FS#76545 - [tor] config changes needed for control socket access by external apps like nyx
Attached to Project:
Community Packages
Opened by Tripple Moon (TriMoon) - Sunday, 13 November 2022, 09:04 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:09 GMT
Details
Description:
For a full description and fixes please see https://forum.manjaro.org/t/tor-config-changes-needed-for-control-socket-access-by-external-apps-like-nyx/126435

TL;DR:

- Additions needed in `tor.service`:

```
[Service]
User=tor
Group=tor
RuntimeDirectory=tor
```

- Changes needed in `/etc/tor/torrc`

1. Comment out the line that says `User tor` at top, because Tor will barf otherwise (or just remove it entirely). (Tor is already started as user `tor` by systemd in this case, so Tor can't change its UID/GUID again :wink:)
2. To make adjustments by the admin easier: You should un-comment the last line in `/etc/tor/torrc` that says `%include /etc/torrc.d/*.conf` so it reads extra config snippets placed by the admin by default.
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:09 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/packaging/packages/tor/issues/2
I re-created the report (https://bugs.archlinux.org/task/76546) using the link on that package page instead, so closing this one..
[1] https://wiki.archlinux.org/title/Tor#Open_Tor_ControlSocket
Yes it needs 1(one) line commented out of the torrc, but that's to allow the unit file version to work as expected...
To be clear:
That wiki page documents how to configure tor to use a control socket,
whereas this configures systemd to start tor as a user (tor:tor) instead of (root:root), plus create /run/tor, which is only available while the service is active...
And allows you to use this in torrc or its snippets:
```
# Control port/socket
#ControlPort 9051
#ControlSocket /var/run/tor/control WorldWritable RelaxDirModeCheck
ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
CookieAuthentication 1
CookieAuthFile /var/run/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
```
With that and the requested changes applied, you can connect to its control socket using e.g. `sudo -g tor nyx`
NOTE: This secures tor more because it doesn't run as ROOT anymore...
For those that are concerned with the hard-coded User/Group in the service file, don't be, because you can override those using drop-ins as usual for systemd :)
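
An added example, not part of the original report or the tor package: a small audit of the control-socket settings discussed in this report, run over two constructed torrc samples. The function names, finding codes and the simplified parser (a `#` starts a comment, option names compared case-insensitively) are assumptions of this example; `HashedControlPassword` is Tor's password-based alternative to cookie authentication and is not mentioned in the report.

```python
# Added example: audit the control-socket part of a torrc (simplified parser).
SAMPLE_GOOD = """\
# constructed sample, using the settings quoted in the comment above
ControlSocket /var/run/tor/control GroupWritable RelaxDirModeCheck
CookieAuthentication 1
CookieAuthFile /var/run/tor/control_auth_cookie
CookieAuthFileGroupReadable 1
"""
SAMPLE_BAD = """\
# constructed sample: User left in torrc, world-writable socket, no auth
User tor
ControlSocket /var/run/tor/control WorldWritable RelaxDirModeCheck
"""

def parse(text):
    """Map lower-cased option name -> list of values; %include lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and not parts[0].startswith("%"):
            opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return opts

def audit(text, unit_sets_user=True):
    """Return finding codes. unit_sets_user: tor.service has User=tor/Group=tor."""
    opts, found = parse(text), []
    last = lambda name: (opts.get(name) or ["0"])[-1].strip()
    if unit_sets_user and "user" in opts:
        found.append("user-set-twice")            # tor cannot change its UID again
    flags = {f.lower() for v in opts.get("controlsocket", []) for f in v.split()[1:]}
    if "worldwritable" in flags:
        found.append("socket-world-writable")     # writable by every local user
    elif opts.get("controlsocket") and "groupwritable" not in flags:
        found.append("socket-owner-only")         # group tor cannot connect
    cookie = last("cookieauthentication") == "1"
    if ("controlsocket" in opts or "controlport" in opts) and not cookie \
            and "hashedcontrolpassword" not in opts:
        found.append("control-unauthenticated")   # no cookie or password auth
    if cookie and "groupwritable" in flags and last("cookieauthfilegroupreadable") != "1":
        found.append("cookie-not-group-readable") # group can connect, not authenticate
    return found

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(text) or "ok")
```

Pass `unit_sets_user=False` when auditing a setup where the service file does not set `User=`/`Group=` and tor drops privileges itself.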