wiki:doc/OpenbsdChrootedTor

Version 22 (modified by trac, 10 years ago)

Copyright (c) 2005 tyranix
Distributed under the MIT license; see ./LegalStuff for the full text.

Assumptions

  • You are installing Tor 0.0.9.4
  • You are running OpenBSD 3.6
  • You want to install the files to run into /home/chrooted/tor
  • You do not want syslog entries from tor messages because if Tor misbehaves, you want it to affect the system as little as possible
  • You will use ksh as the shell for both your user account and root in these examples (nothing permanent).
  • You have a normal user who will do the build process called youruser who belongs to yourgroup.

Make adjustments accordingly if your setup differs.

These instructions are based on http://pestilenz.org/~bauerm/tor-openbsd-howto.html with some needed changes. It also includes a few parts from TorInChroot. The rest is new.

This tutorial is set up so that the root and non-root commands are clearly identified. It does as much as possible in non-root mode.


Commands as root or sudo

Create initial chroot area

I use "/home/chrooted" so other applications can be located in subdirectories. I set up the directory for a normal user to install into: there could easily be an exploit in the Makefile, so I don't build anything as root. We will fix the permissions later.

su - root
ksh
mkdir -p /home/chrooted/tor/{dev,etc,var/lib/tor,var/log/tor}
chmod -R 0700 /home/chrooted
chown -R youruser:yourgroup /home/chrooted

Optional: Turn on encrypted swap

Encrypting pages that go to swap is very easy in OpenBSD. Simply edit /etc/sysctl.conf and uncomment this line

#vm.swapencrypt.enable=1        # 1=Encrypt pages that go to swap.

and it will take effect the next time you reboot.

Or you can enable it interactively with sysctl -w vm.swapencrypt.enable=1

Install other needed packages

From the ports system

Install gpg which is necessary so you can verify the Tor package signature. Install gmake which is necessary for the Tor compilation. Install privoxy which is needed to clean HTTP traffic. Install dante to access IRC with irssi (use anywhere you would use tsocks).

cd /usr/ports/security/gpg && make install
cd /usr/ports/devel/gmake && make install
cd /usr/ports/net/privoxy && make install
cd /usr/ports/security/dante && make install

Or from the FTP pre-built packages

Or install the packages from the FTP site. These are the current versions; you may want to log in to the FTP site and verify that they are the latest. Also note that the ports system may have updated versions that are not built into packages yet. You'll also need the dependencies of these packages.

pkg_add -v ftp://ftp.openbsd.org/pub/OpenBSD/3.6/packages/i386/ \
           {gmake-3.80,gnupg-1.2.2p1,privoxy-3.0.3,dante-1.1.14}.tgz

Add a _tor user to chroot to

Note: Do NOT use -L daemon because that login class is meant for root only! Despite the misleading name, it grants more freedom than you want this user to have.

This will be entered into the system database. We will later make a copy for the chrooted version.

groupadd _tor
useradd -g _tor -d /nonexistent -c "tor anonymizer" -s /sbin/nologin _tor

Create a virtual filesystem for devices

Note: This part is from the TorInChroot wiki page.

This creates a small virtual file system for the device nodes so that you do not have to change the mount options of your "/home" partition (it is normally mounted nodev, which would make device nodes created directly under it unusable).

cd /home/chrooted/tor
dd if=/dev/zero of=devfs bs=1024 count=256
vnconfig -c -v /dev/svnd0c devfs
newfs /dev/svnd0c
mount /dev/svnd0c /home/chrooted/tor/dev

You can later release this device with umount /home/chrooted/tor/dev followed by vnconfig -u /dev/svnd0c. You can double-check that it is gone with vnconfig -l.

Add necessary devices

You want to have "*random", "stdin", "stdout", "stderr", "null", and "zero". You should remove all others.

cd /home/chrooted/tor/dev
sh /dev/MAKEDEV random
sh /dev/MAKEDEV std
rm console drum klog kmem ksyms mem tty xf86

Commands as a normal user

Create temporary build space

For all commands, you should use ksh. These examples assume that your username is youruser.

su - youruser
ksh
mkdir /home/youruser/tmp
cd /home/youruser/tmp

Download the source code and GPG signature

wget http://tor.eff.org/dist/tor-0.0.9.4.tar.gz{.asc,}

Verify the file

gpg --verify tor-0.0.9.4.tar.gz{.asc,}

If you cannot verify it

If this reports "Can't check signature: public key not found" then you need to get the key from a keyserver. This makes an outgoing connection to port 11371, so make sure your firewall is set up properly.

gpg --keyserver pgp.mit.edu --search-keys 0x28988BF5

This should present you with a list of keys. In this case there is only one, from the developer Roger Dingledine. Enter '1' when the list appears and it will download the key into your keyring.

Retry verifying it

Now you can verify the download. If all is well, it will say Good signature from ...

gpg --verify tor-0.0.9.4.tar.gz{.asc,}

Compiling and installing Tor

Build the executable

Tell configure that you will install it in /. You will actually install the files into /home/chrooted/tor but Tor uses this prefix internally. If you said the prefix is /tor, then it will look for /tor/etc/tor/torrc and so on.

Also, build a static binary so we don't have to copy dynamic libraries to the chrooted area.

tar -zxvf tor-0.0.9.4.tar.gz
cd tor-0.0.9.4
env CFLAGS=-static ./configure --prefix=/

Install it into /home/chrooted/tor

Build and install it into /home/chrooted/tor. If you forget DESTDIR, then it will fail to install because the prefix is set to '/'. This is good because if you were using sudo/root and forgot it, it would install in the system "/etc", "/var" and so on.

gmake DESTDIR=/home/chrooted/tor install

Create password databases for chroot

Make a copy of "master.passwd" for tor. Use this method instead of becoming root and copying parts of the system file by hand; that way you avoid costly mistakes with your system's version. The most a normal user can do here is copy the public passwd entry.

The "master.passwd" file has extra fields (login class, password change time, and account expiration time) that we need to insert into the line.

NOTE: This only works because you are not adding a user with a password. If you have a user with a password, the sed expression is not enough. The master.passwd will contain the encrypted version of the password. However, when there is no password, a "*" is in both passwd and master.passwd.

Create the template master.passwd file

cd /home/chrooted/tor/etc
grep "^_tor:" /etc/passwd | sed -e 's/:tor/::0:0:tor/' > newpasswd

Create the password files (master.passwd, passwd, and dbs)

This will create master.passwd, spwd.db, pwd.db, and passwd from newpasswd. The existing file newpasswd will be renamed to master.passwd. The fields we added with the above sed line will be removed so passwd is a 6th edition style password database.

pwd_mkdb -p -d /home/chrooted/tor/etc newpasswd

Create a group file

Copy over the _tor group from the system's group file

grep "^_tor:" /etc/group > group
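The same transformation as the grep/sed line above, written as an added example (not from the original page): a shell function that inserts the three extra master.passwd fields by position rather than by matching the text ":tor", so it also works when the GECOS field does not start with "tor", plus helpers that pull the passwd and group entries for a named user. The password field is checked for "*" so a hash is never copied on systems whose passwd file is not shadowed; on OpenBSD passwd always shows "*", so the note above still applies and you must be sure the account has no password. The sample passwd and group files are constructed here and use made-up uid/gid values.

```sh
#!/bin/sh
# Added example: build chroot passwd/group template lines from system files.

# Convert one 7-field passwd(5) line into the 10-field master.passwd(5) layout:
#   name:password:uid:gid:gecos:home:shell
#   -> name:password:uid:gid:class:change:expire:gecos:home:shell
# Login class is left empty and change/expire are 0, exactly as the sed line
# in the text does. Exit status: 0 ok, 2 wrong field count, 3 the password
# field is not "*" (a real hash would need to come from master.passwd).
passwd_to_master() {
    printf '%s\n' "$1" | awk -F: -v OFS=: '
        NF != 7   { exit 2 }
        $2 != "*" { exit 3 }
        { print $1, $2, $3, $4, "", "0", "0", $5, $6, $7 }'
}

# Extract the line for user $1 from the passwd file $2 (default /etc/passwd)
# and convert it; fails if the user is not present.
chroot_passwd_entry() {
    line=$(grep "^$1:" "${2:-/etc/passwd}") || return 1
    passwd_to_master "$line"
}

# Extract the group line for $1 from $2 (default /etc/group). The group file
# has the same layout inside and outside the chroot, so it is copied as is.
chroot_group_entry() {
    grep "^$1:" "${2:-/etc/group}"
}

# Demo on a constructed passwd/group pair (not real system files).
demo_passwd=$(mktemp)
demo_group=$(mktemp)
cat > "$demo_passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
_tor:*:1001:1001:tor anonymizer:/nonexistent:/sbin/nologin
EOF
cat > "$demo_group" <<'EOF'
wheel:*:0:root
_tor:*:1001:
EOF
chroot_passwd_entry _tor "$demo_passwd"   # -> _tor:*:1001:1001::0:0:tor anonymizer:/nonexistent:/sbin/nologin
chroot_group_entry _tor "$demo_group"     # -> _tor:*:1001:
rm -f "$demo_passwd" "$demo_group"
```

In the procedure above, `chroot_passwd_entry _tor > newpasswd` and `chroot_group_entry _tor > group` from /home/chrooted/tor/etc replace the two grep lines; pwd_mkdb is then run on newpasswd exactly as described.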

Create a Tor config

Copy the sample to create a real config. Add lines that represent this setup.

cp tor/torrc.sample tor/torrc
cat <<EOF>> tor/torrc
User _tor
Group _tor
RunAsDaemon 1
EOF

Copy other network files

Copy network files that are useful. Note: localtime is a symlink so we should copy what it points to with "-H".

cp -H /etc/{resolv.conf,hosts,localtime} /home/chrooted/tor/etc/
chmod 744 /home/chrooted/tor/etc/{resolv.conf,hosts}

More commands as root

Fix permissions

You may have noticed errors from the commands above because we ran them as a normal user. As root or with sudo, now set the proper permissions: make the chrooted area owned by root except for the few locations tor needs to write to.

NOTE: I use full paths here because you are root/sudo and a typo is costly: if I wrote chown ... var, you might misread it as chown ... /var.

su - root
ksh
cd /home/chrooted/tor
chown -R root:wheel /home/chrooted/tor
chown root:_shadow /home/chrooted/tor/etc/spwd.db
chmod 0755 /home/chrooted/tor/{dev,etc,var} /home/chrooted/tor/var/{lib,log}

Don't allow anyone but root into "/home/chrooted"

chown root:wheel /home/chrooted
chmod 0700 /home/chrooted

But allow "_tor" when it is in a chroot environment.

chmod 0755 /home/chrooted/tor

A select few files and directories must be writable by the "_tor" user.

chown -R _tor:_tor /home/chrooted/tor/var/{log,lib}/tor
touch /home/chrooted/tor/etc/tor/dirservers
chown _tor:_tor /home/chrooted/tor/etc/tor/dirservers

Start Tor

Start tor to see if it works

chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc

If Tor fails

If you get permission denied, make sure that the entire search path is readable by the user from /home/chrooted/tor up to the filename.
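To find which component is the problem instead of guessing, here is an added example (not from the original page) that walks a path from the chroot directory down to the file and reports the first directory the "_tor" user cannot search or the file it cannot read. It assumes the layout built above: the tree is owned by root:wheel and the Tor account owns only its own files and is in no group that appears on the tree, so for root-owned entries the "other" permission bits decide and for entries the user owns the owner bits decide. The demo tree it builds is constructed in a temporary directory as a stand-in for /home/chrooted/tor.

```sh
#!/bin/sh
# Added example: locate the component of a chroot path that blocks a user.

# Print the ls(1) mode string and owner name of one path.
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_chroot_path CHROOT_DIR /path/inside/chroot USER
# Checks CHROOT_DIR itself and then every component below it. Directories
# must be searchable (x) and the final entry readable (r) by USER. Prints the
# first offending component and returns 1; returns 0 if everything passes.
check_chroot_path() {
    cur=$1; rest=${2#/}; user=$3
    while :; do
        if [ ! -e "$cur" ]; then
            echo "$cur: does not exist"; return 1
        fi
        set -- $(mode_and_owner "$cur")
        mode=$1; owner=$2
        if [ -d "$cur" ]; then
            want=x; opos=4; ppos=10     # execute bit: column 4 (owner), 10 (other)
        else
            want=r; opos=2; ppos=8      # read bit: column 2 (owner), 8 (other)
        fi
        if [ "$owner" = "$user" ]; then pos=$opos; else pos=$ppos; fi
        bit=$(printf '%s' "$mode" | cut -c"$pos")
        case "$want$bit" in
            xx|xs|xt|rr) ;;             # s and t still imply the execute bit is set
            *) echo "$cur: '$want' bit missing for $user (mode $mode, owner $owner)"
               return 1 ;;
        esac
        [ -n "$rest" ] || return 0
        case $rest in
            */*) comp=${rest%%/*}; rest=${rest#*/} ;;
            *)   comp=$rest; rest= ;;
        esac
        cur=$cur/$comp
    done
}

# Demo on a constructed tree (stand-in for /home/chrooted/tor).
demo=$(mktemp -d)
mkdir -p "$demo/tor/etc/tor"
printf 'User _tor\n' > "$demo/tor/etc/tor/torrc"
chmod 755 "$demo/tor" "$demo/tor/etc" "$demo/tor/etc/tor"
chmod 644 "$demo/tor/etc/tor/torrc"
check_chroot_path "$demo/tor" /etc/tor/torrc _tor && echo "ok: torrc reachable by _tor"
chmod 700 "$demo/tor/etc"   # the classic mistake: a directory only root can enter
check_chroot_path "$demo/tor" /etc/tor/torrc _tor || echo "a component blocks _tor, as expected"
rm -rf "$demo"
```

On the real system, run it as `check_chroot_path /home/chrooted/tor /etc/tor/torrc _tor` and again for /bin/tor and /var/lib/tor; the group bits are deliberately ignored, so if you ever add _tor to a group that owns part of the tree the check is stricter than the kernel.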

Configure Privoxy

Configure privoxy to forward everything through tor:

vi /etc/privoxy/config

search for the socks4a-forward section and add

forward-socks4a / localhost:9050 .

Start Privoxy

Start privoxy

/usr/local/sbin/privoxy

Configure Lynx or other web browser

Configure your browser to use http://localhost:8118/ as proxy for everything. For lynx, it's sufficient to set

export http_proxy="http://127.0.0.1:8118/"

Test out your configuration

You should be able to go to http://www.junkbuster.com/cgi-bin/privacy and your IP will be different from the one you normally see.

export http_proxy=http://127.0.0.1:8118/
lynx http://www.junkbuster.com/cgi-bin/privacy

Edit your dante config

tsocks is a popular recommendation for Tor users but it doesn't compile cleanly for OpenBSD users. It's not in the ports but it is simple to compile after a few changes (mostly changing function prototypes and removing the dependency on libdl).

Instead of going through that, you can use dante. Since dante is in the ports tree, it is very easy to set up. Here is a config to let you use Tor from irssi:

route {
        from: 0.0.0.0/0   to: 0.0.0.0/0  via: 127.0.0.1  port = 9050
        proxyprotocol: socks_v4
}

Now you can execute:

socksify irssi

This is strictly for client connections. Although there is a dante server, I am not using it. Dante's client just sends requests to Tor.

Optional: Edit your privoxy config again

As you will note, your user agent is not changed. Here is a quick and easy way to tell privoxy to munge some of your headers.

cat <<EOF>> /etc/privoxy/user.action
{ +hide-referrer{block} +hide-forwarded-for-headers +hide-user-agent{Faked} }
/
EOF

The items enclosed in { ... } define an action and the second line defines where it applies. A "/" means for all sites.

Edit /etc/rc.local to start both at boot

If it works, add startup code to /etc/rc.local. Tor should start first because privoxy will forward to it:

if [ -f /home/chrooted/tor/devfs -a -b /dev/svnd0c ]; then
     echo -n 'tordevfs: ';
     vnconfig -c -v /dev/svnd0c /home/chrooted/tor/devfs
     mount /dev/svnd0c /home/chrooted/tor/dev
fi

if [ -x /home/chrooted/tor/bin/tor ]; then
     echo -n 'tor: ';
     chroot -u _tor -g _tor /home/chrooted/tor /bin/tor -f /etc/tor/torrc
fi

if [ -x /usr/local/sbin/privoxy ]; then
    echo -n 'privoxy: ';
    /usr/local/sbin/privoxy --user _privoxy._privoxy /etc/privoxy/config
fi

-- tyranix is at gmail