don't run arm as the tor user, Roger tells you why:
https://lists.torproject.org/pipermail/tor-relays/2016-May/009259.html

 
Interesting. I didn't know this, and I've always used "sudo -u" as well. Thanks for sharing. 

For the archives, the link above ultimately leads here: https://www.torproject.org/docs/tor-relay-debian#after (See step 13). The crux of it:

as the user that will be running arm, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "arm".