tor services permissions problem

[PsySc0rpi0n]

Hello. Here I am again.

I'm setting up an hidden Tor service and according to the service docs I have all set up, however, I'm getting an error message about one of the settings I have in one of the config files of Tor.

For security purposes I'll use different names and port numbers to describe the issue.

In /var/log/tor/log, I keep getting this warn:

Code: Select all

Aug 24 11:23:51.000 [warn] Unable to make /var/lib/tor group-readable: Permission denied

My /etc/tor/torrc file is this:

Code: Select all

SOCKSPort 1000
ControlPort 1001

HiddenServiceDir /var/lib/tor/test-service/
HiddenServicePort 1010 127.0.0.1:1010
HiddenServiceVersion 2

In file /usr/share/tor/tor-service-defaults-torrc I have

Code: Select all

DataDirectory /var/lib/tor
 PidFile /var/run/tor/tor.pid
 RunAsDaemon 1
 User debian-tor

 ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
 ControlSocketsGroupWritable 1
 DataDirectoryGroupReadable  1 # Added from https://wiki.archlinux.org/inex.php/tor by me on 17/0/2019
 SocksPort unix:/var/run/tor/socks WorldWritable
 SocksPort 1000 # Changed by me from 9050 to 1000 by me on 17/08/2019

 CookieAuthentication 1
 CookieAuthFileGroupReadable 1
 CookieAuthFile /var/run/tor/control.authcookie

 Log notice file /var/log/tor/log

User running tor:

Code: Select all

debian-tor  1339  0.3  0.2  91652 40128 ?        Ss   ago23   4:04 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0

Permissions in folders of interest:

Code: Select all

$ ls -lah /var/lib/tor
total 6,3M
drwxr-x---  3 debian-tor debian-tor 4,0K ago 24 14:22 .
drwxr-xr-x 81 root       root       4,0K ago 15 09:21 ..
drwx--S---  2 debian-tor debian-tor 4,0K ago 24 11:23 test-service
-rw-------  1 debian-tor debian-tor  20K ago 15 09:21 cached-certs
-rw-------  1 debian-tor debian-tor 2,1M ago 24 13:15 cached-microdesc-consensus
-rw-------  1 debian-tor debian-tor 4,0M ago 23 21:27 cached-microdescs
-rw-------  1 debian-tor debian-tor 293K ago 24 13:36 cached-microdescs.new
-rw-r-----  1 debian-tor debian-tor   32 ago 17 17:31 control_auth_cookie
-rw-------  1 debian-tor debian-tor    0 ago 23 20:57 lock
-rw-------  1 debian-tor debian-tor 3,7K ago 24 14:22 state

So, if I'm not mistaken, user running tor is "debian-tor" and as ownership of /var/lib/tor is "debian-tor:debian-tor", there shoul be no permissions issues, right?
So, what might be the problem?

[Bloom]

To change the ownership of system directories, you need to be root.
So use

Code: Select all

$ sudo chown ...

and it should work fine.

[PsySc0rpi0n]

To change the ownership of system directories, you need to be root.
So use

Code: Select all

$ sudo chown ...

and it should work fine.

If I'm not missing anything, all ownership is as it should. There's something else causing this problem. Or if it is ownership problem, I know how to change them. I just don't know what to change and to what to change!

[Bloom]

Your error is "Unable to make /var/lib/tor group-readable: Permission denied"
That means the installation script is trying chown of that directory without sudo/root, then you get that error.
If the directory is already created with the proper permissions, you can ignore that error. If the installation script halts after that error, find the chown /var/lib/tor and prepend sudo.

[PsySc0rpi0n]

Your error is "Unable to make /var/lib/tor group-readable: Permission denied"
That means the installation script is trying chown of that directory without sudo/root, then you get that error.
If the directory is already created with the proper permissions, you can ignore that error. If the installation script halts after that error, find the chown /var/lib/tor and prepend sudo.

I'm not sure if by "the installation script" you mean tor service. If so, it's not supposed that tor must run as root.

[postcd]

I can also see it in journal:

audit[1335]: AVC apparmor="DENIED" operation="chmod" profile="system_tor" name="/var/lib/tor/" pid=1335 comm="tor" requested_mask="w" denied_mask="w" fsuid=116 ouid=116
tor[1335]: [warn] Unable to make /var/lib/tor group-readable: Permission denied

Debian 11, 5.10.0-17-amd64
$ tor --version
Tor version 0.4.5.10.

My custom hidden service directory has debian-tor rights including its contents. And is chmod 700.
i did chmod g+r and also chmod g+w to /var/lib/tor but it still complains as shown above, i think that Tor should not to try make that dir. group readable if it is already set as such?

$ sudo chmod g+rw /var/lib/tor && sudo stat /var/lib/tor
Access: (0770/drwxrwx---) Uid: ( 116/debian-tor) Gid: ( 125/debian-tor)

Files in that folder are:

-rw------- 1 debian-tor debian-tor

So while it still shows above erros, i have chmod /var/lib/tor back to 750

[reinob]

You have a broken installation.

/var/lib/tor should have the set-group-ID bit set (rwx--S---)

This is done by the tor postinst (chmod 02700 /var/lib/tor).