Opened 2 years ago

Last modified 6 weeks ago

#22331 new defect

Tor needs to stop trying to read directories before it changes users

Reported by: arma Owned by:
Priority: High Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor:
Severity: Normal Keywords: 032-unreached, apparmor usability 042-proposed
Cc: intrigeri, dgoulet Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


If you use apparmor along with the Tor deb, like pretty much all Ubuntu users, and you want to configure a hidden service, you are in for some misery. For example, let's say your put your hidserv directory in /var/lib/tor/, which would make sense because then Tor will create the directory when it starts, take care of its permissions, etc.

The trouble is that the apparmor rules only let the debian-tor user read stuff in /var/lib/tor. They prevent root from trying to read stuff there (because why should it). But when Tor starts, especially Tor 0.3.0.x, it tries to check all the hidden service directories, as root, before it drops privileges. When apparmor refuses the directory read attempts, Tor flips out and says the config is bad:

We should audit all of these cases where we try to interact with files and directories before we've dropped privileges, and get rid of the ones we don't need.

(This one is a little bit tricky, because the way we've set up options_validate() vs options_act(), we'd like to be able to detect if a configuration change is going to fail *before* we commit to it. But I think cleaning up our behavior here is worth having things fail later because of directory problems if they're going to. After all, this way people will be able to use tight and simple apparmor profiles to enforce good behavior inside Tor.)

Child Tickets

Change History (10)

comment:1 Changed 2 years ago by arma

Cc: intrigeri added

comment:2 Changed 2 years ago by arma

(weasel points out, I think correctly, that putting your hidserv directory in /var/lib/tor/ is the only reasonable choice, because all the other options are worse.)

comment:3 Changed 2 years ago by arma

Cc: dgoulet added

intrigeri points also to (so I cc dgoulet)

comment:4 Changed 2 years ago by arma

Btw we have approximately one Ubuntu user per day on irc who runs into this bug and fails to be able to use onion services on Ubuntu, even using our deb.

It is a real usability issue.

comment:5 Changed 2 years ago by cypherpunks

Duplicate: #22991

comment:6 Changed 22 months ago by nickm

Keywords: 032-unreached added
Milestone: Tor: 0.3.2.x-finalTor: unspecified

Mark a large number of tickets that I do not think we will do for 0.3.2.

comment:7 Changed 10 months ago by traumschule

Keywords: apparmor added

group tickets related to AppArmorForTBB/tor packages

comment:8 Changed 8 months ago by arma

#26910 is a very related ticket.

comment:9 Changed 6 weeks ago by arma

This ticket remains a major usability issue for people running onion services.

When I do talks at conferences, people talk to me about this issue.

comment:10 Changed 6 weeks ago by nickm

Keywords: usability 042-proposed added
Priority: MediumHigh
Note: See TracTickets for help on using tickets.