Tor hidden service file permission problem

I have installed Tor on Ubuntu 14.04 following these instructions: https://www.torproject.org/docs/debian.html.en

I have a basic relay configured and working, but there is a file permission problem with the hidden service private_key and hostname files. Tor starts as root, does some magic, and then drops privileges on its own and runs as "debian-tor".

File permissions:

sudo ls -l /home/debian-tor /home/debian-tor/tor_keys =>
/home/debian-tor:
total 4
drwx------ 2 debian-tor debian-tor 4096 Jul 17 10:59 tor_keys

/home/debian-tor/tor_keys:
total 8
-rw------- 1 debian-tor debian-tor  23 Jul 17 10:59 hostname
-rw------- 1 debian-tor debian-tor 891 Jul 16 17:52 private_key

Started as a service (does not work):

sudo service tor start =>
[notice] Tor 0.2.6.10 (git-71459b2fe953a1c0) opening new log file.
[warn] Could not open "/home/debian-tor/tor_keys/private_key": Permission denied
[warn] Error reading private key from "/home/debian-tor/tor_keys/private_key"
[err] Error loading private key.
[warn] Error loading rendezvous service keys
[err] set_options(): Bug: Acting on config options left us in a broken state. Dying.

Started from the command line (works!):

sudo tor =>
[notice] Tor 0.2.6.10 (git-71459b2fe953a1c0) opening log file.
[notice] Tor v0.2.6.10 (git-71459b2fe953a1c0) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1f and Zlib 1.2.8.
[notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
[notice] Read configuration file "/etc/tor/torrc".
[notice] Opening Control listener on 127.0.0.1:9052
[notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
[notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
[notice] Bootstrapped 0%: Starting
...
[notice] Bootstrapped 100%: Done

Test with another user owning the files (this shows that tor really does run as debian-tor):

sudo chown -R ubuntu_user:ubuntu_user /home/debian-tor
sudo service tor start =>
 * Checking if tor configuration is valid
Jul 17 12:23:06.811 [notice] Tor v0.2.6.10 (git-71459b2fe953a1c0) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1f and Zlib 1.2.8.
Jul 17 12:23:06.811 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 17 12:23:06.811 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 17 12:23:06.811 [notice] Read configuration file "/etc/tor/torrc".
Jul 17 12:23:06.814 [warn] /home/debian-tor/tor_keys is not owned by this user (debian-tor, 108) but by ubuntu_user (1000). Perhaps you are running Tor as the wrong user?
Jul 17 12:23:06.814 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Jul 17 12:23:06.814 [err] Reading config failed--see warnings above.

Trying to get Tor to recreate the keys:

sudo rm -r /home/debian-tor/tor_keys
sudo service tor start =>
[notice] Tor 0.2.6.10 (git-71459b2fe953a1c0) opening log file.
[warn] Error creating directory /home/debian-tor/tor_keys: Permission denied
[warn] Error loading rendezvous service keys
[err] set_options(): Bug: Acting on config options left us in a broken state. Dying.

Running sudo tor creates the folder and writes the hostname and private_key files into it.

So my question is: how do I get sudo service tor start to work? Somehow it has neither root permissions nor debian-tor permissions to write, or maybe I am missing something. Or should I not be managing it with the /etc/init.d/tor script at all?

Answer 1

The answer is simple - AppArmor. It restricts the resources of your service. You can find the details in man apparmor or look here: http://wiki.apparmor.net/index.php/QuickProfileLanguage

So you have to add a rule to /etc/apparmor.d/local/system_tor

# Site-specific additions and overrides for system_tor.
# For more details, please see /etc/apparmor.d/local/README.

/home/debian-tor/tor_keys/* rwmk,

then sudo service apparmor restart and it works like a charm.

sudo service tor restart

sudo service tor status

tail /var/log/tor/log

torify links my_abracadabra.onion

and so on...
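A way to confirm that the "Permission denied" in the question comes from AppArmor and not from the ownership or mode bits, added here as an example (not code from the question, the answer, or the Tor or AppArmor projects): the kernel logs every AppArmor denial as an audit line naming the profile and the path, while an ordinary EACCES from the filesystem logs nothing. The script parses a constructed sample of such lines (the paths follow the question; the pid and timestamps are made up) and derives the local override rules from them. The rules it prints differ from the one in the answer in two ways: they also grant the directory itself, which Tor needs when it has to create the HiddenServiceDir (the "Error creating directory" run above), and they use owner and rwk instead of rwmk, because key files are only read, written and locked, never mapped executable.

```shell
#!/bin/sh
# Added example, not part of the original post and not Tor or AppArmor code:
# tell an AppArmor denial apart from an ordinary Unix permission error and
# derive the /etc/apparmor.d/local/system_tor override rules from it.

# Constructed sample of the kernel audit lines AppArmor writes when it blocks
# the system_tor profile. Paths follow the question; pid and timestamps are
# invented. The third line is allowed and must be ignored.
SAMPLE_AUDIT='audit: type=1400 audit(1437130986.811:101): apparmor="DENIED" operation="open" profile="system_tor" name="/home/debian-tor/tor_keys/private_key" pid=4242 comm="tor" requested_mask="r" denied_mask="r" fsuid=108 ouid=108
audit: type=1400 audit(1437130987.120:102): apparmor="DENIED" operation="mkdir" profile="system_tor" name="/home/debian-tor/tor_keys/" pid=4242 comm="tor" requested_mask="c" denied_mask="c" fsuid=108 ouid=108
audit: type=1400 audit(1437130988.000:103): apparmor="ALLOWED" operation="open" profile="system_tor" name="/etc/tor/torrc" pid=4242 comm="tor" requested_mask="r" denied_mask="r" fsuid=108 ouid=108'

# Read audit lines on stdin and print each path the named profile was denied,
# once. An empty result while the Tor log still says "Permission denied"
# means the filesystem (ownership, mode) refused, not AppArmor.
apparmor_denied_paths() {
  awk -v profile="$1" '
    /apparmor="DENIED"/ && index($0, "profile=\"" profile "\"") {
      # name="..." holds the denied path; strip the key and the quotes
      if (match($0, /name="[^"]*"/))
        print substr($0, RSTART + 6, RLENGTH - 7)
    }' | sort -u
}

# Given one denied path, print override rules for its directory: the
# directory itself (so Tor may create it) and the files inside it.
# "owner" limits the grant to files owned by the process uid; rwk is
# read, write and lock, which is all a key directory needs.
suggest_rules() {
  path="$1"
  case "$path" in
    */) dir="${path%/}" ;;                 # a denied mkdir names the dir itself
    *)  dir="$(dirname "$path")" ;;        # a denied open names a file in it
  esac
  printf 'owner %s/ rw,\nowner %s/* rwk,\n' "$dir" "$dir"
}

# Stand-alone run: both denied paths map to the same two rules.
printf '%s\n' "$SAMPLE_AUDIT" | apparmor_denied_paths system_tor | while read -r p; do
  suggest_rules "$p"
done | sort -u
```

On a real Ubuntu 14.04 host the input comes from dmesg or /var/log/kern.log, sudo aa-status shows whether system_tor is in enforce mode, and after editing the local file sudo apparmor_parser -r /etc/apparmor.d/system_tor reloads just that profile instead of restarting all of AppArmor.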
