Bug 694986 - net-vpn/tor: can't read its own files when run via systemd service
Summary: net-vpn/tor: can't read its own files when run via systemd service
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: John Helmert III
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2019-09-19 20:53 UTC by Michał Górny
Modified: 2023-01-29 05:22 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-19 20:53:55 UTC
This is really weird.  When I try to start Tor for the second time, it outputs into Journal:

wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Tor 0.4.1.5 running on Linux with Libevent 2.1.11-stable, OpenSSL 1.1.1c, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd N/A.
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Read configuration file "/etc/tor/torrc".
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.040 [warn] Directory /var/lib/tor/ssh cannot be read: Permission denied
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.040 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.


Interestingly enough, it created that directory in the previous run, and it's owned by tor:tor, u+rwx.  This really makes no sense to me.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-20 22:11:49 UTC
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

seems to be responsible for that.  If I remove it, Tor starts fine.
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2019-09-20 22:19:17 UTC
I think the issue is that we're starting Tor as root but restricting its privileges.  It tries to read its own configuration before dropping privileges to the 'tor' user, but it doesn't have the capability to read other users' files.

I've been able to come up with two possible solutions:

1. Add CAP_DAC_READ_SEARCH to let it read other users' files before changing user.

2. Set User in systemd service, and remove it from torrc.  Then Tor will start as unprivileged user but it will at least have access to its own files.

No clue whether option 2 has any corner cases, though.
Comment 3 poncho 2019-10-12 15:09:47 UTC
(In reply to Michał Górny from comment #2)
> 2. Set User in systemd service, and remove it from torrc.  Then Tor will
> start as unprivileged user but it will at least have access to its own files.

This is what I'm currently using:

[OVERRIDDEN] /etc/systemd/system/tor.service → /lib/systemd/system/tor.service

--- /lib/systemd/system/tor.service     2019-10-10 12:50:16.422262877 +0200
+++ /etc/systemd/system/tor.service     2019-10-12 17:01:34.236049999 +0200
@@ -21,9 +21,9 @@
 LimitNOFILE=32768
 
 # Hardening
-Group=tor
+User=tor
 RuntimeDirectory=tor
-RuntimeDirectoryMode=0770
+RuntimeDirectoryMode=0750
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectHome=yes
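Review bot: with `-Group=tor` / `+User=tor` the unit now starts Tor unprivileged, so the `User` line in /etc/tor/torrc (the removal comment 2 calls option 2) has to be dropped at the same time for the override to be complete; that companion change should be stated next to the diff. A second consequence worth noting: the unit's `CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE` (comment 1) only bounds capabilities, and a service started via `User=` holds none unless they are also granted through `AmbientCapabilities=`, so with this override Tor can no longer bind ORPort/DirPort values below 1024 (harmless for the client-style SocksPort/ControlPort sockets shown below, but it should be spelled out). `RuntimeDirectoryMode=0750` still lets members of the tor group traverse /var/run/tor, which is what the GroupWritable socket settings below rely on.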


This would allow settings like
SocksPort unix:/var/run/tor/socks GroupWritable
ControlPort unix:/var/run/tor/control GroupWritable
without changing tor.service

Those are the common paths expected by most applications: 
https://trac.torproject.org/projects/tor/wiki/doc/Tor_friendly_applications_best_practices#networkconfiguration
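As an added illustration of the diagnosis in comment 2 and the override in comment 3 (example code, not from the bug report, the Gentoo ebuild or Tor itself): a check that reads a unit's [Service] section and a torrc, and flags the root-with-bounded-capabilities mismatch that produces "Permission denied" on Tor's own directories. The sample unit and torrc are constructed, and `~`-negated CapabilityBoundingSet values are not handled.

```python
# Added example: detect the tor.service / torrc mismatch from this bug.
# Assumptions: constructed sample files below; no "~" negation in CapabilityBoundingSet.
DAC_CAPS = {"CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"}  # let root read files it does not own

def parse_unit_service(text):
    """Collect the [Service] keys of a systemd unit; repeated keys accumulate."""
    section, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
        elif section == "[Service]" and "=" in line:
            key, _, value = line.partition("=")
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def parse_torrc(text):
    """torrc is 'Option value' per line; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts

def diagnose(unit_text, torrc_text):
    """Return findings describing why Tor would be unable to read its own files."""
    unit, torrc = parse_unit_service(unit_text), parse_torrc(torrc_text)
    findings = []
    unit_user = unit.get("User", ["root"])[-1]            # systemd default is root
    bounding = {c for v in unit.get("CapabilityBoundingSet", []) for c in v.split()}
    if unit_user == "root" and "User" in torrc and "CapabilityBoundingSet" in unit and not bounding & DAC_CAPS:
        u = torrc["User"][-1]  # Tor drops to this user only after reading its config
        findings.append("root start, bounding set lacks CAP_DAC_READ_SEARCH: DataDirectory/HiddenServiceDir "
                        "owned by %s are read before the privilege drop -> Permission denied. Fix: add "
                        "CAP_DAC_READ_SEARCH, or set User=%s in the unit and drop User from torrc." % (u, u))
    if unit_user != "root" and "User" in torrc:
        findings.append("torrc sets User while the unit already runs as %s; the torrc entry is redundant." % unit_user)
    return findings

# Constructed samples mirroring comment 1 (upstream unit) and comment 3 (override).
UPSTREAM_UNIT = """[Service]
Group=tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
RuntimeDirectory=tor
"""
OVERRIDE_UNIT = UPSTREAM_UNIT.replace("Group=tor", "User=tor")
TORRC = "User tor\nDataDirectory /var/lib/tor/data\nHiddenServiceDir /var/lib/tor/ssh\n"
```

Running `diagnose(UPSTREAM_UNIT, TORRC)` yields the capability finding, while the override unit only reports the now-redundant torrc `User` line.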