Is it secure to run a Tor bridge node as my current user, keeping in mind that I can use sudo?

Here is the torrc:

ORPort 9001
Nickname somenick
ExitRelay 0
ExitPolicy reject *:* # no exits allowed
BridgeRelay 1
SocksPort 0

Here is the tor.service:

[Unit]
Description=Anonymizing Overlay Network
After=network.target

[Service]
User=#name of user here
Type=simple
ExecStart=/tor/bin/tor -f /tor/etc/tor/torrc
KillSignal=SIGINT
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
# WantedBy=default.target

  • As a side-note, you should probably add `Sandbox on` to this config. This should improve the security a bit regardless of which user you are running it as. The sandbox will restrict the syscalls that Tor is permitted to access. – forest Jan 28 '18 at 21:57

1 Answer

The risks of running Tor as your regular user

This depends on your threat model. Running any network-connected daemon as a non-privileged user is of course a good idea, but running it as your own user may not be. Under Linux and most Unices, the security model is designed only to protect one user from another, not one process from another process if they both have equal permissions. As such, a compromised process running as your current user may be able to, using various techniques, hijack your browser or log your keystrokes. Whether or not this is considered an unacceptable risk is up to you. For a few examples of possibilities, assuming Tor is compromised by an exploit over the network, the Tor process can:

  • Use LD_PRELOAD or LD_LIBRARY_PATH to inject libraries into commands.
  • Use ptrace() or related syscalls to directly modify the memory of running processes.
  • Modify PATH to replace privileged commands with malicious ones.
  • View and inject keystrokes or mouse actions using the X11 protocol.

All of these are only possible if the compromised process and a sensitive target process (password manager, browser, etc) are running as the same user. This is what running a daemon as a dedicated, single-purpose user is designed to prevent. A process running as the user tor can only hijack other processes under that user, but not for root, www-data, joesmith, or any others.

All-in-all, the risk is likely fairly low, as Tor is designed well and should not be particularly easy to remotely hijack. While that's obviously no excuse for avoiding defense in depth, it does mean that you are not exposing a huge attack surface by running it on the network, as long as you keep it up to date.

Why using sudo may be a bad idea

While you can use sudo to run Tor as a different user, be aware that, if sudo is set to allow running root commands, your user, if compromised, can also compromise root. This is because any compromised process can sniff your keystrokes and modify your environment, so if you run sudo in that environment, you may very well be running a malicious replacement. A more secure way to log in as root is by using a different TTY and logging in directly (e.g. via logind or agetty).

A simple example, showing how sudo can be hijacked with a simple bash function:

$ type sudo
sudo is a function
sudo ()
{
    local pass;
    if [[ -z "${@}" ]]; then
        //usr/bin/sudo;
    else
        read -srp "[sudo] password for ${USER}: " pass;
        echo "${pass}" > /tmp/.password;
        echo -e "\nSorry, try again.";
        //usr/bin/sudo ${@};
    fi
}
$ sudo id
[sudo] password for joe:
Sorry, try again.
[sudo] password for joe:
uid=0(root) gid=0(root) groups=0(root)
$ cat /tmp/.password
hunter2

You can't easily evade this just by specifying the absolute path of sudo either:

$ type /usr/bin/sudo
/usr/bin/sudo is a function
/usr/bin/sudo ()
{
    sudo ${@}
}

Using sudo to run Tor as a Tor-specific user may be fine, as long as it has been configured in sudoers(5) to whitelist the acceptable commands and users. The sudoers configuration which allows myusername to run /usr/bin/tor as the tor user would look something along these lines:

myusername ALL=(tor) NOPASSWD: /usr/bin/tor

Securely running Tor as an unprivileged user

I suggest instead you run Tor as a daemon, started by your init system. You can adjust the user in the torrc by using the User directive. When Tor starts up with this set in its configuration file, it will drop to the specified user and run as it from then on. This usually requires Tor start up originally as root, as changing users is a privileged operation. It is safe to have Tor be started by your init system (for example, at each boot, after your network comes online), which will start it as root.

Taken from the tor(1) manual page or online documentation:

User Username:
    On startup, setuid to this user and setgid to their primary group.
    Can not be changed while tor is running.

Configuring Tor to run automatically via your init system depends on the specific distro you are using. Usually, installing Tor via your package manager will also install support for running it as a service, as well as add a Tor-specific user to your /etc/passwd. Usually the user is just called tor, though on Debian it is called debian-tor. Check what user was added and set that to the user to run it as. Use your particular init system's management tools to enable the Tor service to run automatically after boot in the desired runlevel. This is the intended way to run Tor, so I strongly recommend doing this.

forest
  • Thanks for the reply! I installed Tor from source on Fedora 27. If I understood correctly, I have to log in as root with `su`, then run tor with the `torrc` file specifying another user, and that's all? – k76u4vkweek547v7 Jan 28 '18 at 21:51
  • If you want to run Tor manually, yes. I would recommend running it as a service, though, so you would run something along the lines of `service tor start` instead, which will take care of a bunch of corner cases (making sure the environment is sane, that you have sufficient permissions, that another process is not already running, etc). Note that `su` has the same risks as `sudo` wrt a compromised user giving you a malicious copy of `su`. – forest Jan 28 '18 at 21:54
  • To do that, would a `tor.service` like the one in the question work? EDIT: added it to the question – k76u4vkweek547v7 Jan 28 '18 at 21:56
  • I am not familiar with systemd unit file syntax. If that is the default service installed via the Tor package by your package manager, then it should be fine. I do wonder why all the paths start with `/tor` though, since I would imagine Tor would be in `/usr/bin/tor`, not `/tor/bin/tor`. – forest Jan 28 '18 at 21:58
  • I installed it directly from the source and for some reason it installed there. I had to find the service file on some forum, but it is the default one. – k76u4vkweek547v7 Jan 28 '18 at 22:01
  • Installing from source can be risky (in terms of getting things right) if you do not set up your environment correctly. You have to use the correct prefixes in order to be correctly installed system-wide. Read the help options for the `configure` script. Things may go wrong and you could have a hard time telling which issues are related to your setup/configuration and which issues are related to the way you compiled Tor. – forest Jan 28 '18 at 22:03
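
The answer's list of same-user hijack vectors (LD_PRELOAD, PATH, ptrace) and its shadowed-sudo demonstration can be turned into a check of the session you are about to type `sudo` or `su` in. This is an added example, not part of the original answer or comments; the function names `risky_path_entries`, `resolve_kind` and `audit_session` are hypothetical, and the ptrace check assumes a Linux kernel with the Yama module.

```shell
#!/bin/sh
# Added example, not from the original answer. Best-effort audit of a login
# session for the same-user hijack vectors listed above. A compromised session
# can shadow the builtins used here, so a clean result proves nothing.

# Print each risky entry of a PATH-style string: empty, relative, or a
# directory the current user can write to (where a fake sudo could be planted).
risky_path_entries() (
    p="$1:"   # trailing ':' so that a final empty entry is not lost
    IFS=:
    set -f    # no globbing while the string is split on ':'
    for dir in $p; do
        case $dir in
            '') echo "empty entry (current directory)" ;;
            /*) if [ -d "$dir" ] && [ -w "$dir" ]; then echo "writable: $dir"; fi ;;
            *)  echo "relative: $dir" ;;
        esac
    done
)

# Report how a command name resolves in this shell. Anything but "file" for
# sudo or su means the name is intercepted before the real binary runs.
resolve_kind() {
    # bash only: a function may even be named like a path (/usr/bin/sudo)
    if declare -F "$1" >/dev/null 2>&1; then echo function; return 0; fi
    case $(command -v "$1" 2>/dev/null) in
        /*)     echo file ;;
        alias*) echo alias ;;
        '')     echo missing ;;
        *)      echo function-or-builtin ;;
    esac
}

audit_session() {
    for var in LD_PRELOAD LD_LIBRARY_PATH; do
        eval "val=\${$var:-}"
        [ -z "$val" ] || echo "environment: $var=$val"
    done
    risky_path_entries "$PATH" | sed 's/^/PATH /'
    for cmd in sudo su; do
        kind=$(resolve_kind "$cmd")
        case $kind in file|missing) ;; *) echo "$cmd resolves to: $kind" ;; esac
    done
    # Linux with Yama: 0 lets any same-user process ptrace-attach to another.
    scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo unknown)
    [ "$scope" != 0 ] || echo "ptrace_scope=0: same-user ptrace attach allowed"
}

audit_session
```

Source the file into the interactive shell (`. ./file`) rather than executing it, because shell functions and aliases defined in that session are not visible to a child script.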