[tor-bugs] #26181 [Core Tor/Tor]: Systemd fails to load included service files tor at .service or tor at default.service

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed May 23 22:25:52 UTC 2018


#26181: Systemd fails to load included service files tor at .service or
tor at default.service
------------------------------+--------------------------------
     Reporter:  d3m0nkingx    |      Owner:  (none)
         Type:  defect        |     Status:  new
     Priority:  Very High     |  Milestone:  Tor: 0.3.3.x-final
    Component:  Core Tor/Tor  |    Version:  Tor: 0.3.3.6
     Severity:  Major         |   Keywords:
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+--------------------------------
 '''__Environment:__'''

 Ubuntu 16.04.4 (linux kernel 4.16.0-041600-generic)

 Tor version 0.3.3.6 (git-c9903102c98cd028).

  systemd version 229

 +PAM +AUDIT +SELINUX +IMA +APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP
 +GCRYPT +GNUTLS +ACL +XZ -LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD -IDN


 ----------------------------------------------------------------------

 I had to completely redo the service files in order to get it to actually
 load with systemd.

 Firstly I disabled the init script for tor in /etc/init.d/tor:

 '''update-rc.d disable tor'''

 Then I made changes to tor.service, torrc and the system_tor files, as
 everything was basically conflicting with each other, mainly with apparmor
 denying access to /var/run because the apparmor system_tor authorized paths
 for the cookie file were not matching the torrc default path. So I had to
 either update system_tor or change the path in torrc to reflect this; I went
 with updating apparmor's profile as well as adding a couple more variations
 of the cookie file.

 I had to also add the following lines to tor.service:

 '''!RuntimeDirectory=tor'''

 '''!RuntimeDirectoryMode=0700'''

 This was needed in order for tor to actually initialize and create the files
 in the /var/run directory, as anything with permissions allowing more than
 the owner would issue a warning and fail.

 --------

 I also added some of the configuration from /etc/default/tor to torrc,
 because that file is only used by the /etc/init.d/tor script, which is not
 touched when using systemd to start tor.

 From what I tested, tor will not start with systemd if the user/group is
 defined as anything other than root when it tries to create/read/write the
 /var/run/tor directory. For example, setting 'User demon' in torrc and
 User=demon Group=sudo in tor.service results in:

  * [notice] Opening Socks listener on /var/run/tor/socks

  * [warn] Unable to chown() /var/run/tor/socks socket: Operation not
 permitted.

  * [notice] Opening Socks listener on 127.0.0.1:9050

  * [warn] /var/run/tor is not owned by this user (root, 0) but by demon
 (1000). Perhaps you are running Tor as the wrong user?

  * [warn] Before Tor can create a control socket in "/var/run/tor/socks",
 the directory "/var/run/tor" needs to exist, and to be accessible only by
 the user and group account that is running Tor.  (On some Unix systems,
 anybody who can list a socket can connect to it, so Tor is being careful.)
  * [notice] Closing partially-constructed Socks listener on 127.0.0.1:9050

  * [warn] Failed to parse/validate config: Failed to bind one of the
 listener ports.

  * [err] Reading config failed--see warnings above.

 This seems to be an issue with tor and not systemd. T

 The files I've attached are setup where tor successfully loads with
 systemd using User root group=root.

 Lastly, the other modification I had to make was in
 /etc/apparmor.d/system_tor, because the default cookie locations are
 mismatched between apparmor and tor:

 apparmor.d/system_tor sets the cookie path as:

 '''  /{,var/}run/tor/control.authcookie w,'''

 '''  /{,var/}run/tor/control.authcookie.tmp rw,'''

 tor's default sets the cookie path as:

 '''  /var/run/tor/control_auth_cookie'''

 This causes apparmor to trigger and deny tor from writing/reading the
 cookie file, and tor fails to start. Thus I had to add the following lines
 to system_tor:

   /{,var/}run/tor/control_auth_cookie w,

   /{,var/}run/tor/control_auth_cookie.tmp rw,

 ------------------------

 The other issue with starting tor with systemd is that the option
 DisableAllSwap doesn't work and gets the error:

  * [warn] You appear to lack permissions to change memory limits. Are you
 root?

  * [warn] Unable to raise RLIMIT_MEMLOCK: Operation not permitted

  * [notice] Unable to lock all current and future memory pages: Cannot
 allocate memory

  * [warn] Failed to parse/validate config: !DisableAllSwap failure. Do you
 have proper permission

 I haven't been able to resolve the cause of this. However, the option does
 work when starting tor from the command line with DisableAllSwap enabled.

 Hopefully the maintainers of tor will address and correct this for the
 next release.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26181>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
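
As an added example (not the reporter's files and not Tor's, systemd's or AppArmor's own code): a small Python check that expands the AppArmor brace alternation used in system_tor and reports which rules cover the cookie path Tor will write, taking the path from CookieAuthFile in torrc or falling back to the default quoted in the report. The profile and torrc contents below are constructed to match the lines in the ticket.

```python
import re

# Tor's default cookie path as quoted in the ticket (constructed check, not Tor code).
DEFAULT_COOKIE = "/var/run/tor/control_auth_cookie"

def expand_braces(path):
    """Expand AppArmor alternation: '/{,var/}run/x' -> {'/run/x', '/var/run/x'}."""
    m = re.search(r"\{([^{}]*)\}", path)
    if not m:
        return {path}
    out = set()
    for alt in m.group(1).split(","):
        out |= expand_braces(path[:m.start()] + alt + path[m.end():])
    return out

def profile_rules(profile_text):
    """Yield (path, perms) for simple AppArmor file rules such as '/a/b rw,'."""
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",")
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("/"):
            yield parts[0], parts[1]

def torrc_cookie_path(torrc_text):
    """Return the CookieAuthFile set in torrc, or the default path when unset."""
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "cookieauthfile":
            return parts[1].strip()
    return DEFAULT_COOKIE

def rules_allowing_cookie_write(profile_text, torrc_text):
    """Return the profile rules whose expansion covers the cookie path with 'w'."""
    cookie = torrc_cookie_path(torrc_text)
    return [path for path, perms in profile_rules(profile_text)
            if cookie in expand_braces(path) and "w" in perms]

# Constructed inputs: the system_tor lines quoted in the ticket, then the added ones.
PROFILE_BEFORE = """
  /{,var/}run/tor/control.authcookie w,
  /{,var/}run/tor/control.authcookie.tmp rw,
"""
PROFILE_AFTER = PROFILE_BEFORE + """
  /{,var/}run/tor/control_auth_cookie w,
  /{,var/}run/tor/control_auth_cookie.tmp rw,
"""
TORRC = "User demon\nControlPort 9051\nCookieAuthentication 1\n"  # no CookieAuthFile
```

An empty result from rules_allowing_cookie_write means the profile will deny the cookie write and tor will fail to start as described in the ticket.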