On Tue, May 23, 2017 at 01:43:37PM +1000, teor wrote:
> HiddenServiceDir /var/lib/tor/SERVICE_NAME/
> What are the permissions on each of the enclosing directories? (Tor checks permissions recursively in some cases.)
> In 0.3.0.7, we made a number of hidden service checks stricter. Perhaps one of the checks is too strict.
Earlier in this thread, Alexander said:
| The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's
| owned by debian-tor, which worked for 0.2.9.10.
I asked weasel about this question, and he pointed me to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993 which looks exactly like Alexander's issue.
It doesn't affect Debian by default, because Debian doesn't have apparmor enabled by default.
So, the short term workaround for Alexander would be to add the line that intrigeri suggests to the apparmor profile. The better fix imo will be for Tor to stop doing behavior that the apparmor profile wants to prevent, such as trying to read directories before it has switched uids. I'll open a ticket about that once I understand it more.
--Roger