Opened 7 years ago

Closed 5 years ago

#7989 closed defect (fixed)

revise OS X relay instructions

Reported by: phobos Owned by:
Priority: Medium Milestone:
Component: Webpages/Website Version:
Severity: Keywords:
Cc: mo Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

We don't offer the Vidalia bundle for OS X any more, therefore the instructions at https://www.torproject.org/docs/tor-doc-relay.html.en are wrong for Macs. Best options appear to be TBB open all the time, or homebrew recipes like https://github.com/mtigas/homebrew-tor

Attachments (1)

org.torproject.tor.plist (1.6 KB) - added by teor 5 years ago.
Annotated LaunchDaemon plist file for tor

Change History (11)

comment:1 Changed 7 years ago by mo

Cc: mo added

comment:2 Changed 7 years ago by mo

For "just Tor", pointing at Homebrew should be good enough, right? It does bring the latest stable:
https://github.com/mxcl/homebrew/blob/master/Library/Formula/tor.rb

The recipes look easy enough for one of us to handle "maintaining" at least the stable version there, maybe even the alpha?

I guess we should still encourage people to verify the signature. I am not sure how homebrew works and where it keeps the downloaded source.

comment:3 Changed 7 years ago by mo

Status: new → needs_review

I have committed a first version of the new instructions for Homebrew (rev 26005). I don't own a Mac, so there are some sections I am unsure about (verification, uninstall, configuration location, sample config), but they should definitely be an improvement over the old useless instructions.

Can someone fill me in on how to configure Tor to run as daemon?

The document also states that at least 20kb/s are a good contribution as a relay. I don't think that's good advice nowadays.

comment:4 in reply to:  3 Changed 7 years ago by arfarf

Replying to mo:

> I have committed a first version of the new instructions for Homebrew (rev 26005). I don't own a Mac, so there are some sections I am unsure about (verification, uninstall, configuration location, sample config), but they should definitely be an improvement over the old useless instructions.
>
> Can someone fill me in on how to configure Tor to run as daemon?
>
> The document also states that at least 20kb/s are a good contribution as a relay. I don't think that's good advice nowadays.

I have a Mac with Homebrew. Where can I see the new writeup?

comment:5 Changed 7 years ago by mo

Hi arfarf! The new/current writeup is live at https://www.torproject.org/docs/tor-doc-osx.html.en .

comment:6 Changed 7 years ago by arfarf

I have a few concerns with steps 1 and 2, and usage of Homebrew in general.

Step 1:

ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

This will insecurely (-k = no certificate checks) load code from Homebrew and send it to the ruby interpreter. This is how Homebrew advertises their install method, but it isn't secure in the slightest. I'm not aware of any reasonably secure way to bootstrap Homebrew, as it wasn't designed with security in mind.

brew install tor

The only verification done here will be a check of the MD5 checksum provided by brew. I suppose it may be possible to download the Tor tarball, confirm the signature with GPG, and move the tarball to the /Library/Caches directory before running the install command; however any minor mistakes in the process would just cause brew to download the source.

A better solution may be packaging and signing a standalone Tor relay build, so that concerned end-users can verify GPG signatures.

comment:7 Changed 7 years ago by arfarf

If users are willing to put up with the inherently insecure nature of Homebrew, the following command can be run in Terminal to start Tor when the user logs in:

ln -sfv /usr/local/opt/tor/*.plist ~/Library/LaunchAgents
launchctl load ~/Library/LaunchAgents/homebrew.mxcl.tor.plist

The user will then need to create a torrc in /usr/local/etc/tor. Homebrew installs /usr/local/etc/tor/torrc.sample which can be modified.

Starting Tor as a system daemon is more complicated. A user will have to do something similar to the following.

  1. Create /Library/LaunchDaemons/org.torproject.tor.plist with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.torproject.tor</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/tor</string>
        <string>-f</string>
        <string>/usr/local/etc/tor/torrc</string>
    </array>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
  2. Create a user for the Tor daemon
  3. Create a data directory for the Tor daemon. /var/db/tor would be a good choice. The permissions will have to be changed in this directory to allow access for the user created in 2.
  4. Modify /usr/local/etc/tor/torrc to include this valid DataDirectory and User.

comment:8 Changed 5 years ago by teor

Should we merge this with https://trac.torproject.org/projects/tor/wiki/doc/MacRunOnBoot ?
(Or, perhaps, remove MacRunOnBoot entirely when this is finished?)

I've attached an example, annotated org.torproject.tor.plist which has the following functionality:

  • Log stdout and stderr
  • Wait for network before running tor
  • Play nice with other apps (CPU, I/O)
  • Open greater than the default 512/1024 file/connection limit
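
The following shell functions are an added example, not taken from the ticket or from teor's attachment: they stage a LaunchDaemon plist with the logging, priority and file-limit settings listed in comment 8, and cover the torrc and data-directory steps of comment 7. The account name `_tor`, the log path, the Nice value and the 4096 limit are assumptions; waiting for the network is not covered.

```shell
#!/bin/sh
# Added example. TOR_USER and TOR_LOG are assumed names; TOR_DATA is the path from comment 7.
TOR_USER="${TOR_USER:-_tor}"
TOR_DATA="${TOR_DATA:-/var/db/tor}"
TOR_LOG="${TOR_LOG:-/var/log/tor.log}"

# Write the LaunchDaemon plist to $1 (to be installed under /Library/LaunchDaemons).
write_plist() {
cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>org.torproject.tor</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/tor</string>
        <string>-f</string>
        <string>/usr/local/etc/tor/torrc</string>
    </array>
    <key>KeepAlive</key><true/>
    <!-- log stdout and stderr -->
    <key>StandardOutPath</key><string>$TOR_LOG</string>
    <key>StandardErrorPath</key><string>$TOR_LOG</string>
    <!-- yield CPU and disk I/O to other apps -->
    <key>Nice</key><integer>10</integer>
    <key>LowPriorityIO</key><true/>
    <!-- raise the open-file limit; 4096 is an illustrative value -->
    <key>SoftResourceLimits</key><dict><key>NumberOfFiles</key><integer>4096</integer></dict>
    <key>HardResourceLimits</key><dict><key>NumberOfFiles</key><integer>4096</integer></dict>
</dict>
</plist>
EOF
}

# Append User and DataDirectory to the torrc at $1 unless an entry already exists.
set_torrc() {
    for line in "User $TOR_USER" "DataDirectory $TOR_DATA"; do
        grep -q "^${line%% *} " "$1" 2>/dev/null || printf '%s\n' "$line" >> "$1"
    done
}

# Succeed only if directory $1 has mode 0700 and is owned by $TOR_USER.
check_datadir() {
    ls -ld "$1" 2>/dev/null | awk -v u="$TOR_USER" \
        '{ ok = (substr($1, 1, 10) == "drwx------" && $3 == u) } END { exit !ok }'
}

# Stage both files for review when run as: sh script.sh stage <dir>
if [ "${1:-}" = "stage" ]; then write_plist "$2/org.torproject.tor.plist"; set_torrc "$2/torrc"; fi
```

Staging into a scratch directory first lets the files be reviewed (and the plist checked with `plutil -lint` on a Mac) before they are copied into place as root.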

Changed 5 years ago by teor

Attachment: org.torproject.tor.plist added

Annotated LaunchDaemon plist file for tor

comment:9 Changed 5 years ago by Sebastian

Removing MacRunOnBoot sounds fine. I'm updating the instructions to use macports, which actually signs its releases.

comment:10 Changed 5 years ago by Sebastian

Resolution: fixed
Status: needs_review → closed

updated description to use macports
