Closed nyxnor closed 2 years ago
So on Tails, to run tor-ctrl, you need to run it as the tor user (debian-tor).

This uses `/run/tor/control`:

```
amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl GETCONF User
[sudo] password for amnesia:
250 OK
250 User=debian-tor
250 closing connection
```
And port 9052:

```
amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9052 GETCONF User
[sudo] password for amnesia:
250 OK
250 User=debian-tor
250 closing connection
```
Port 9051 does not work:

```
amnesia@amnesia:~/tor-ctrl$ sudo -u debian-tor tor-ctrl -s 9051 GETCONF User
[sudo] password for amnesia:
250 OK
510 Command filtered
250 closing connection
```
The filter in fact blocks it; it is not even sent to the controller, as tested with SIGNAL NEWNYM.
The problem was not the socket; any socket should work. The problem is who owns them: if they are owned by another user, such as the tor user, tor-ctrl needs to be run as the tor user. Documenting this.
Is it dangerous? Not sure.
tor-ctrl fails on TailsOS if allowed to get the first socket because of `/run/tor/control`, even though the permissions are the same as on Debian (`srw-rw----`) and conf:

files:

tests:
Also the torrc is owned by user and group `debian-tor`, so even though `/lib/systemd/system/tor@default.service` has `--defaults-torrc` and `-f` (`ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0`), it will never read `/etc/tor/torrc` because it will receive permission denied, because `/lib/systemd/system/tor@default.service.d/writable-etc-tor.conf` has:

and `/etc/apparmor.d/system_tor` gives permission to tor to write to `/etc/tor`:

```
/etc/tor/* w,
```
And running `--verify-config`:

And on `/etc/tor/torrc`, the control socket set there is `ControlPort 127.0.0.1:9052`, which is only connectable if run as the tor user or root:

And even though I couldn't find `ControlPort 127.0.0.1:9051` on any configuration file that tor starts with:

the command is filtered on port 9051 even if running as root or the tor user:

Tails filters commands on port 9051 (which can be used as the user amnesia), but not on port 9052 (which can only be used as the tor user or root).
Besides the filter on port 9051, it does not work as expected: signal newnym does not change the circuits, but on 9052, which is not filtered, it works. Tested using:
So, I could cycle through the available control sockets, trying to connect to all of them, and if any connects, use it; otherwise fail, obviously. Using multiple control ports/sockets means that every socket can be used to connect to the controller, so why not? tor-ctrl is already
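The cycling idea above, as an added example that is not tor-ctrl's own code. It probes a candidate list (the socket path and ports quoted in this thread, assumed as defaults), checks the unix socket's mode and ownership before trying it (which is what makes the first attempt fail on Tails when run as `amnesia`), picks the first endpoint that accepts a connection, and parses control-protocol replies so a caller can tell a `510 Command filtered` answer apart from a real `250`. It performs no authentication and sends no commands; `self_check()` runs the probe against a throwaway local listener and a constructed non-existent socket path so it works offline.

```python
"""Probe Tor control endpoints in order and detect a filtering proxy reply.

Added example for the tor-ctrl issue thread; candidate paths/ports below are
taken from the report and are assumptions, not tor-ctrl's configuration.
"""
import os
import socket
import stat

# Order in which a tor-ctrl-like tool might try endpoints (assumed).
DEFAULT_CANDIDATES = [
    ("unix", "/run/tor/control"),
    ("tcp", ("127.0.0.1", 9052)),
    ("tcp", ("127.0.0.1", 9051)),
]


def socket_accessible(path):
    """True if `path` is a unix socket the current user may read and write.

    On Tails /run/tor/control is srw-rw---- debian-tor:debian-tor, so this
    returns False for `amnesia` and the probe moves on instead of failing.
    """
    try:
        st = os.stat(path)
    except OSError:
        return False
    if not stat.S_ISSOCK(st.st_mode):
        return False
    return os.access(path, os.R_OK | os.W_OK)


def try_connect(kind, target, timeout=1.0):
    """Open a control connection of the given kind; return the socket or None."""
    try:
        if kind == "unix":
            if not socket_accessible(target):
                return None
            sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        else:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        sock.connect(target)
        return sock
    except OSError:
        return None


def first_usable(candidates=DEFAULT_CANDIDATES):
    """Return (kind, target, connected_socket) for the first reachable endpoint."""
    for kind, target in candidates:
        sock = try_connect(kind, target)
        if sock is not None:
            return kind, target, sock
    return None


def parse_reply(text):
    """Parse control-protocol reply lines ('250 OK', '510 ...') into (code, msg)."""
    replies = []
    for line in text.splitlines():
        line = line.strip()
        if len(line) < 3 or not line[:3].isdigit():
            continue
        # Byte 4 is the separator: ' ' final line, '-' mid-reply, '+' data.
        replies.append((int(line[:3]), line[4:] if len(line) > 4 else ""))
    return replies


def is_filtered(replies):
    """True if the controller (or a filter in front of it) answered 510."""
    return any(code == 510 for code, _ in replies)


def self_check():
    """Offline run: local listener stands in for a control port (constructed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    candidates = [
        ("unix", "/nonexistent/tor/control"),  # constructed: unreadable socket
        ("tcp", ("127.0.0.1", port)),
    ]
    found = first_usable(candidates)
    result = {"kind": None, "target": None}
    if found is not None:
        kind, target, conn = found
        conn.close()
        result = {"kind": kind, "target": target}
    listener.close()
    # Replies quoted in the issue: port 9051 (filtered) and port 9052 (not).
    filtered = parse_reply("250 OK\n510 Command filtered\n250 closing connection\n")
    clean = parse_reply("250 OK\n250 User=debian-tor\n250 closing connection\n")
    result["filtered"] = is_filtered(filtered)
    result["unfiltered"] = is_filtered(clean)
    result["user"] = dict(msg.split("=", 1) for _, msg in clean if "=" in msg)
    return result


if __name__ == "__main__":
    print(self_check())
    print(first_usable())  # None unless a tor control endpoint is reachable
```

A connectable endpoint is not necessarily a usable one: on Tails the 9051 listener accepts the connection and only rejects the command afterwards, so a cycling tool should treat a 510 reply as "try the next candidate" rather than as success.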