Opened 3 years ago

Last modified 4 months ago

#22331 new defect

Tor needs to stop trying to read directories before it changes users

Reported by: arma Owned by:
Priority: High Milestone: Tor: unspecified
Component: Core Tor/Tor Version: Tor:
Severity: Normal Keywords: 032-unreached, apparmor usability 042-proposed 044-can 043-backport??
Cc: intrigeri, dgoulet, asn Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


If you use apparmor along with the Tor deb, like pretty much all Ubuntu users, and you want to configure a hidden service, you are in for some misery. For example, let's say your put your hidserv directory in /var/lib/tor/, which would make sense because then Tor will create the directory when it starts, take care of its permissions, etc.

The trouble is that the apparmor rules only let the debian-tor user read stuff in /var/lib/tor. They prevent root from trying to read stuff there (because why should it). But when Tor starts, especially Tor 0.3.0.x, it tries to check all the hidden service directories, as root, before it drops privileges. When apparmor refuses the directory read attempts, Tor flips out and says the config is bad:

We should audit all of these cases where we try to interact with files and directories before we've dropped privileges, and get rid of the ones we don't need.

(This one is a little bit tricky, because the way we've set up options_validate() vs options_act(), we'd like to be able to detect if a configuration change is going to fail *before* we commit to it. But I think cleaning up our behavior here is worth having things fail later because of directory problems if they're going to. After all, this way people will be able to use tight and simple apparmor profiles to enforce good behavior inside Tor.)

Child Tickets

Change History (15)

comment:1 Changed 3 years ago by arma

Cc: intrigeri added

comment:2 Changed 3 years ago by arma

(weasel points out, I think correctly, that putting your hidserv directory in /var/lib/tor/ is the only reasonable choice, because all the other options are worse.)

comment:3 Changed 3 years ago by arma

Cc: dgoulet added

intrigeri points also to (so I cc dgoulet)

comment:4 Changed 3 years ago by arma

Btw we have approximately one Ubuntu user per day on irc who runs into this bug and fails to be able to use onion services on Ubuntu, even using our deb.

It is a real usability issue.

comment:5 Changed 3 years ago by cypherpunks

Duplicate: #22991

comment:6 Changed 3 years ago by nickm

Keywords: 032-unreached added
Milestone: Tor: 0.3.2.x-finalTor: unspecified

Mark a large number of tickets that I do not think we will do for 0.3.2.

comment:7 Changed 2 years ago by traumschule

Keywords: apparmor added

group tickets related to AppArmorForTBB/tor packages

comment:8 Changed 2 years ago by arma

#26910 is a very related ticket.

comment:9 Changed 17 months ago by arma

This ticket remains a major usability issue for people running onion services.

When I do talks at conferences, people talk to me about this issue.

comment:10 Changed 17 months ago by nickm

Keywords: usability 042-proposed added
Priority: MediumHigh

comment:11 Changed 9 months ago by arma

This issue continues to be important. I don't know how people who use the Tor deb set up onion services. Maybe most of them give up?

comment:12 Changed 9 months ago by nickm

Cc: asn added
Keywords: 044-should 043-backport?? added
Milestone: Tor: unspecifiedTor: 0.4.4.x-final

comment:13 Changed 9 months ago by intrigeri


I'd like to help. I can't promise low latency.

I'll need more info:

  • Which exact version of the "tor" Debian package are the affected folks running?
  • On which version of Debian or Ubuntu?

I'm asking because at first glance, it seems that no recent version of said package in Debian is affected. In particular, the first version of Debian that enabled AppArmor by default (Buster) is not affected AFAIK.

And in passing, the "tor" Debian package ships its own, non-upstream, AppArmor profiles, so I'm not sure "Milestone: Tor: 0.4.4.x-final" correctly reflects who should do the work and where it shall happen.

comment:14 Changed 5 months ago by nickm

Keywords: 044-can added; 044-should removed

comment:15 Changed 4 months ago by nickm

Milestone: Tor: 0.4.4.x-finalTor: unspecified
Note: See TracTickets for help on using tickets.