Hello,
did anyone else run into a problem when upgrading from 0.2.9.10 to 0.3.0.7 on Ubuntu?
Tor is no longer starting, with these messages in syslog:
[notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
[notice] Read configuration file "/etc/tor/torrc".
[warn] Directory /var/lib/tor/SERVICE_NAME/ cannot be read: Permission denied
[warn] Checking service directory /var/lib/tor/SERVICE_NAME/ failed.
[warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
[err] Reading config failed--see warnings above.
The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's owned by debian-tor, which worked for 0.2.9.10.
Thanks, Alexander
On 22 May 2017, at 00:30, Alexander Dietrich alexander@dietrich.cx wrote:
> Hello,
> did anyone else run into a problem when upgrading from 0.2.9.10 to 0.3.0.7 on Ubuntu?
> Tor is no longer starting, with these messages in syslog:
> [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
> [notice] Read configuration file "/etc/tor/torrc".
> [warn] Directory /var/lib/tor/SERVICE_NAME/ cannot be read: Permission denied
> [warn] Checking service directory /var/lib/tor/SERVICE_NAME/ failed.
> [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
> [err] Reading config failed--see warnings above.
> The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's owned by debian-tor, which worked for 0.2.9.10.
What user is your tor process running as?
There should be a log line with the user name in it.
Or you could use something like ps.
Otherwise, you will need to check the command line and both config files for a User option.
T
--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
On 2017-05-22 04:07, teor wrote:
>> The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's owned by debian-tor, which worked for 0.2.9.10.
> What user is your tor process running as?
The Ubuntu packages from d.t.o run Tor as "debian-tor". I would expect 0.3.0.7 to do the same, but it dies immediately, so I'm not sure.
> There should be a log line with the user name in it.
> Or you could use something like ps.
> Otherwise, you will need to check the command line and both config files for a User option.
None of the .service files contains a "User" option. (And systemd complains if you try to add one.)
> T
> Tim Wilson-Brown (teor)
Thanks, Alexander
>>> The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's owned by debian-tor, which worked for 0.2.9.10.
>> What user is your tor process running as?
> The Ubuntu packages from d.t.o run Tor as "debian-tor". I would expect 0.3.0.7 to do the same, but it dies immediately, so I'm not sure.
>> There should be a log line with the user name in it.
>> Or you could use something like ps.
>> Otherwise, you will need to check the command line and both config files for a User option.
> None of the .service files contains a "User" option. (And systemd complains if you try to add one.)
You should not add a User option to the systemd service file.
Please post your configuration file /etc/tor/torrc (without sensitive content like password hashes)
On 2017-05-22 10:23, nusenu wrote:
> Please post your configuration file /etc/tor/torrc (without sensitive content like password hashes)
It's not very exciting, with all comments removed:
----------
HeartbeatPeriod 1 hours
SOCKSPort 0
HiddenServiceDir /var/lib/tor/SERVICE_NAME/
HiddenServicePort SERVICE_PORT
----------
Cheers, Alexander
On 23 May 2017, at 05:56, Alexander Dietrich alexander@dietrich.cx wrote:
> On 2017-05-22 10:23, nusenu wrote:
>> Please post your configuration file /etc/tor/torrc (without sensitive content like password hashes)
> It's not very exciting, with all comments removed:
> HeartbeatPeriod 1 hours
> SOCKSPort 0
> HiddenServiceDir /var/lib/tor/SERVICE_NAME/
> HiddenServicePort SERVICE_PORT
What are the permissions on each of the enclosing directories? (Tor checks permissions recursively in some cases.)
In 0.3.0.7, we made a number of hidden service checks stricter. Perhaps one of the checks is too strict.
T
--
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B
ricochet:ekmygaiu4rzgsk6n
xmpp: teor at torproject dot org
On Tue, May 23, 2017 at 01:43:37PM +1000, teor wrote:
>> HiddenServiceDir /var/lib/tor/SERVICE_NAME/
> What are the permissions on each of the enclosing directories? (Tor checks permissions recursively in some cases.)
> In 0.3.0.7, we made a number of hidden service checks stricter. Perhaps one of the checks is too strict.
Earlier in this thread, Alexander said:
| The permissions on /var/lib/tor/SERVICE_NAME/ are "rwx--S---" and it's
| owned by debian-tor, which worked for 0.2.9.10.
I asked weasel about this question, and he pointed me to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993 which looks exactly like Alexander's issue.
It doesn't affect Debian by default, because Debian doesn't have apparmor enabled by default.
So, the short term workaround for Alexander would be to add the line that intrigeri suggests to the apparmor profile. The better fix imo will be for Tor to stop doing behavior that the apparmor profile wants to prevent, such as trying to read directories before it has switched uids. I'll open a ticket about that once I understand it more.
--Roger
On Tue, May 23, 2017 at 03:32:49AM -0400, Roger Dingledine wrote:
> The better fix imo will be for Tor to stop doing behavior that the apparmor profile wants to prevent, such as trying to read directories before it has switched uids. I'll open a ticket about that once I understand it more.
https://bugs.torproject.org/22331
--Roger
On 2017-05-23 09:32, Roger Dingledine wrote:
> I asked weasel about this question, and he pointed me to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=862993 which looks exactly like Alexander's issue.
> It doesn't affect Debian by default, because Debian doesn't have apparmor enabled by default.
The workaround suggested by intrigeri did the trick!
Thanks, Alexander
tor-relays@lists.torproject.org
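The two checks this thread works through, as an added example that is not part of the original messages: listing the permissions on each enclosing directory of the HiddenServiceDir, and filtering kernel log lines for AppArmor denials against tor, which separates an ownership problem from a profile denial. The function names, the constructed sample log lines and the profile names in them (including "system_tor") are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print mode, owner and path of DIR and of every enclosing directory,
# outermost first. Needs GNU stat (Ubuntu/Debian coreutils).
enclosing_perms() {
    case $1 in /*) ;; *) echo "need an absolute path" >&2; return 2 ;; esac
    set -- "${1%/}"              # drop one trailing slash
    [ -n "$1" ] || set -- /      # the path was "/" itself
    if [ "$1" != / ]; then
        enclosing_perms "$(dirname "$1")" || return
    fi
    stat -c '%A %U:%G %n' "$1"
}

# Read kernel/audit log lines on stdin; for each AppArmor denial whose
# comm= field equals COMM ($1), print "<profile> <operation>".
apparmor_denials() {
    grep -F 'apparmor="DENIED"' | grep -F "comm=\"$1\"" |
        sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*/\2 \1/p'
}

# Constructed sample log lines; the profile names are assumptions.
sample_log() {
    cat <<'EOF'
May 22 00:30:01 host kernel: audit: type=1400 audit(1495405801.100:41): apparmor="DENIED" operation="open" profile="example_other" name="/tmp/example" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 22 00:30:02 host kernel: audit: type=1400 audit(1495405802.200:42): apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/SERVICE_NAME/" pid=1234 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Usage: sh check.sh /var/lib/tor/SERVICE_NAME/
if [ "$#" -gt 0 ]; then
    enclosing_perms "$1"
    journalctl -k --no-pager 2>/dev/null | apparmor_denials tor
fi
```

If every enclosing directory is traversable by the owner of the service directory and the second check still prints a line for tor, the "Permission denied" comes from the AppArmor profile rather than from file ownership or mode bits.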