wiki:doc/TorInChroot

Version 68 (modified by trac, 10 years ago)


This document describes setting up Tor in a Linux chroot environment. It has been tested with:

but should work on any Linux distribution.

It explains the compilation, installation and configuration of Tor on a Linux system. The result is a Tor installation that runs in a chroot environment as the dedicated user tor. The home directory of this user will be /home/tor and the chroot environment will live in /home/tor/chroot. Tor itself will be installed into /home/tor/chroot/tor and its configuration file will be /home/tor/chroot/tor/etc/tor/torrc.

A Tor installed this way can work as a Tor client and/or as a server (relay).

= Installation =

First you need to get a copy of the latest Tor source tarball and its signature, verify the signature and unpack the tarball:
{{{
wget http://www.torproject.org/dist/tor-0.2.0.34.tar.gz.asc
wget http://www.torproject.org/dist/tor-0.2.0.34.tar.gz
gpg --verify tor-0.2.0.34.tar.gz.asc tor-0.2.0.34.tar.gz
tar -xzvf tor-0.2.0.34.tar.gz
}}}

Now configure and compile it. The prefix /tor is the path Tor will see from inside the chroot:
{{{
cd tor-0.2.0.34
./configure --prefix=/tor
make
}}}

Next, create a dedicated user which will later run the tor process. On Debian or Debian-based distributions you can create the user with:
{{{
sudo adduser --disabled-login --gecos "Tor user,,," tor
}}}
On other distributions with different adduser implementations the command above may fail. If so, consult the man page of your adduser command or use the low-level useradd command to create the user:
{{{
sudo useradd -d /home/tor -s /bin/false tor
}}}

After that, install the compiled Tor into the chroot directory:
{{{
TORCHROOT=/home/tor/chroot
sudo mkdir -p $TORCHROOT
sudo make install prefix=$TORCHROOT/tor exec_prefix=$TORCHROOT/tor
}}}

= Chroot-Setup =

== Shared libraries ==

We need to copy all libraries which tor needs into the chroot environment. Tor needs libevent, which may be available in your distribution as the packages libevent1 and libevent-dev, or just libevent. If it is not available for your distribution, compile it from source: http://www.monkey.org/~provos/libevent/ . Once libevent is installed, copy over the required libraries:
{{{
sudo mkdir $TORCHROOT/lib
sudo cp `ldd $TORCHROOT/tor/bin/tor | awk '{print $3}'|grep "^/"` $TORCHROOT/lib
sudo cp /lib/libnss* /lib/libnsl* /lib/ld-linux.so.2 /lib/libresolv* /usr/lib/libnss3.so /usr/lib/libgcc_s.so.* $TORCHROOT/lib
}}}
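As an added example (not part of the original wiki page), here is a small POSIX shell script that parses the ldd output properly: it also picks up the dynamic loader line, which the awk one-liner above skips because that line has no `=>`, and copies everything into the chroot. The function names are this example's own and the sample ldd output at the end is constructed.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: collect every shared
# object the tor binary needs, including the dynamic loader, from ldd output.
# ldd prints lines of three shapes:
#   libevent-1.4.so.2 => /usr/lib/libevent-1.4.so.2 (0x...)   resolved library
#   /lib/ld-linux.so.2 (0x...)                                the loader, no "=>"
#   linux-gate.so.1 =>  (0x...)                               vDSO, no file on disk
# The page's awk '{print $3}' one-liner keeps only the first shape, which is
# why the loader had to be copied by hand. Libraries that are dlopen()ed at
# run time (the libnss_* modules) never show up in ldd and still need the
# manual copy from the page.

# ldd_paths: read ldd output on stdin, print one absolute path per line
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\//                { print $1 }'
}

# install_libs CHROOT: copy the paths named in ldd output (stdin) into CHROOT.
# Ordinary libraries go flat into CHROOT/lib as on the page; the loader must
# sit at the exact path recorded in the binary (e.g. /lib/ld-linux.so.2 on
# i686, /lib64/ld-linux-x86-64.so.2 on x86_64), so its directory is preserved.
install_libs() {
    chroot_dir=$1
    mkdir -p "$chroot_dir/lib"
    ldd_paths | while read -r lib; do
        case $lib in
            */ld-*.so*) mkdir -p "$chroot_dir$(dirname "$lib")"
                        cp "$lib" "$chroot_dir$lib" ;;
            *)          cp "$lib" "$chroot_dir/lib/" ;;
        esac
    done
}

# copy_libs CHROOT BINARY, e.g. copy_libs /home/tor/chroot /home/tor/chroot/tor/bin/tor
copy_libs() {
    ldd "$2" | install_libs "$1"
}

# Constructed sample ldd output (i686 layout) for a self-check
sample_ldd='	linux-gate.so.1 =>  (0xb7fe4000)
	libevent-1.4.so.2 => /usr/lib/libevent-1.4.so.2 (0xb7fc6000)
	libc.so.6 => /lib/libc.so.6 (0xb7e7d000)
	/lib/ld-linux.so.2 (0xb7fe5000)'
```

Run `copy_libs` as root (or via sudo) since the chroot is owned by root; re-run it after every Tor upgrade, because a new build may link against additional libraries.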

== Device nodes ==

Tor needs access to /dev/random, /dev/urandom and, when run as a daemon, /dev/null, so you need to create these device nodes in the chroot environment:
{{{
sudo mkdir $TORCHROOT/dev
sudo mknod -m 644 $TORCHROOT/dev/random c 1 8
sudo mknod -m 644 $TORCHROOT/dev/urandom c 1 9
sudo mknod -m 666 $TORCHROOT/dev/null c 1 3
}}}

== Configuration files ==

Now copy the files Tor needs for user lookup (the tor entries of passwd and group), name resolution and the local time zone into the chroot environment:
{{{
sudo mkdir $TORCHROOT/etc
sudo sh -c "grep ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sudo sh -c "grep ^tor /etc/group > $TORCHROOT/etc/group"
sudo cp /etc/nsswitch.conf /etc/host.conf /etc/resolv.conf /etc/hosts $TORCHROOT/etc
sudo cp /etc/localtime $TORCHROOT/etc
}}}

== Tor-Configuration ==

Copy the sample Tor configuration to its place in the chroot:
{{{
sudo cp $TORCHROOT/tor/etc/tor/torrc.sample $TORCHROOT/tor/etc/tor/torrc
}}}

Since chroot has to be run as root, but Tor should not run as root, we configure Tor to drop its privileges after start. Adding the following line to the $TORCHROOT/tor/etc/tor/torrc file:
{{{
User tor
}}}
tells Tor to drop its privileges to the user named tor. We also have to set the data directory explicitly:
{{{
DataDirectory /var/lib/tor
}}}
and should configure the PID file and the log file:
{{{
PidFile /var/run/tor/tor.pid
Log notice file /var/log/tor/log
}}}
These paths are resolved inside the chroot, so the directories need to be created below $TORCHROOT and owned by the user who shall run Tor:
{{{
sudo mkdir -p $TORCHROOT/var/run/tor
sudo mkdir -p $TORCHROOT/var/lib/tor
sudo mkdir -p $TORCHROOT/var/log/tor
sudo chown tor:tor $TORCHROOT/var/run/tor
sudo chown tor:tor $TORCHROOT/var/lib/tor
sudo chown tor:tor $TORCHROOT/var/log/tor
}}}
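The following pre-flight check is an added example and not part of the original wiki page: it reads the torrc inside the chroot and verifies that the User, DataDirectory, PidFile and Log directives above point at directories that exist below $TORCHROOT and are owned by the configured user, which is exactly what goes wrong when a path is created on the host instead of in the chroot. The directive names are Tor's own; the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: a pre-flight check for
# the chrooted torrc. Every path in torrc (DataDirectory, PidFile, Log file)
# is resolved inside the chroot, so it must exist under $TORCHROOT and be
# owned by the user named in the User line. The directive names are Tor's;
# the helper function names below are this example's own.

# torrc_value FILE KEY: print the value of the first uncommented KEY line
torrc_value() {
    awk -v key="$2" '$1 == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# need_dir CHROOT DIR USER: DIR must exist below CHROOT and be owned by USER
need_dir() {
    [ -d "$1$2" ] || { echo "missing directory $1$2"; return 1; }
    owner=$(stat -c %U "$1$2")
    [ "$owner" = "$3" ] || { echo "$1$2 is owned by $owner, expected $3"; return 1; }
}

# check_chroot_torrc CHROOT: 0 if CHROOT/tor/etc/tor/torrc is usable inside
# the chroot, otherwise prints each problem and returns 1
check_chroot_torrc() {
    root=$1; torrc=$root/tor/etc/tor/torrc; rc=0
    user=$(torrc_value "$torrc" User)
    [ -n "$user" ] || { echo "torrc: no User line, Tor would keep running as root"; return 1; }
    data=$(torrc_value "$torrc" DataDirectory)
    pidfile=$(torrc_value "$torrc" PidFile)
    logfile=$(torrc_value "$torrc" Log | awk '$2 == "file" { print $3 }')
    for key in DataDirectory PidFile Log; do
        case $key in
            DataDirectory) dir=$data ;;
            PidFile)       dir=${pidfile:+$(dirname "$pidfile")} ;;
            Log)           dir=${logfile:+$(dirname "$logfile")} ;;
        esac
        if [ -z "$dir" ]; then
            echo "torrc: $key not set"; rc=1
        elif ! need_dir "$root" "$dir" "$user"; then
            rc=1
        fi
    done
    [ "$(torrc_value "$torrc" RunAsDaemon)" = 1 ] ||
        echo "note: RunAsDaemon is not 1; the init scripts below expect it"
    return $rc
}
```

Run it as `check_chroot_torrc /home/tor/chroot` before the first start; a non-zero exit lists every directory that still has to be created or chowned.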

= Testing =

You have now finished setting up a Tor installation in a chroot environment and can start that Tor instance with:
{{{
sudo chroot $TORCHROOT /tor/bin/tor
}}}
This should produce output like the following:
{{{
Apr 10 11:42:22.466 [notice] Tor v0.2.0.34 (r18423). This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Apr 10 11:42:22.477 [notice] Initialized libevent version 1.4.8-stable using method epoll. Good.
Apr 10 11:42:22.479 [notice] Opening Socks listener on 127.0.0.1:9050
}}}

You can stop it again by pressing CTRL+C. As a last piece of advice, you should add:
{{{
RunAsDaemon 1
}}}
to your Tor configuration. This is especially needed by some of the init scripts below.

You are now finished and can configure your tor-chroot installation in the file '''/home/tor/chroot/tor/etc/tor/torrc''', for example to set it up as a relay.

= Starting on boot =

This part is quite distribution specific, but modifications to the given init scripts should be applicable to other Linux distributions and *nix operating systems.

Here are init scripts which make it easy to start the tor-chroot installation on boot.

== Archlinux ==

Save the following init script in '''/etc/rc.d/''' under a name of your choice, e.g. ''tor-chroot''. After that you can start and stop tor with:
{{{
sudo /etc/rc.d/tor-chroot start|stop|restart
}}}

To make it start automatically at boot time, add tor-chroot to the DAEMONS list in your '''/etc/rc.conf'''.

__Init-Script__:
{{{
#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

TORCHROOT=/home/tor/chroot
# Relative to TORCHROOT:
TORPATH=/tor/bin/tor


PID=`pidof -o %PPID $TORPATH`
case "$1" in
	start)
		stat_busy "Starting Tor Daemon"
		[ -z "$PID" ] && /usr/sbin/chroot $TORCHROOT $TORPATH &>/dev/null
		if [ $? -gt 0 ]; then
			stat_fail
		else
			add_daemon tor
			stat_done
		fi
		;;
	stop)
		stat_busy "Stopping Tor Daemon"
		[ ! -z "$PID" ] && kill $PID &> /dev/null
		if [ $? -gt 0 ]; then
			stat_fail
		else
			rm_daemon tor
			stat_done
		fi
		;;
	restart)
		$0 stop
		sleep 3
		$0 start
		;;
	*)
		echo "usage: $0 {start|stop|restart}"
esac
exit 0
# vim: ft=sh ts=2 sw=2

}}}

== Debian ==
This downloads some modifications to Debian's official Tor init script and a small wrapper which performs the chroot. The scripts are not kept on the wiki so that they cannot be maliciously modified:
{{{
sudo wget -O /etc/init.d/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.init
sudo wget -O /etc/default/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.default
sudo wget -O $TORCHROOT/tor/bin/tor-chroot http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor-chroot
sudo chmod 755 /etc/init.d/tor /etc/default/tor $TORCHROOT/tor/bin/tor-chroot
}}}
After that you can start and stop tor with:
{{{
sudo /etc/init.d/tor start|stop|restart|reload|force-reload
}}}
Running `update-rc.d` will set up the start and stop links in the correct runlevel directories to make it autostart while booting:
{{{
sudo update-rc.d tor defaults 19
}}}

= Final Notes =
 * Presumably `torify` will be run outside of the chroot, but its config file location is set by `./configure` to be relative to the chroot. I can't think of any neat way to fix this.

 * The library situation is a bit fragile. There may be other libraries, like `libnss_compat`, which do not show up in `ldd` but are required. The above has been tested for running as client and server and should work for the given Tor version. Later Tor versions may need other files and libraries.

 * If you put shared libraries outside of `/lib` and `/usr/lib` you need to set `LD_LIBRARY_PATH`, but sudo drops the `LD*` environment variables for security reasons. If you want to put libraries in, say, `/tor/lib`, you need something like: `sudo su -c "export LD_LIBRARY_PATH=/tor/lib; chroot $TORCHROOT /tor/bin/tor"`

 * On http://northernsecurity.net/download/ you can find some ready-to-go scripts to install Tor in a chroot environment, which are reported to have been tested on Ubuntu Hardy.