I just installed tor on a Raspberry Pi 3 Model B and can't get a relay to start unless I sudo. When I attempt to start tor as a non-privileged user I get a permissions error: Opening Jan 05 18:33:35.929 [notice] Opening OR listener on 0.0.0.0:443 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:443: Permission denied Jan 05 18:33:35.930 [notice] Opening Directory listener on 0.0.0.0:80 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:80: Permission denied Ideas on best method to bind these ports to tor on startup as non-root?
Thanks
On Thu, Jan 05, 2017 at 06:38:23PM -0800, Kurt Besig wrote:
I just installed tor on a Raspberry Pi 3 Model B and can't get a relay to start unless I sudo. When I attempt to start tor as a non-privileged user I get a permissions error: Opening Jan 05 18:33:35.929 [notice] Opening OR listener on 0.0.0.0:443 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:443: Permission denied Jan 05 18:33:35.930 [notice] Opening Directory listener on 0.0.0.0:80 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:80: Permission denied Ideas on best method to bind these ports to tor on startup as non-root?
If you're using the deb, it's actually intended to be started as root ("service tor start"), and it drops privileges once it binds to the ports.
Using the deb init script is also smart because it does things like fixing "ulimit -n" for you so it doesn't default to 1024 (which is way too low for a useful relay).
If you want to use iptables rules to do forwarding instead, check out https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#HowcanImakemyrelaya...
(We haven't moved that faq entry to the main faq because the deb just handles it for you.)
(All of this might be a lie for Raspbian. I hope not though.)
--Roger
On 1/5/2017 6:50 PM, Roger Dingledine wrote:
On Thu, Jan 05, 2017 at 06:38:23PM -0800, Kurt Besig wrote:
I just installed tor on a Raspberry Pi 3 Model B and can't get a relay to start unless I sudo. When I attempt to start tor as a non-privileged user I get a permissions error: Opening Jan 05 18:33:35.929 [notice] Opening OR listener on 0.0.0.0:443 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:443: Permission denied Jan 05 18:33:35.930 [notice] Opening Directory listener on 0.0.0.0:80 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:80: Permission denied Ideas on best method to bind these ports to tor on startup as non-root?
If you're using the deb, it's actually intended to be started as root ("service tor start"), and it drops privileges once it binds to the ports.
Using the deb init script is also smart because it does things like fixing "ulimit -n" for you so it doesn't default to 1024 (which is way too low for a useful relay).
If you want to use iptables rules to do forwarding instead, check out https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#HowcanImakemyrelaya...
(We haven't moved that faq entry to the main faq because the deb just handles it for you.)
(All of this might be a lie for Raspbian. I hope not though.)
--Roger
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
What a great community, all terrific suggestions to my problem. I tried easy first, Roger's suggestion, and voila! A check of /var/log/tor/log indicates all is well. Sometimes simple is best. Now let's see if the relay's descriptor gets published and what bw adjustments are necessary. One of our more vocal ops and all her questioning got me interested in trying out an inexpensive alternative, so we'll see what opinions, questions, suggestions, I come up with. :-)
Thanks again.
On Thu, Jan 5, 2017 at 9:38 PM, Kurt Besig kbesig@socal.rr.com wrote:
Ideas on best method to bind these ports to tor on startup as non-root?
It's an ancient unix security trust thing (today aka: lol). Anything uid != 0 is denied bind to 0~1023. So you can't without tricks. Linux probably has some knob like FreeBSD's... sysctl net.inet.ip.portrange.reserved{low,high} If not, FreeBSD can also probably run fine on your Pi. You could also run NAT to redir low ports to high ports. Or hack the kernel to remove the limit. Or see the tor manpage and choose ports greater than 1023 for your relay service. Or the deb bits Roger hinted at.
On a Pi 3 the official packages seem to work, so you can simply follow the instructions on the Tor website: https://www.torproject.org/docs/debian.html.en
Use "Option two" and ignore the "Raspbian is not Debian" paragraph.
Best regards, Alexander
--- PGP Key: https://dietrich.cx/pgp | 0x52FA4EE1722D54EB
On 2017-01-06 06:37, Petrusko wrote:
Hey, Tor from Raspbian Repo is not very updated... v0.2.5... On a RPi, I usually build Tor Stable from source. No problem about using ports >1024 in my case.
Some dependencies required... (sorry, I don't remember which ones...)
Add source repo in your /etc/apt/sources.list
At the bottom of the file :
#TOR stable - pour building from source deb-src http://deb.torproject.org/torproject.org jessie main
- Compil Tor from source with a script, in my home folder (for example):
nano tor-compil.sh I use "root" user.
#!/bin/bash # init function pause(){ read -p "$*" } mkdir ~/debian-packages cd ~/debian-packages rm * -R apt-get source tor cd tor-* debuild -rfakeroot -uc -us cd .. pause 'Press [Enter] key to continue... Installation TOR' dpkg -i tor_*.deb tor-*.deb
exit 0
Then chmod +x tor-compil.sh
./tor-compil.sh
Hope it will help!
Le 06/01/2017 à 03:38, Kurt Besig a écrit :
I just installed tor on a Raspberry Pi 3 Model B and can't get a relay to start unless I sudo. When I attempt to start tor as a non-privileged user I get a permissions error: Opening Jan 05 18:33:35.929 [notice] Opening OR listener on 0.0.0.0:443 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:443: Permission denied Jan 05 18:33:35.930 [notice] Opening Directory listener on 0.0.0.0:80 Jan 05 18:33:35.930 [warn] Could not bind to 0.0.0.0:80: Permission denied Ideas on best method to bind these ports to tor on startup as non-root?
Thanks
-- Petrusko C0BF 2184 4A77 4A18 90E9 F72C B3CA E665 EBE2 3AE5
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
tor-relays@lists.torproject.org
-
Alexander Dietrich -
grarpamp -
Kurt Besig -
Petrusko -
Roger Dingledine