[tor-onions] domain socket as HiddenServicePort target -- permissions!?

Ivan Markin twim at riseup.net
Wed Jun 15 19:32:21 UTC 2016


Hi Johannes,

Johannes:
> I'd like to use a unix domain socket as HiddenServicePort target so I
> can remove networking capabilities from my hidden service's server
> process. Tor does not connect to my socket, though. Tor's debug level
> logging does not show any (comprehensible) errors. This is very
> frustrating to debug!
> 
> Because of the documentation of unix domain sockets in *other* parts of
> Tor, like ControlPort, SocksPort et al., I suspect it is about
> permissions.
> 
> How *exactly* are the requirements of ownership and permissions of the
> socket and its directory and why? This is totally under-documented!

A unix socket should be readable and writable for the user under which
you're running tor ("tor", "_tor" etc.), as well as for the server (nginx
or whatever). So you need some combination that provides 'rw-' access
for all relevant users ("nginx"/"www", "tor"/"_tor", ...). E.g. this can
be accomplished by adding these users to some "onionservice" group or
whichever you like.

P.S. You can test connectivity with `curl` by running something like this
(the host part of the URL is only used for the Host header once
--unix-socket is given):
$ curl --unix-socket /path/to/socket http://localhost/

--
Sweet onions,
Ivan Markin

