizard.conf /usr/local/etc/torrc.d/50_user.conf
=====================================================================

mv: cannot stat ‘/var/lib/tor/.tor’: No such file or directory

Looks like the /var/lib/tor/.tor folder is gone now.

sudo chown --recursive debian-tor:debian-tor /var/run/tor
sudo mv /var/lib/tor/.tor /home/user/tor-strange-backup
sudo ls -la /var/lib/tor

Output of that?

user@host:~$ sudo chown --recursive debian-tor:debian-tor /var/run/tor
user@host:~$ sudo mv /var/lib/tor/.tor /home/user/tor-strange-backup
mv: cannot stat ‘/var/lib/tor/.tor’: No such file or directory
user@host:~$ sudo ls -la /var/lib/tor
total 7872
drwx--S--- 2 messagebus sdwdate 4096 Oct 23 21:09 .
drwxr-xr-x 40 root root 4096 Jul 17 18:37 ..
-rw------- 1 messagebus sdwdate 20442 Oct 16 17:15 cached-certs
-rw------- 1 messagebus sdwdate 2039492 Oct 23 19:43 cached-microdesc-consensus
-rw------- 1 messagebus sdwdate 5259537 Oct 21 11:00 cached-microdescs
-rw------- 1 messagebus sdwdate 704322 Oct 23 20:50 cached-microdescs.new
-rw------- 1 messagebus sdwdate 0 Oct 18 07:05 lock
-rw------- 1 messagebus sdwdate 17682 Oct 23 21:09 state

Wrong command. Sorry. Again please.

sudo chown --recursive debian-tor:debian-tor /var/lib/tor

Great! That is the one, Tor is working right now. Thanks a lot!
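
The `ls -la` listing above shows /var/lib/tor owned by messagebus:sdwdate rather than debian-tor, which is what the final chown corrects. The script below is an added example, not from the thread or from Whonix: it reports every entry under a Tor DataDirectory whose owner differs from the expected one. The function names `list_mismatches` and `audit_datadir` are hypothetical, GNU find/stat are assumed, and the mode check is this example's own assumption.

```shell
#!/bin/sh
# Added example: audit ownership of Tor's DataDirectory (GNU find/stat assumed).

# Print "owner:group mode path" for every entry under $1 not owned by $2.
list_mismatches() {
    find "$1" -exec stat -c '%U:%G %a %n' {} + 2>/dev/null |
        awk -v want="$2" '$1 != want'
}

# Exit status: 0 ok, 1 wrong owner, 2 directory missing, 3 mode too open.
audit_datadir() {
    dir=$1
    want=$2
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 2
    fi
    bad=$(list_mismatches "$dir" "$want")
    if [ -n "$bad" ]; then
        echo "entries under $dir not owned by $want:"
        echo "$bad"
        echo "fix used in the thread: chown --recursive $want $dir"
        return 1
    fi
    # Assumption of this example: no group/other access bits, matching the
    # drwx--S--- listing in the thread (octal 2700).
    mode=$(stat -c '%a' "$dir")
    case $mode in
        *00) ;;
        *) echo "$dir mode $mode grants group/other access"; return 3 ;;
    esac
    echo "$dir: ownership and mode look correct for $want"
    return 0
}

# Run only when called with arguments, e.g. (as root):
#   sh audit.sh /var/lib/tor debian-tor:debian-tor
[ "$#" -eq 0 ] || audit_datadir "$@"
```

Run against the listing in this thread, it would exit with status 1 and list the directory and all six files, since each is owned by messagebus:sdwdate.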