Opened 2 years ago

Closed 15 months ago

#19824 closed defect (not a bug)

/var/run/tor/control socket not created because of /var/run/tor permission issue

Reported by: adrelanos
Owned by:
Priority: Medium
Milestone: Tor: 0.3.1.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.8.6
Severity: Normal
Keywords:
Cc: weasel
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Using Tor 0.2.8.6 from deb.torproject.org, /var/run/tor/control is no longer created because of a permission issue. As a manual workaround, sudo chmod --recursive 700 /var/run/tor works.

The symptom in Tor's log is the following:

Aug 03 17:36:33.000 [warn] Permissions on directory /var/run/tor are too permissive.

Rather than 755 Tor's /lib/systemd/system/tor@default.service should use 700. I.e. rather than using:

ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor

/lib/systemd/system/tor@default.service should use:

ExecStartPre=/usr/bin/install -Z -m 02700 -o debian-tor -g debian-tor -d /var/run/tor

Change History (9)

comment:1 Changed 2 years ago by weasel

What does your torrc look like? I suspect you are using a non-standard configuration for your control socket.

comment:2 Changed 2 years ago by adrelanos

I emptied my torrc for testing purposes, restarted tor, still getting this. (Didn't happen with earlier Tor versions.) Still trying to figure out what makes the difference on my system.

Aug 03 21:56:34.000 [warn] Permissions on directory /var/run/tor are too permissive.
Aug 03 21:56:34.000 [warn] Before Tor can create a control socket in "/var/run/tor/control", the directory "/var/run/tor" needs to exist, and to be accessible only by the user and group account that is running Tor.  (On some Unix systems, anybody who can list a socket can connect to it, so Tor is being careful.)

In tor.postinst you are using chmod 02750 /var/run/tor but for systemd you are using 02755. Is that supposed to be like that?

comment:3 Changed 2 years ago by weasel

That is indeed a bug. It should be 02755 everywhere.

The tor from the package should accept that since we say

ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck

comment:4 Changed 2 years ago by weasel

So, is your torrc entirely empty?

comment:5 Changed 2 years ago by nickm

Milestone: Tor: 0.2.8.x-final
Status: new → needs_information

comment:6 Changed 19 months ago by nickm

Milestone: Tor: 0.2.8.x-final → Tor: 0.3.1.x-final

comment:7 Changed 17 months ago by nickm

Resolution: user disappeared
Status: needs_information → closed

comment:8 in reply to:  4 Changed 15 months ago by adrelanos

Resolution: user disappeared
Status: closed → reopened

Sorry, I missed the notification for this issue.

Replying to weasel:

> So, is your torrc entirely empty?

Yes.

Well, weasel confirmed the bug, isn't this actionable?

Replying to weasel:

> That is indeed a bug. It should be 02755 everywhere.
>
> The tor from the package should accept that since we say
>
> ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck

comment:9 Changed 15 months ago by catalyst

Resolution: not a bug
Status: reopened → closed

Not a bug for the reasons weasel explained: the provided torrc allows the relaxed directory permissions.

The /var/run/tor permissions problem seems like a Debian packaging issue rather than Core Tor itself, but I guess we're kind of the upstream for that packaging? (https://gitweb.torproject.org/debian/tor.git/)

In that case it looks like the inconsistent chmod 02750 /var/run/tor is already removed in https://gitweb.torproject.org/debian/tor.git/commit/debian/tor.postinst?id=a55886272fff17109007c7240c2680bdfcb42877
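
An added example, not part of the ticket and not Tor's or the Debian package's own code: a shell check for the situation discussed above, reporting whether a control socket's parent directory is open to "other" and whether a given torrc carries RelaxDirModeCheck for that socket. The function names are hypothetical, and the rule used (no permission bits for "other" unless RelaxDirModeCheck is set) is a simplification taken from the warning text, assuming GNU stat.

```shell
#!/bin/sh
# Added example (not Tor's code). Simplified rule taken from the warning text:
# without RelaxDirModeCheck, "other" must have no access to the socket directory.

# Octal mode of a path, e.g. 755 or 2755 (GNU stat, as shipped on Debian).
dir_mode() {
    stat -c '%a' "$1"
}

# Succeed if torrc $1 has a ControlSocket line for path $2 carrying RelaxDirModeCheck.
has_relax_flag() {
    awk -v sock="$2" '
        tolower($1) == "controlsocket" && $2 == sock {
            for (i = 3; i <= NF; i++) if ($i == "RelaxDirModeCheck") found = 1
        }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# Print ok | ok-relaxed | too-permissive | missing for the socket's parent directory.
audit_control_dir() {
    torrc=$1
    sock=$2
    dir=$(dirname "$sock")
    mode=$(dir_mode "$dir" 2>/dev/null) || { echo "missing"; return 0; }
    case $mode in
        *0) echo "ok" ;;   # last octal digit 0: no bits set for "other"
        *)
            if has_relax_flag "$torrc" "$sock"; then
                echo "ok-relaxed"
            else
                echo "too-permissive"
            fi
            ;;
    esac
}

# Usage: sh audit.sh <torrc> <control socket path>
if [ "$#" -eq 2 ]; then
    audit_control_dir "$1" "$2"
fi
```

Run it against whichever torrc file actually carries the ControlSocket line; per the comments above, that is the torrc provided by the package rather than the user's own.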
