Hi Johannes,
Johannes:
> I'd like to use a unix domain socket as HiddenServicePort target so I can remove networking capabilities from my hidden service's server process. Tor does not connect to my socket, though. Tor's debug level logging does not show any (comprehensible) errors. This is very frustrating to debug!
> Because of the documentation of unix domain sockets in *other* parts of Tor, like ControlPort, SocksPort et al., I suspect it is about permissions.
> What *exactly* are the requirements of ownership and permissions of the socket and its directory, and why? This is totally under-documented!
A unix socket should be readable and writable for the user under which you're running tor ("tor", "_tor" etc.), as well as for the server (nginx or whatever). So you need some combination that provides 'rw-' access for all relevant users ("nginx"/"www", "tor"/"_tor"...). E.g., this can be accomplished by adding these users to some "onionservice" group or whichever you like.
P.S. You can test connectivity with `curl` by running something like this:

    $ curl --unix-socket /path/to/socket http:///
-- Sweet onions, Ivan Markin
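Added example, not part of Ivan's reply and not code from Tor or nginx: the checker below emulates the permission test the kernel applies when a process connect(2)s to an AF_UNIX path, which is search (x) on every directory component plus write (w) on the socket inode itself (read is not actually required, though 'rw-' as advised above is the usual setting). The users "_tor" and "www", the "onionservice" group, all uids/gids, the path /var/run/onion/http.sock and the modes are constructed for illustration; `audit()` runs the same logic against a real socket and a real local account, which is the kind of check that was missing while debugging "Tor does not connect to my socket".

```python
"""Emulate the DAC checks connect(2) applies to a Unix socket path.
Added example for the thread above; all uids, gids, paths and modes are constructed."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int          # permission bits only, e.g. 0o660
    uid: int
    gid: int


@dataclass(frozen=True)
class Principal:
    name: str
    uid: int
    gids: frozenset    # primary gid plus supplementary groups


def allowed(p, node, want):
    """Classic Unix DAC: exactly one class (owner, group, other) is consulted,
    and every bit in `want` (r=4, w=2, x=1) must be set in that class."""
    if p.uid == 0:
        return True    # simplification: root bypasses these DAC checks
    if p.uid == node.uid:
        bits = (node.mode >> 6) & 7
    elif node.gid in p.gids:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def connect_allowed(p, dirs, sock):
    """connect(2) on an AF_UNIX path needs search (x) on each directory on the
    way down and write (w) on the socket inode; returns (ok, reason)."""
    for d in dirs:
        if not allowed(p, d, 1):
            return False, f"{p.name}: no search (x) on {d.path}"
    if not allowed(p, sock, 2):
        return False, f"{p.name}: no write (w) on {sock.path}"
    return True, f"{p.name}: ok"


def audit(path, username):
    """Same check against the live filesystem for a real local user,
    e.g. audit('/var/run/onion/http.sock', '_tor')."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    p = Principal(username, pw.pw_uid, frozenset(gids))
    path = os.path.abspath(path)
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        return False, f"{path} is not a socket"
    dirs, d = [], os.path.dirname(path)
    while True:
        dst = os.stat(d)
        dirs.append(Inode(d, stat.S_IMODE(dst.st_mode), dst.st_uid, dst.st_gid))
        if d == os.path.dirname(d):   # reached "/"
            break
        d = os.path.dirname(d)
    sock = Inode(path, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return connect_allowed(p, dirs[::-1], sock)


# Constructed scenario: nginx ("www") creates the socket, tor runs as "_tor",
# both are members of a shared "onionservice" group (gid 2000).
ONION_GID = 2000
TOR = Principal("_tor", 1001, frozenset({1001, ONION_GID}))
NGINX = Principal("www", 1002, frozenset({1002, ONION_GID}))
OTHER = Principal("nobody", 65534, frozenset({65534}))
SYSTEM_DIRS = [Inode("/", 0o755, 0, 0), Inode("/var", 0o755, 0, 0),
               Inode("/var/run", 0o755, 0, 0)]


def scenario(dir_mode, sock_mode, sock_gid=ONION_GID):
    """/var/run/onion is owned by www:onionservice with dir_mode; the socket in
    it has sock_mode and group sock_gid. A socket created by bind(2) gets the
    creating process's primary gid unless the directory is setgid, so passing
    sock_gid=1002 models the shared group silently not applying."""
    dirs = SYSTEM_DIRS + [Inode("/var/run/onion", dir_mode, NGINX.uid, ONION_GID)]
    sock = Inode("/var/run/onion/http.sock", sock_mode, NGINX.uid, sock_gid)
    return {p.name: connect_allowed(p, dirs, sock) for p in (TOR, NGINX, OTHER)}


if __name__ == "__main__":
    for label, args in [("recommended 0750/0660", (0o750, 0o660)),
                        ("socket 0600", (0o750, 0o600)),
                        ("dir 0700", (0o700, 0o660)),
                        ("socket kept www's primary gid", (0o750, 0o660, 1002))]:
        print(label)
        for ok, reason in scenario(*args).values():
            print("  ", "PASS" if ok else "FAIL", reason)
```

Two things the scenarios make visible that a bare `ls -l` on the socket does not: a socket that is group-writable is still unreachable if the tor user lacks search permission on the directory above it, and the socket's group is whatever the server's primary gid was at bind(2) time (its mode is 0777 masked by the server's umask) unless the directory carries the setgid bit (`chmod g+s`), so adding the users to a shared group is only half the job.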