Changes between Version 9 and Version 10 of doc/OpenbsdChrootedTor


Timestamp: Apr 23, 2010, 4:47:27 AM
Author: trac
Comment: --

  • doc/OpenbsdChrootedTor

    v9 v10  
    1010[:../:up to Tor]
    1111
    12 A tutorial for setting up a Tor client on OpenBSD in a chroot.  At the end, there are instructions
    13 for running the Tor client in a chroot and using a systrace policy.
    14 These instructions describe both static and dynamic linked versions with a section to help you
    15 decide which you should use.
    16 
    17 The table of contents makes this tutorial look long but each section is short.  These are complete
    18 instructions for how to do the entire operation from downloading, building, and starting Tor.
    19 
    2012Table of Contents
    2113[[TableOfContents]]
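Review bot: Dropping the introductory paragraphs (v9 lines 12-18) removes the only sentence telling readers that the tutorial covers both static and dynamic linking and ends with systrace instructions; both of those sections are removed elsewhere in this revision, so the cut is consistent, but the Comment field for this change is empty and nothing records that this is a rollback rather than an edit. Suggest a one-line change comment stating the intent.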
     
    2315= Assumptions =
    2416
    25  * You are installing '''Tor 0.0.9.9'''
    26  * You are running '''OpenBSD 3.7''' or '''OpenBSD 3.7 stable'''
     17 * You are installing '''Tor 0.0.9.4'''
     18 * You are running '''OpenBSD 3.6'''
    2719 * You want to install the files to run into '''/home/chrooted/tor'''
    2820 * You do not want syslog entries from tor messages because if Tor misbehaves, you want it to affect the system as little as possible
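Review bot: The Assumptions hunk moves the version numbers backwards, from Tor 0.0.9.9 on OpenBSD 3.7 to Tor 0.0.9.4 on OpenBSD 3.6, so for a network-facing client the page now recommends an older release than it did, and every wget, gpg, tar and cd line later in this diff follows the same downgrade. If the aim is to restore older content, say so in the change comment; otherwise the newer version strings should be kept.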
     
    3325
    3426These instructions are based on [http://pestilenz.org/~bauerm/tor-openbsd-howto.html]
    35 with some changes.  Note that baurem's version can be used for a client or server while
    36 these instructions are (currently) only for a client.
    37 It also includes a few parts from TorInChroot.  The rest is new.
    38 
    39 If you are using the unstable branch (currently 0.1.0.9-rc) then you will want to install
    40 a newer version of libevent.  The libevent included with OpenBSD is very old and said to
    41 contain bugs/problems.
     27with some needed changes.  It also includes a few parts from TorInChroot.  The rest is new.
    4228
    4329This tutorial is setup so that the root and non-root commands are clearly
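Review bot: The removed lines 35-41 carried two pieces of information that the replacement line 27 does not: that bauerm's howto covers a server while this page is client-only, and that the libevent shipped with OpenBSD is old enough that a newer Tor branch needs a newer one. The second is a dependency note rather than version-specific prose and is worth keeping even if the 0.1.0.9-rc reference is dropped.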
     
    5743su - root
    5844ksh
    59 mkdir -p /home/chrooted/tor/{dev,etc,usr/lib,usr/libexec,var/lib/tor,var/log/tor}
     45mkdir -p /home/chrooted/tor/{dev,etc,var/lib/tor,var/log/tor}
    6046chmod -R 0700 /home/chrooted
    6147chown -R youruser:yourgroup /home/chrooted
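Review bot: Removing `usr/lib` and `usr/libexec` from the `mkdir -p` line at line 45 is only correct because the dynamic-link build path and its `cp ... /home/chrooted/tor/usr/lib/` lines are removed in the same revision; if either of those is ever restored, this line has to be restored with it. The `chmod -R 0700` and `chown -R youruser:yourgroup` context lines are unchanged.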
     
    9581yet.  You'll also need the dependencies for these files.
    9682{{{
    97 pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/3.7/packages/i386/ \
    98            {gmake-3.80p0,gnupg-1.4.1,privoxy-3.0.3p0,dante-1.1.15p0}.tgz
     83pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/ \
     84           {gmake-3.80,gnupg-1.2.2p1,privoxy-3.0.3,dante-1.1.14}.tgz
    9985}}}
    10086
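Review bot: Both the old and the new `pkg_add -v ftp://...` lines fetch four packages over plain FTP with no signature or checksum step, while the Tor tarball further down is checked with `gpg --verify`; the hunk only swaps release-specific package versions (gnupg 1.4.1 to 1.2.2p1, privoxy 3.0.3p0 to 3.0.3, dante 1.1.15p0 to 1.1.14), so the gap is pre-existing, but a sentence telling the reader that these packages are trusted on the strength of the mirror alone would be worth adding while this block is being touched.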
     
    122108vnconfig -c -v /dev/svnd0c devfs
    123109newfs /dev/svnd0c
    124 mount -o nosuid,softdep /dev/svnd0c /home/chrooted/tor/dev
     110mount /dev/svnd0c /home/chrooted/tor/dev
    125111}}}
    126112You can later release this device with `umount /home/chrooted/tor/dev` and then
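Review bot: Line 110 drops `-o nosuid,softdep` from the mount of the devfs image into the chroot; `nosuid` is a hardening flag that costs nothing here (the image holds device nodes, not setuid binaries) and matches the page's stated aim of letting a misbehaving Tor affect the system as little as possible, so it should stay even if `softdep` is dropped.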
     
    158144
    159145{{{
    160 wget http://tor.eff.org/dist/tor-0.0.9.9.tar.gz{.asc,}
     146wget http://tor.eff.org/dist/tor-0.0.9.4.tar.gz{.asc,}
    161147}}}
    162148
     
    164150
    165151{{{
    166 gpg --verify tor-0.0.9.9.tar.gz{.asc,}
     152gpg --verify tor-0.0.9.4.tar.gz{.asc,}
    167153}}}
    168154
     
    179165is setup properly.
    180166{{{
    181 gpg --keyserver subkeys.pgp.net --search-keys 0x28988BF5
     167gpg --keyserver pgp.mit.edu --search-keys 0x28988BF5
    182168}}}
    183169
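Review bot: Line 167 switches the keyserver from subkeys.pgp.net to pgp.mit.edu without saying why; whichever server is used, `--search-keys 0x28988BF5` is a lookup by short key id, and the surrounding text should tell the reader to compare the full fingerprint against one obtained through another channel before trusting the "Good signature" result that line 173 describes.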
     
    187173Good signature from ...
    188174{{{
    189 gpg --verify tor-0.0.9.9.tar.gz{.asc,}
     175gpg --verify tor-0.0.9.4.tar.gz{.asc,}
    190176}}}
    191177
    192178== Compiling and installing Tor ==
    193179
    194 === Option 1: Build the static linked executable ===
     180=== Build the executable ===
    195181
    196182Tell configure that you will install it in /.  You will actually install the
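Review bot: Renaming the heading at line 180 from "Option 1: Build the static linked executable" to "Build the executable" loses the word "static", yet the build line that follows (`env CFLAGS=-static ./configure --prefix=/`, unchanged at line 191) is still a static build; keep "static" in the heading so readers understand why no shared libraries are copied into the chroot.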
     
    201187to the chrooted area.
    202188{{{
    203 tar -zxvf tor-0.0.9.9.tar.gz
    204 cd tor-0.0.9.5
     189tar -zxvf tor-0.0.9.4.tar.gz
     190cd tor-0.0.9.4
    205191env CFLAGS=-static ./configure --prefix=/
    206 }}}
    207 
    208 === Option 2: Build the dynamically linked executable ===
    209 
    210 You can do the normal dynamic linking if you desire.  In this case, you have to
    211 copy over more system files to the chrooted area.
    212 
    213 However, it would make more sense to use this approach if you have lots of
    214 different programs in the directory `/home/chrooted/$PROGNAME`.  When you
    215 update the libraries for a bug fix, you could just copy in the new libraries
    216 instead of rebuilding all of the executables.
    217 
    218 With static linking, you would have to rebuild each executable in order for
    219 library changes to happen.
    220 
    221 {{{
    222 tar -zxvf tor-0.0.9.9.tar.gz
    223 cd tor-0.0.9.9
    224 ./configure --prefix=/
    225 }}}
    226 
    227 You will need to build the tor executable (this will '''not''' install it
    228 anywhere) so you can find out which libraries you need to move.
    229 {{{
    230 gmake
    231 ldd src/or/tor
    232 }}}
    233 
    234 ==== Find the system libraries ====
    235 
    236 The ldd output will look like this:
    237 {{{
    238 src/or/tor:
    239 tor:
    240         Start    End      Type Ref Name
    241         00000000 00000000 exe   1  src/or/tor
    242         0a5d6000 2a5de000 rlib  1  /usr/lib/libz.so.4.0
    243         0d51e000 2d529000 rlib  1  /usr/lib/libssl.so.9.0
    244         02fcc000 22ffc000 rlib  1  /usr/lib/libcrypto.so.11.0
    245         0216b000 221a2000 rlib  1  /usr/lib/libc.so.34.2
    246         0ed2c000 0ed2c000 rtld  1  /usr/libexec/ld.so
    247 }}}
    248 
    249 This tells you that tor uses libz, libssl, libcrypto, and libc all of which
    250 you will need to copy to the chrooted area.  You also need to copy ld.so.
    251 
    252 ==== Copy the system libraries to chrooted area ====
    253 
    254 Remember this has to be available to tor when you chroot into the
    255 directory `/home/chrooted/tor` so we will need to copy these shared libraries
    256 into `/home/chrooted/tor/usr/lib/`.
    257 
    258 {{{
    259 cp /usr/lib/lib{z,ssl,crypto,c}.so.* /home/chrooted/tor/usr/lib/
    260 cp /usr/libexec/ld.so /home/chrooted/tor/usr/libexec
    261192}}}
    262193
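Review bot: Besides removing the whole dynamic-link option (v9 lines 208-260), this hunk quietly fixes a v9 defect: line 204 had `cd tor-0.0.9.5` after extracting tor-0.0.9.9, while the new lines 189-190 use the same version in both commands. That fix is worth recording in the change comment. The removed ldd and cp instructions were also the only place the page explained how to find the shared libraries and ld.so a binary needs and copy them into the chroot, so if dynamic linking is restored later, that material has to come back with it.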
     
    322253}}}
    323254
    324 You'll also need to make another change so that it doesn't use the user's
    325 home directory for the private data.  Uncomment this line in the config `tor/torrc`
    326 so that it looks like this:
    327 {{{
    328 DataDirectory //var/lib/tor
    329 }}}
    330 
    331255== Copy other network files ==
    332256
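Review bot: Removing the `DataDirectory //var/lib/tor` step (v9 lines 324-329) leaves Tor with its default data directory, which the removed text says is the user's home directory; the chroot created earlier in this diff has `var/lib/tor` but no home directory for `_tor`, so either the torrc shipped with 0.0.9.4 already points at /var/lib/tor or the client will be unable to store its private data. Please confirm which case applies and keep a sentence about it.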
     
    361285}}}
    362286
    363 Only do this step if you are using the dynamically linked executable:
    364 {{{
    365 chmod -R 0755 /home/chrooted/tor/usr
    366 chmod 0444 /home/chrooted/tor/usr/lib/*
    367 chmod 0555 /home/chrooted/tor/usr/libexec/*
    368 }}}
    369 
    370287Don't allow anyone but root into "/home/chrooted"
    371288{{{
     
    396313
    397314If you get permission denied, make sure that the entire search path is
    398 readable by the user from `/home/chrooted/tor` up to the filename.
    399 
    400 If you are using the dynamic linked version and it returns with the
    401 message `Abort` it most likely means the libraries are not readable by
    402 tor.  Check directory and file permissions from `/home/chrooted/tor` down
    403 to the specific library or ld.so.
     315readable by the user from /home/chrooted/tor up to the filename.
    404316
    405317== Configure Privoxy ==
     
    414326}}}
    415327
    416 Unfortunately, privoxy has a default logging scheme that logs '''all'''
    417 URLs you visit.  Such a debugging flag should be turned off for tor.
    418 Thanks arma for pointing this out.
    419 
    420 In the section about debug, comment out this line so it looks like this:
    421 {{{
    422 #debug   1  # Do NOT show each GET/POST/CONNECT request.
    423 }}}
    424 
    425 You may also want to comment out the section that keeps a cache of all
    426 the cookies.
    427 {{{
    428 # jarfile jarfile  # Don't store cookies locally
    429 }}}
    430 
    431 === Optional: Edit your privoxy config again ===
    432 
    433 As you will note, your user agent is not changed.  Here is a quick and easy way
    434 to tell privoxy to munge some of your headers.
    435 
    436 Note: This makes all requests look like they came from the default install of lynx
    437 in OpenBSD.
    438 
    439 {{{
    440 cat <<EOF>> /etc/privoxy/user.action
    441 { +hide-referrer{block} +hide-forwarded-for-headers +hide-user-agent{Lynx/2.8.5rel.2 libwww-FM/2.14 SSL-MM/1.4.1 OpenSSL/0.9.7d} }
    442 /
    443 EOF
    444 }}}
    445 
    446 The items enclosed in `{ ... }` define an action and the second line defines
    447 where it applies.  A "/" means for all sites.
    448 
    449328== Start Privoxy ==
    450329
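Review bot: Removing v9 lines 416-429 is a privacy regression: the removed text itself states that privoxy's default `debug 1` setting logs every URL visited and that the `jarfile` directive stores all cookies locally, both of which undo much of the point of proxying through Tor. The user-agent section is re-added later in this revision, but the logging and cookie-jar advice is not; suggest restoring the two commented-out config lines.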
     
    453332/usr/local/sbin/privoxy
    454333}}}
     334
    455335
    456336== Configure Lynx or other web browser ==
     
    498378I am not using it.  Dante's client just sends requests to Tor.
    499379
    500 == Optional: Use socat instead of dante ==
    501 
    502 I now use socat instead of dante for most things.  Socat is much nicer because
    503 you don't have to rely on the application logic to correctly connect to a server.
    504 
    505 For instance, irssi will sometimes reconnect to an IRC server directly instead
    506 of using the proxy settings with dante.  However, if you use socat, the choice
    507 is not up to irssi to make.
    508 
    509 See the [:TheOnionRouter/TorifyHOWTO#socat: Torify Socat] for more information on
    510 how to compile and use socat on OpenBSD.
    511 
    512 == Optional: Force clients to use Tor ==
    513 
    514 You can force clients to use Tor by removing their ability to normally contact
    515 services.  For instance, irssi may reconnect without using socks.  So let's
    516 setup PF to block such access in {{{/etc/pf.conf}}}:
    517 
    518 {{{
    519 # Change for your device mentioned in the rest of your firewall rules.
    520 int_if = xl0
    521 
    522 block in log quick on $int_if proto { tcp, udp } from any port { irc, 6667 } to any
    523 block out log quick on $int_if proto { tcp, udp } from any to any port { irc, 6667 }
    524 }}}
    525 
    526 Now irssi will not be able to reconnect to any IRC server without using a proxy
    527 such as Tor.  Note that the above is only a portion of the {{{/etc/pf.conf}}} file
    528 and you should definitely have other non-Tor related rules.  Also irc is technically
    529 assigend to port 194 but most servers listen on 6667.
     380=== Optional: Edit your privoxy config again ===
     381
     382As you will note, your user agent is not changed.  Here is a quick and easy way
     383to tell privoxy to munge some of your headers.
     384
     385{{{
     386cat <<EOF>> /etc/privoxy/user.action
     387{ +hide-referrer{block} +hide-forwarded-for-headers +hide-user-agent{Faked} }
     388/
     389EOF
     390}}}
     391
     392The items enclosed in `{ ... }` define an action and the second line defines
     393where it applies.  A "/" means for all sites.
    530394
    531395== Edit /etc/rc.local to start both at boot ==
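Review bot: Two points in this hunk. First, the re-added `+hide-user-agent{Faked}` at line 387 replaces a string that matched a real OpenBSD lynx default (v9 line 441) with a value no real browser sends, so every request from this host becomes trivially distinguishable; an anonymity setup should blend in, and the lynx string was the better choice. Second, removing the socat and PF sections (v9 lines 500-529) drops the only enforcement that keeps an IRC client from reconnecting outside the proxy, which the removed text notes irssi will sometimes do; without those rules the routing through Tor depends on application behaviour alone.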
     
    533397If it works, add startup code to /etc/rc.local.  Tor should start first
    534398because privoxy will forward to it:
    535 
    536 NOTE: Privoxy does not accept `_privoxy:_privoxy` and it requires
    537 `_privoxy._privoxy`
    538 {{{
    539 
    540 if [ -f /home/chrooted/tor/devfs -a -b /dev/svnd0c ]; then
    541      echo -n 'tordevfs: ';
    542      /usr/sbin/vnconfig -c -v /dev/svnd0c /home/chrooted/tor/devfs
    543      /sbin/mount -o softdep /dev/svnd0c /home/chrooted/tor/dev
    544 fi
    545 
     399{{{
    546400if [ -x /home/chrooted/tor/bin/tor ]; then
    547401     echo -n 'tor: ';
    548      /usr/sbin/chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
     402     chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
    549403fi
    550404
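Review bot: Removing the devfs block from rc.local (v9 lines 540-544) means nothing re-attaches `/dev/svnd0c` and mounts it on `/home/chrooted/tor/dev` after a reboot, yet the setup section of this revision still creates that image with `vnconfig -c -v /dev/svnd0c devfs`; Tor in the chroot will then find an empty /dev at boot. Either keep the block or state how the image is mounted instead. Also, line 402 changes `/usr/sbin/chroot` to a bare `chroot`; a boot script is better off with the absolute path the rest of the page uses, and the removed NOTE about `_privoxy._privoxy` (v9 lines 536-537) documented a real pitfall for the privoxy line in the same block.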
     
    555409}}}
    556410
    557 == Using an unchrooted systrace with the chrooted Tor client ==
    558 
    559 === Generating a policy ===
    560 
    561 Here are example policies for a Tor client.  Note: You will have to change
    562 the uid (1001) if that does not match your system.
    563 
    564 First, here is how I got the base configuration:
    565 {{{
    566 su - root
    567 ksh
    568 systrace -a -t chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
    569 }}}
    570 
    571 Then after using Tor for a while (including with privoxy), I shut down Tor:
    572 
    573 {{{
    574 ps awwux | grep _tor
    575 kill # whatever pid
    576 }}}
    577 
    578 Now you will have systrace policy files in `/root/.systrace` under the names
    579 `/root/.systrace/bin_tor` and `/root/systrace/usr_sbin_chroot`.
    580 
    581 You will only have to modify the uid in `/root/systrace/usr_sbin_chroot` and the
    582 rest can stay the same.
    583 
    584 For `/root/.systrace/bin_tor`, you will want to make the configuration more general.
    585 For instance, the generated file will have an entry with connecting to a specific IP:port
    586 but you want to make it a wildcard match *:port.  Otherwise, you would have to hardcode
    587 every value in.
    588 
    589 === Example policies ===
    590 
    591 Here are my example policies.  These work fine for me using Tor as a client with requests
    592 to IRC and websites.
    593 
    594 `/root/.systrace/bin_tor` contains:
    595 {{{
    596 Policy: /bin/tor, Emulation: native
    597         native-__sysctl: permit
    598         native-break: permit
    599 # Memory
    600         native-mmap: permit
    601         native-mprotect: permit
    602         native-mquery: permit
    603         native-munmap: permit
    604 # Files
    605         native-chdir: filename eq "/var/lib/tor" then permit
    606         native-close: permit
    607         native-dup2: permit
    608         native-fcntl: permit
    609         native-fstat: permit
    610         native-getdirentries: permit
    611         native-ioctl: permit
    612         native-lseek: permit
    613         native-pread: permit
    614         native-read: permit
    615         native-write: permit
    616 # File reads
    617         native-fsread: filename match "/<non-existent filename>: *" then deny
    618         native-fsread: filename eq "/dev/crypto" then permit
    619         native-fsread: filename eq "/dev/null" then permit
    620         native-fsread: filename eq "/dev/srandom" then permit
    621         native-fsread: filename eq "/etc/group" then permit
    622         native-fsread: filename eq "/etc/pwd.db" then permit
    623         native-fsread: filename eq "/etc/spwd.db" then permit
    624         native-fsread: filename eq "/etc/tor/torrc" then permit
    625         native-fsread: filename eq "/etc/malloc.conf" then permit
    626         native-fsread: filename eq "/etc/localtime" then permit
    627         native-fsread: filename eq "/usr/lib" then permit
    628         native-fsread: filename match "/usr/lib/libc.so*" then permit
    629         native-fsread: filename match "/usr/lib/libcrypto.so*" then permit
    630         native-fsread: filename match "/usr/lib/libssl.so*" then permit
    631         native-fsread: filename match "/usr/lib/libz.so*" then permit
    632         native-fsread: filename eq "/usr/share/nls/C/libc.cat" then permit
    633         native-fsread: filename match "/usr/share/zoneinfo/*" then permit
    634         native-fsread: filename eq "/var/lib/tor" then permit
    635         native-fsread: filename match "/var/lib/tor/*" then permit
    636         native-fsread: filename eq "/var/log/tor" then permit
    637         native-fsread: filename match "/var/log/tor/*" then permit
    638 # Time 
    639         native-gettimeofday: permit
    640 # User ID and group ID.  Change these as needed.
    641         native-getuid: permit
    642         native-setgid: gid eq "1001" then permit
    643         native-setuid: uid eq "1001" and uname eq "_tor" then permit
    644 # Resource limits
    645         native-getrlimit: permit
    646         native-setrlimit: permit
    647 # Process
    648         native-exit: permit
    649         native-fork: permit
    650         native-pipe: permit
    651 # Permission bits
    652         native-getpid: permit
    653         native-geteuid: permit
    654         native-issetugid: permit
    655         native-setsid: permit
    656 # Signals
    657         native-sigaction: permit
    658         native-sigprocmask: permit
    659         native-sigreturn: permit
    660 # File writes
    661         native-fswrite: filename match "/<non-existent filename>: *" then deny
    662         native-fswrite: filename eq "/dev/crypto" then permit
    663         native-fswrite: filename eq "/dev/null" then permit
    664         native-fswrite: filename match "/var/log/tor/*" then permit
    665         native-fswrite: filename match "/var/lib/tor/*" then permit
    666         native-rename: filename match "/var/lib/tor/cached-directory*" and filename[1] match "/var/lib/tor/cached-directory*" then permit
    667 # Networking
    668         native-bind: sockaddr eq "inet-[127.0.0.1]:9050" then permit
    669         native-socket: sockdom eq "AF_INET" and socktype eq "SOCK_STREAM" then permit
    670         native-socket: sockdom eq "AF_UNIX" and socktype eq "SOCK_DGRAM" then permit
    671         native-setsockopt: permit
    672         native-listen: permit
    673         native-poll: permit
    674         native-getsockopt: permit
    675         native-accept: permit
    676         native-recvfrom: permit
    677         native-sendto: true then permit
    678 # Without socketpair, you cannot access Tor hidden services.
    679         native-socketpair: permit
    680 # List of ports to connect to.  These are needed for the server list and potentially
    681 # using a tor server.
    682         native-connect: sockaddr match "inet-*:80" then permit
    683         native-connect: sockaddr match "inet-*:443" then permit
    684 # Typically, tor servers are in the range of 8,000 - 10,000.  This below lets tor
    685 # connect to any unpriv port.
    686 # Match ports 1024 through 1999
    687         native-connect: sockaddr re "inet-.*:102[4-9]$" then permit
    688         native-connect: sockaddr re "inet-.*:10[3-9][0-9]$" then permit
    689         native-connect: sockaddr re "inet-.*:1[1-9][0-9]{2}$" then permit
    690 # Match 2000 - 9999
    691         native-connect: sockaddr re "inet-.*:[2-9][0-9]{3}$" then permit
    692 # Match ports 10000 - 65535
    693         native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit
    694 
    695 }}}
    696 
    697 `/root/.systrace/usr_sbin_chroot` contains:
    698 {{{
    699 Policy: /usr/sbin/chroot, Emulation: native
    700         native-__sysctl: permit
    701         native-fsread: filename eq "/etc/malloc.conf" then permit
    702         native-issetugid: permit
    703         native-mmap: permit
    704         native-break: permit
    705         native-mprotect: permit
    706         native-fsread: filename eq "/etc/spwd.db" then permit
    707         native-fcntl: permit
    708         native-fstat: permit
    709         native-read: permit
    710         native-pread: permit
    711         native-close: permit
    712         native-fsread: filename eq "/etc/group" then permit
    713         native-setgid: gid eq "1001" then permit
    714         native-setgroups: permit
    715         native-chroot: filename eq "/home/chrooted/tor" then permit
    716         native-chdir: filename eq "/" then permit
    717         native-getsid: permit
    718         native-getpid: permit
    719         native-setsid: permit
    720         native-setuid: uid eq "1001" and uname eq "_tor" then permit
    721         native-execve: filename eq "/bin/tor" and argv eq "/bin/tor -f /etc/tor/torrc" then permit
    722 }}}
    723 
    724 === Executing with the policy ===
    725 
    726 Since these policies are specific to the chrooted tor, you could put them into
    727 `/home/chrooted/policies` and then execute systrace with `-d`.
    728 That way your root user does not have these chroot specific policies for it:
    729 
    730 Note: I use `/home/chrooted/tor/etc/tor/systrace` instead of `/home/chrooted/tor/etc/systrace` which
    731 would mirror the system version.  I did this because the Tor version will be readable by `_tor` where as
    732 the system version is not.
    733 
    734 {{{
    735 su - root
    736 ksh
    737 
    738 # Copy the files over
    739 mkdir -p /home/chrooted/tor/etc/tor/systrace/
    740 chmod 0755 /home/chrooted/tor/etc/tor/systrace/
    741 cp /root/.systrace/{bin_tor,usr_sbin_chroot} /home/chrooted/tor/etc/tor/systrace/
    742 
    743 # Allow _tor to read it since systrace will be running as that user.
    744 chmod 0444 /home/chrooted/tor/etc/tor/systrace/*
    745 }}}
    746 
    747 Now you can execute systrace like this:
    748 {{{
    749 /bin/systrace -a -d /home/chrooted/tor/etc/tor/systrace /usr/sbin/chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
    750 }}}
    751 
    752 And `systrace` will watch system calls that both `/usr/sbin/chroot` and `/home/chrooted/tor/bin/tor` make.
    753 
    754 You will want to replace the above section for `/etc/rc.local` with this new one:
    755 
    756 {{{
    757 if [ -x /home/chrooted/tor/bin/tor -a -f /home/chrooted/tor/etc/tor/systrace/bin_tor -a -f /home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot ]; then
    758      echo -n 'tor: ';
    759      /bin/systrace -a -d /home/chrooted/tor/etc/tor/systrace /usr/sbin/chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
    760 else
    761      echo 'Incorrect setup for Tor!';
    762 fi
    763 }}}
    764 
    765 == XXX Work in Progress -- Using a chrooted systrace with a chrooted Tor client ==
    766 
    767 The above systrace version works.  This version below does '''NOT''' work yet.
    768 Systrace complains about /dev/null not existing and Tor shuts down because of it.
    769 
    770 Someone who has time to debug this, please do.
    771 
    772 A big disadvantage to the above command is that `systrace` must run as root in order for the chroot command to work.
    773 
    774 A better way would be to do the following:
    775 
    776  * chroot to /home/chrooted/tor
    777  * call systrace on Tor
    778 
    779 That way systrace will be running as `_tor:_tor` instead of `root:wheel`.
    780 
    781 It also allows you to run `systrace` as `_tor:_tor` even while creating the policy file.  For that, you will have to use -d so
    782 that systrace writes the files into the correct spot.
    783 
    784 === Chrooting systrace ===
    785 
    786 Systrace is statically linked so it's just a simple matter of copying it to the right location along
    787 with its device and config file:
    788 
    789 {{{
    790 su - root
    791 ksh
    792 
    793 # Copy the executable
    794 cp /bin/systrace /home/chrooted/tor/bin/
    795 
    796 # Create the device
    797 cd /home/chrooted/tor/dev
    798 sh /dev/MAKEDEV systrace
    799 }}}
    800 
    801 === Executing the chrooted systrace with chrooted Tor ===
    802 
    803 The only thing left is to tell `systrace` where the policy files are relative to the chroot.
    804 
    805 {{{
    806 if [ -x /home/chrooted/tor/bin/tor -a -f /home/chrooted/tor/etc/tor/systrace/bin_tor -a -f /home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot ]; then
    807      echo -n 'tor: ';
    808      /usr/sbin/chroot -u _tor -g _tor /home/chrooted/tor /bin/systrace -a -d /etc/tor/systrace /bin/tor -f /etc/tor/torrc
    809 else
    810      echo 'Incorrect setup for Tor!';
    811 fi
    812 }}}
    813 
    814 
    815411-- tyranix is at gmail
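Review bot: This hunk removes the entire systrace section (v9 lines 557-814), including the working policies and the unfinished chrooted-systrace variant, so the page is left with the chroot as its only confinement of the Tor process; the introductory text removed at the top of this diff promised systrace instructions, so the two removals are at least consistent, but the change comment is empty and should say that the systrace material was withdrawn deliberately. If it is restored later, the `native-fsread` entries for `/usr/lib` and `/usr/lib/lib*.so*` (v9 lines 627-631) are only needed for the dynamically linked build, and the `native-connect` rules at lines 687-693 let the client reach any port from 1024 upwards; both deserve a sentence of explanation next to the policy.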