Tor hidden service settings failing to allow tor.service to start on CentOS/Fedora
Solution 1
A few of the fixes that have been posted in answer to this question do work, but with variable rates of success.
One fix I have come across which works consistently is to load a few exceptions into SELinux.
Step 1
Create a tor-selinux-workaround.cil file with the following content:
(typeattributeset cil_gen_require tor_t)
(allow tor_t self (capability (dac_override dac_read_search)))
Step 2
Import that file into SELinux with the following command:
sudo semodule -i tor-selinux-workaround.cil
This should work flawlessly for up-to-date Fedora and CentOS systems.
More Info
For a more complete explanation, see my post here: https://alexhaydock.co.uk/tech/fix-tor-onion-services-on-centos-fedora
Solution 2
I just puzzled through this problem myself, no thanks to systemd's horrible lack of debugging ability.
It turns out that systemd was interfering in my case. It was allowing the toranon user to read /var/lib/tor/ but not its subdirectory /var/lib/tor/hidden_service on startup. Thus, if I started up tor as root using the same command it would work, but starting under systemd caused it to fail cryptically. The permissions on the directory were correct, which was all the more baffling.
The way I fixed the problem was to change my torrc file to write the hidden service files to a directory that systemd allowed the process to write. That is, you may be able to change your line from:
HiddenServiceDir /var/lib/tor/sshservice/
to
HiddenServiceDir /var/lib/tor/
and everything may finally work.
The other option would probably be to tell systemd to allow the process to read the subdirectory by changing the systemd configuration file for tor.service, likely in:
/usr/lib/systemd/system/tor.service
and changing the ReadWriteDirectories option to include the subdirectory you're creating, possibly by adding a line:
ReadWriteDirectories=/var/lib/tor/sshservice/
Or adding that path as a space-separated list to one of the existing entries in that file. (It already has two different ReadWriteDirectories lines but I'm not sure if the second one works as no logs are getting written.) According to the documentation for systemd, the entry should be a space-separated list of absolute paths like:
ReadWriteDirectories=/var/lib/tor /var/lib/tor/sshservice /var/log/tor
Although I haven't tried making this more obscure change, silently hoping that systemd will die in a fire so we don't have to maintain a third set of files and permissions.
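The second solution rests on a cross-check between two files: which HiddenServiceDir paths the torrc names, and which paths the unit's ReadWriteDirectories= entries (spread over several lines that systemd concatenates, as confirmed in the comments) actually list. The following is an added example, not code from the answers above or from the Tor or systemd projects. It parses both files from constructed sample text, reports for each onion-service directory whether it is listed by name, covered only through a listed parent (the situation Solution 2 describes), or not covered at all, and renders a systemd drop-in that names the missing directories explicitly. Assumptions: the drop-in lands in the standard /etc/systemd/system/tor.service.d/ location, where list settings extend rather than replace the unit's own list, and ReadWritePaths= is treated as the newer spelling of the same setting. Making a subdirectory explicit is harmless where the parent entry already sufficed, so the "under" state is reported rather than treated as an error.

```python
"""Cross-check torrc HiddenServiceDir entries against the ReadWriteDirectories=
list of a systemd unit and render an explicit drop-in for the gaps.
Added example, not code from the answers or from the Tor/systemd projects;
the torrc and unit texts below are constructed samples."""
import shlex
from pathlib import PurePosixPath

# Constructed sample torrc: the SSH onion service from the question plus a
# second service placed directly in the state directory, as Solution 2 suggests.
SAMPLE_TORRC = """\
# Do not run as client
SocksPort 0
SocksPolicy reject *
# Define hidden service for SSH
HiddenServiceDir /var/lib/tor/sshservice/
HiddenServicePort 44674 127.0.0.1:22
HiddenServiceDir /var/lib/tor/
HiddenServicePort 80 127.0.0.1:8080
"""

# Constructed sample unit with two ReadWriteDirectories= lines; systemd joins
# repeated list settings, which is why both lines are collected below.
SAMPLE_UNIT = """\
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ReadWriteDirectories=/var/lib/tor /var/log/tor
ReadWriteDirectories=-/run/tor
"""


def _norm(path):
    """Drop trailing slashes and the '-' (ignore-if-missing) prefix that
    systemd accepts on ReadWritePaths= entries."""
    return str(PurePosixPath(path.lstrip("-")))


def hidden_service_dirs(torrc_text):
    """HiddenServiceDir values in order, comments stripped, paths normalised."""
    dirs = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "HiddenServiceDir":
            dirs.append(_norm(parts[1].strip()))
    return dirs


def read_write_dirs(unit_text):
    """Every ReadWriteDirectories= (or newer ReadWritePaths=) value in [Service].
    Repeated lines accumulate; an empty assignment resets the list."""
    paths, section = [], None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("ReadWriteDirectories", "ReadWritePaths"):
            if value == "":
                paths.clear()
            else:
                paths.extend(_norm(p) for p in shlex.split(value))
    return paths


def coverage(torrc_text, unit_text):
    """Map each HiddenServiceDir to 'listed' (named explicitly), 'under <dir>'
    (covered only via a listed parent) or 'not covered'."""
    allowed = [PurePosixPath(a) for a in read_write_dirs(unit_text)]
    result = {}
    for d in hidden_service_dirs(torrc_text):
        p = PurePosixPath(d)
        if p in allowed:
            result[d] = "listed"
        else:
            parents = [a for a in allowed if a in p.parents]
            best = max(parents, key=lambda a: len(a.parts)) if parents else None
            result[d] = f"under {best}" if best else "not covered"
    return result


def drop_in_for(torrc_text, unit_text):
    """Text for /etc/systemd/system/tor.service.d/<name>.conf (assumed standard
    drop-in location) that appends directories not listed by name; list settings
    in drop-ins extend the unit's list. Returns '' when nothing needs adding."""
    extra = [d for d, s in coverage(torrc_text, unit_text).items() if s != "listed"]
    if not extra:
        return ""
    return "[Service]\nReadWriteDirectories=" + " ".join(extra) + "\n"


if __name__ == "__main__":
    for d, state in coverage(SAMPLE_TORRC, SAMPLE_UNIT).items():
        print(f"{d}: {state}")
    print(drop_in_for(SAMPLE_TORRC, SAMPLE_UNIT), end="")
```

Against the samples, /var/lib/tor/sshservice is reported as "under /var/lib/tor" and /var/lib/tor as "listed", so the rendered drop-in names only the sshservice directory. After writing such a drop-in, a daemon-reload is needed before the unit picks it up, and the concatenated list can then be confirmed with systemctl show, as the comments describe.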
Alex Haydock
Updated on September 18, 2022
Comments
- Alex Haydock over 1 year
I am attempting to set up a Tor hidden service on CentOS 7 (with systemd), using the tor package from the EPEL repository. Previously this was working fine until a few days ago when it stopped working. Nothing on the system was restarted at this time, though automatic updates are enabled via yum-cron so perhaps something updated.
However, for what it's worth, I have also seen this issue on a mostly-stock installation of Fedora Server and on Fedora Workstation.
Now when I attempt to start the tor service with the hidden service lines in the /etc/tor/torrc file, it fails to start. I have been checking error messages using journalctl -xn, and they are not consistent - however the primary errors seem to be:
Nov 09 22:05:18 hostname tor[7561]: Nov 09 22:05:18.245 [warn] Directory /var/lib/tor/sshservice/ cannot be read: Permission denied
and sometimes:
Nov 09 22:12:33.119 [warn] /var/lib/tor/sshservice/ is not owned by this user (root, 0) but by toranon (997). Perhaps you are running Tor as the wrong user
I have ensured the following about the entire /var/lib/tor path, but with no success:
- Directory is owned by user/group toranon (default tor user for the EPEL package)
- Permissions are set appropriately (I have tried 700, 770, 600, 660) on the directory.
- SELinux contexts are set appropriately for the directory and I have verified this using restorecon.
Other info:
- If I change ownership of the directory to root, I receive the same "wrong user" message as before, but with the usernames reversed.
- I have attempted to disable SELinux completely and verified that the tor service still does not start.
- The hidden service directory is already populated with the private key and hostname files, and they were created by the tor daemon on this system. This configuration previously fully worked.
- If I completely remove the HiddenServiceDir and HiddenServicePort lines from the config, tor starts up as expected.
Some potentially helpful output from /etc/tor/torrc:
# Do not run as client
SocksPort 0 #Run Tor only as a relay and do not create a local SOCKS proxy
SocksPolicy reject *
# Define hidden service for SSH
HiddenServiceDir /var/lib/tor/sshservice/
HiddenServicePort 44674 127.0.0.1:22 #Redirect local SSH port to a nonstandard public port
ls -Z of /var/lib/tor:
[root@sagan tor]# ls -Z
-rw-------. toranon toranon system_u:object_r:tor_var_lib_t:s0 cached-certs
-rw-------. toranon toranon system_u:object_r:tor_var_lib_t:s0 cached-microdesc-consensus
-rw-------. toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 cached-microdescs
-rw-------. toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 cached-microdescs.new
-rw-------. toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 lock
drwx------. toranon toranon system_u:object_r:tor_var_lib_t:s0 sshservice
-rw-------. toranon toranon unconfined_u:object_r:tor_var_lib_t:s0 state
Not sure what might be causing this issue, but I suspect it's something to do with the precise configuration of systemd. I have experimented with commenting and removing some of the lines in the default systemd tor.service file, but with no success. Currently I am attempting to start tor using systemctl start tor using the default systemd tor.service file shipped with CentOS. Any ideas? Help would be greatly appreciated.
- Chloe about 7 years
You have to start TOR with service tor start. Then it runs as toranon and permissions are aligned.
- Alex Haydock over 8 years
Thanks! Can confirm that the same solution you opted for also works for me. I had hoped to use the method that involved editing the systemd service file (as this current solution will only work for a single hidden service), however that didn't seem to work for me. I can verify that having multiple instances of ReadWriteDirectories vs concatenating them on a single line does not make any difference though - systemd seems to concatenate them itself (as seen when you run systemctl show tor after running a systemctl daemon-reload). I'll keep playing around and let you know if I succeed.
- m3nda about 7 years
If you read carefully, you're advised to not use CAP_DAC_READ_SEARCH. It's far better to relax perms for the folder, and adding root to the allowed groups to access dirs.
- Michael Hampton almost 6 years
This is a workaround, but if you have to mess with DAC_OVERRIDE it indicates something else is wrong and the solution lies elsewhere. In this case, you'll find it in Alan Eliasen's answer. Though to be fair, that's just a more sane workaround. The real fix is to fix systemd...