Opened 7 months ago

Last modified 9 days ago

#25890 needs_information enhancement

add instructions for running nyx safely to the FAQ

Reported by: arma Owned by: atagar
Priority: Medium Milestone:
Component: Core Tor/Nyx Version:
Severity: Normal Keywords:
Cc: nusenu Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

On the tor-relay-debian page, we used to tell people how to configure arm/nyx safely: see item 13 on
https://web.archive.org/web/20171019233402/https://www.torproject.org/docs/tor-relay-debian
The trick is to add your user to the debian-tor group, not to sudo your nyx to run as the debian-tor user.

We seem to have dropped those instructions when we migrated to the wiki page at https://trac.torproject.org/projects/tor/wiki/TorRelayGuide

I noticed just now because I was trying to help another arm/nyx user on #tor, who was doing it the wrong way (presumably because they were following old instructions from somewhere else, like the old arm documentation).

Change History (11)

comment:1 Changed 7 months ago by nusenu

Thanks for reporting this. Would it also satisfy you if this were in the nyx FAQ?
https://nyx.torproject.org/#faq
I'd prefer if nyx.tpo would be the authoritative source for nyx documentation.

Also note that the current relay-guide is not compatible with the instructions since the instructions assume there is a ControlSocket.

old instructions:

  1. You might like to use the arm relay monitor to watch your relay's activities from the command line. First, "sudo apt install tor-arm". Second, as the user that will be running arm, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run "arm".
Last edited 7 months ago by nusenu

comment:2 Changed 7 months ago by nusenu

Component: changed from Community/Relays to Core Tor/Nyx
Owner: changed from Nusenu to atagar
Status: changed from new to assigned
Summary: changed from "relay guide lost the instructions for running nyx safely" to "add instructions for running nyx safely to the FAQ"
Type: changed from defect to enhancement

comment:3 Changed 7 months ago by atagar

Status: changed from assigned to needs_information

This sounds specific to our debian-tor setup to me. That said, happy to discuss a Nyx FAQ addition if someone has a particular entry they'd care to propose.

comment:4 Changed 7 months ago by cypherpunks

The question for the FAQ would be:

"I'm a relay operator, what is the safest way to connect Nyx to my relay?"

The answer is up to you since you are the best at answering it.

comment:5 Changed 7 months ago by atagar

We already have a FAQ entry for how to connect. The ask here is to add something specifically about permissions. Seems to me this has two parts...

  • Our advice for the debian-tor setup. That should probably go in its trac section.
  • What, if anything, Nyx's FAQ should say. This advice should be applicable to everyone.

The second may take some discussion, and I'd like to see what Roger would care to propose first.

Roger and I are generally in agreement, but we have some difference of priorities. In particular Roger is concerned with security edge cases whereas I care about usability. This is fine, and no doubt we'll get on the same page. But it might require discussing DisableDebuggerAttachment and tor's CookieAuthFileGroupReadable default.

comment:6 Changed 7 months ago by arma

nusenu: right, the tor-relay-debian page did indeed assume you were using the deb.

atagar, the goal here is to provide some concrete advice for all the people who were trained by arm in the past to su to debian-tor and run arm as the debian-tor user. That was a bad idea (because it gives arm permissions to things that it doesn't need). The better idea is to add the-user-that-will-run-nyx to the debian-tor group, and then use the fact that the controlsocket is reachable by anybody in the group so authentication can happen smoothly.

To be more specific, I suggest the question would be something like "How should I connect nyx to my relay on Debian?" and the answer would be something like "as the user that will be running nyx, run "sudo adduser $USER debian-tor" to add your user to the debian-tor group so it can reach Tor's controlsocket. Then log out and log back in (so your user is actually in the group), and run nyx. This approach is safer than the one where you run nyx as the debian-tor user directly, since in that case you'd be giving nyx more access to your Tor private files than it needs."
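The group-membership approach described in the comment above can be checked before starting nyx. The following is an added example, not part of the ticket or of Nyx; the function names `classify` and `report` and the optional socket-path argument are assumptions, while `debian-tor` is the group and account named above.

```shell
#!/bin/sh
# Added example (not from the ticket): check how this account would reach
# Tor's control socket under the debian-tor group approach.
TOR_GROUP="debian-tor"   # group and account name used in the ticket

# has_word LIST WORD: succeed if WORD is one of the space-separated words in LIST.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify USER SESSION_GROUPS DB_GROUPS
#   SESSION_GROUPS: groups of the current login session (id -nG)
#   DB_GROUPS:      groups recorded for the account      (id -nG USER)
classify() {
    if [ "$1" = "$TOR_GROUP" ]; then
        echo "overprivileged"   # nyx would run with tor's own file permissions
    elif has_word "$2" "$TOR_GROUP"; then
        echo "ok"               # group access is active in this session
    elif has_word "$3" "$TOR_GROUP"; then
        echo "relogin"          # adduser was run, but this session predates it
    else
        echo "not-in-group"     # adduser has not been run for this account
    fi
}

# report [SOCKET_PATH]: classify the invoking account. SOCKET_PATH is optional
# and must be supplied by the operator (hypothetical argument, no default).
report() {
    user=$(id -un 2>/dev/null) || user="unknown"
    state=$(classify "$user" "$(id -nG 2>/dev/null)" "$(id -nG "$user" 2>/dev/null)")
    echo "$user: $state"
    if [ -n "$1" ]; then
        if [ -S "$1" ] && [ -w "$1" ]; then
            echo "$1: socket writable by this session"
        else
            echo "$1: not a socket, or not writable by this session"
        fi
    fi
}

report "$@"
```

The `relogin` state is the case the old instructions cover with "log out and log back in": the group database already lists the account, but the running session was started before the change.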

comment:7 in reply to: 5 Changed 7 months ago by arma

Replying to atagar:

We already have a FAQ entry for how to connect.

Do the instructions there work for Debian relays? Don't they have cookie auth set up already, but they put the cookie into a place that you, the nyx user, can't reach?

But it might require discussing DisableDebuggerAttachment and tor's CookieAuthFileGroupReadable default.

Yeah, I definitely don't want to try to teach users to poorly reconstruct part of the debian config just so they can run nyx as a different user. I am thinking of the people who are already on debian, who have been thinking that recommended advice is for them to sudo to debian-tor and run nyx there.

comment:8 Changed 7 months ago by nusenu

Replying to arma:

nusenu: right, the tor-relay-debian page did indeed assume you were using the deb.

More specifically it did assume a configuration with ControlSocket enabled. The torrc in the relay-guide specifically disables ControlSocket on Debian-based systems to have a minimal attack surface (not everyone needs ControlSockets enabled so we disabled it by default on Debian based systems to restore vanilla tor defaults).

comment:9 in reply to: 5 Changed 7 months ago by nusenu

Replying to atagar:

We already have a FAQ entry for how to connect. The ask here is to add something specifically about permissions. Seems to me this has two parts...

  • Our advice for the debian-tor setup. That should probably go in its trac section.

That section is about configuring a tor relay (Nyx is optional and shouldn't be in the steps that everyone needs to perform to set up a relay).

The question is: Should the relay-guide's scope include Nyx configuration steps or is that on nyx.tpo?
I'd prefer if Nyx documentation lives on nyx.tpo because Damian knows better what future changes in Nyx require an update of the documentation.

The part that could live in the relay-guide is where I cover the requirements that Nyx has on the tor configuration (i.e. ControlSocket).

I could envision a new section in the relay guide named:

"Configuring tor for use with Nyx (optional)"

  • steps required for every currently supported platform

and located before the "Tor relay lifecycle" section.

comment:10 Changed 11 days ago by wagon

That was a bad idea (because it gives arm permissions to things that it doesn't need). The better idea is to add the-user-that-will-run-nyx to the debian-tor group, and then use the fact that the ControlSocket is reachable by anybody in the group so authentication can happen smoothly.

Although I agree with you, I have to say that the difference is not that big. Nyx has full control over Tor's configuration. Therefore, if the user used to run Nyx is compromised, Tor is completely compromised too. Nevertheless, the damage can be less if it is caused by some unintentional error in the code (i.e. not by intentional exploitation of a vulnerability).

as the user that will be running nyx, run sudo adduser $USER debian-tor to add your user to the debian-tor group so it can reach Tor's ControlSocket

I agree that there should be some recommended simple way to run nyx relatively safely for everybody. However, I have to warn you that neither su nor sudo is a safe way to elevate privileges in a UNIX system. If the user you use for running su/sudo is compromised, all accounts accessible by him using su/sudo are compromised too. su/sudo is not a mechanism of security; it is a mechanism that prevents accidental damage you can make to your system (don't confuse it with intentionally malicious damage!).

What would actually be the safe and recommended way to run Nyx? It does not require changing any groups or enabling socket authentication. Instead, do the following:

  1. Create a separate user for administrative tasks. Use a separate console (Ctrl+Alt+Fn) or a separate X window to log in as this user. Never use this user to run potentially unsafe applications such as a browser.
  2. Configure your firewall in such a way that this administrative user can only access 127.0.0.1:9051 (block all other loopback connections and all non-TCP protocols, block all connections through any other network interface). You can use this user for other administrative tasks too (it depends on your setup, but ssh to root@localhost can be an example).
  3. Run Tor as a system service that listens at 127.0.0.1:9051 as its ControlPort.
  4. Disable cookie authentication in torrc (we don't need it), but enable password authentication in torrc. If you are curious about the reasons, read my explanation in another comment.
  5. Wait for atagar to add password authentication in nyxrc (#28295), or type it interactively during Nyx start-up already now.

This is a general approach. Don't allow your tor-browser to use ControlPort, because in this case a compromised browser would compromise your anonymity too. Circuit connections will not be seen in tor-browser; use Nyx or tor-prompt for that instead. SubgraphOS developers proposed an additional proxy between tor-browser and Tor, which can filter potentially dangerous requests to ControlPort, but their approach (as relying on an extra application for an anonymity-critical task) is less safe than what I suggest here: rely only on well-tested UNIX kernel mechanisms: the firewall, its configuration (you can filter traffic by user), and user privilege separation.

Last edited 11 days ago by wagon
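Step 2 of the list in the comment above, expressed as per-user `iptables` owner-match rules. This is an added example, not the commenter's or the Tor Project's configuration; the account name `toradmin` and the function name `control_port_rules` are hypothetical, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not from the ticket): print owner-match rules that confine
# one account to Tor's ControlPort on IPv4 loopback.
# ADMIN_USER / "toradmin" is a hypothetical account; 9051 is the port from the comment.

# control_port_rules USER [PORT]: write the rule set to stdout for review.
control_port_rules() {
    user=$1
    port=${2:-9051}
    # The output is meant to be run by root, so refuse anything that is not
    # a plain account name or a numeric port.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user: $user" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    # 1. Allow only TCP to the control port on the loopback interface.
    echo "iptables -A OUTPUT -o lo -p tcp -d 127.0.0.1 --dport $port -m owner --uid-owner $user -j ACCEPT"
    # 2. Reject everything else this account sends: other loopback ports,
    #    non-TCP protocols, and every other interface.
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
    # 3. The account needs no IPv6 traffic at all.
    echo "ip6tables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

control_port_rules "${ADMIN_USER:-toradmin}"
```

The rules append to the existing OUTPUT chain, so their position relative to rules already loaded decides whether they take effect, and they do not persist across reboots unless saved.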

comment:11 Changed 9 days ago by wagon

Disable cookie authentication in torrc (we don't need it), but enable password authentication in torrc. If you are curious about the reasons, read my explanation in another comment.

UPDATE: In principle, it may be better to use SafeCookie as I explained here. If Nyx has to have access to the torrc file and Tor logs (to display their content), the user used to run Nyx should be added to the debian-tor group. If restricted functionality (only ControlPort is accessible) is sufficient, Nyx can be launched from a user who is not a member of the debian-tor group.
