FS#76545 - [tor] config changes needed for control socket access by external apps like nyx

Attached to Project: Community Packages
Opened by Tripple Moon (TriMoon) - Sunday, 13 November 2022, 09:04 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:09 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Lukas Fleischer (lfleischer), Levente Polyak (anthraxx), kpcyrd (kpcyrd)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

For a full description and fixes please see
https://forum.manjaro.org/t/tor-config-changes-needed-for-control-socket-access-by-external-apps-like-nyx/126435

TL;DR:
- Additions needed in `tor.service`:
```
[Service]
User=tor
Group=tor
RuntimeDirectory=tor
```

- Changes needed in `/etc/tor/torrc`
1. Comment out the line that says `User tor` at top, because Tor will barf otherwise. (or just remove it entirely)
(Tor is already started as user `tor` by systemd in this case, so Tor can’t change its UID/GUID again :wink:)

2. To make adjustments by the admin easier:
You should un-comment the last line in `/etc/tor/torrc` that says `%include /etc/torrc.d/*.conf` so it reads extra config snippets placed by the admin by default.

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:09 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/tor/issues/2
Comment by Tripple Moon (TriMoon) - Sunday, 13 November 2022, 09:21 GMT
Seems the default template for bug reports via https://archlinux.org/packages/community/x86_64/tor/ uses 'Category: Packages' instead, so maybe the category of this report should be changed?
I re-created the report (https://bugs.archlinux.org/task/76546) using the link on that package page instead, so closing this one..
Comment by Toolybird (Toolybird) - Sunday, 13 November 2022, 22:16 GMT
This is already covered in the wiki [1]. Not sure it's worth implementing in the pkg itself..

[1] https://wiki.archlinux.org/title/Tor#Open_Tor_ControlSocket
Comment by Tripple Moon (TriMoon) - Tuesday, 15 November 2022, 08:42 GMT
That is nonsense because this addresses a systemd-unit file and NOT the torrc file.
Yes it needs 1(one) line commented out of the torrc, but that's to allow the unit file version to work as expected...

To be clear:
That wiki-page documents how to configure tor to use a control socket,
Whereas this configures systemd, to start tor as a user (tor:tor) instead of (root:root), plus create /run/tor which is only available while the service is active...

And allows to use this in torrc or its snippets:
```
# Control port/socket
#ControlPort 9051
#ControlSocket /var/run/tor/control WorldWritable RelaxDirModeCheck
ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
CookieAuthentication 1
CookieAuthFile /var/run/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
```

With that and the requested changes applied, you can connect to its control socket using e.g. `sudo -g tor nyx`

NOTE: This secures tor more because it doesn't run as ROOT anymore...
For those that are concerned with the hard-coded User/Group in the service file, don't be because you can override those using drop-ins as usual for systemd :)
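
An added example, not part of the thread or of the tor package: a small Python audit of torrc text for the control-socket options quoted above, assuming the systemd unit already sets `User=tor`. The finding names and both sample configs are constructed for illustration.

```python
# Added example: finding names and sample configs below are constructed.
def parse_torrc(text):
    """Map lowercased option name -> list of values; comments are dropped."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts or parts[0].startswith("%"):  # skip blanks and %include
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def audit_torrc(text, unit_sets_user=True):
    """Return findings for a torrc paired with a unit that sets User=tor."""
    opts = parse_torrc(text)
    findings = []
    # Per the report, a torrc `User` line breaks startup once the unit
    # itself starts Tor as an unprivileged user.
    if unit_sets_user and "user" in opts:
        findings.append("user-directive-with-unit-user")
    flags = set()
    for value in opts.get("controlsocket", []):
        flags.update(f.lower() for f in value.split()[1:])  # flags follow the path
    if "worldwritable" in flags:
        findings.append("control-socket-world-writable")
    port_on = any(v != "0" for v in opts.get("controlport", []))
    has_control = "controlsocket" in opts or port_on
    cookie = opts.get("cookieauthentication", ["0"])[-1] == "1"
    if has_control and not (cookie or "hashedcontrolpassword" in opts):
        findings.append("control-interface-unauthenticated")
    group_readable = opts.get("cookieauthfilegroupreadable", ["0"])[-1] == "1"
    # GroupWritable socket is of little use if the group cannot read the cookie.
    if cookie and "groupwritable" in flags and not group_readable:
        findings.append("cookie-not-group-readable")
    return findings

WEAK = """User tor
ControlSocket /var/run/tor/control WorldWritable RelaxDirModeCheck
"""
HARDENED = """#ControlPort 9051
ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
CookieAuthentication 1
CookieAuthFile /var/run/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_torrc(cfg))
```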
