
I'm the operator of the XMPP server on darkness.su. The server runs on CentOS 6.

I installed TOR and configured it to provide a hidden service access to the server. It was working fine at first, but ever since an update a few months ago it started giving me these errors:

    May 25 14:19:37.060 [warn] Permissions on directory /var/lib/tor/hidden_service are too permissive.
    May 25 14:19:37.060 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
    May 25 14:19:37.060 [err] Reading config failed--see warnings above.

I tried to check the logs, but I can't find them, and setting one doesn't seem to work. I've tried removing TOR and wiping all its folders, then reinstalling it. Same thing.

I'm installing through yum from TOR Project's repository.

With chmod 700 on the hidden service directory (owned by TOR):

    Jul 24 21:39:05.573 [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
    Jul 24 21:39:05.573 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
    Jul 24 21:39:05.573 [err] Reading config failed--see warnings above

After changing directory owner to root:

    Jul 24 22:11:36.236 [warn] /var/lib/tor/hidden_service/ is not owned by this user (_tor, 496) but by root (0). Perhaps you are running Tor as the wrong user?
    Jul 24 22:11:36.236 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
    Jul 24 22:11:36.236 [err] Reading config failed--see warnings above.

2 Answers

You need to check three things:

  1. The file ownership should be correct.

    If you use Tor from torproject.org, this should be _tor. If you use Tor from EPEL or Fedora, this should be toranon.

    chown -R _tor:_tor /var/lib/tor
    

    or

    chown -R toranon:toranon /var/lib/tor
    
  2. The permissions should be correct.

    The hidden service directory must be readable only by the Tor user.

    # -exec ... {} + instead of xargs: xargs runs chmod with no operand when
    # find matches nothing, which produces the "missing operand" error.
    find /var/lib/tor/hidden_service -type d -exec chmod u+rwx,go= {} +
    find /var/lib/tor/hidden_service -type f -exec chmod u+rw,go= {} +
    
  3. SELinux contexts must be set correctly. In recent releases of RHEL/CentOS, Tor has an SELinux policy applied to it.

    To fix broken SELinux labels:

    restorecon -r -v /var/lib/tor
    
Michael Hampton
  • Tried it, but seems to give the same result (permission denied). – Darkness.su Jul 25 '15 at 17:00
  • What did you try exactly? – Michael Hampton Jul 25 '15 at 17:01
  • Did the chown and the SELinux command, as well as permissions (type f says there's a missing operand at the end by the way) and output from TOR doesn't seem to be different. – Darkness.su Jul 25 '15 at 17:09
  • Have you actually looked at the ownership and permissions of the directories and files? What are they? Remember that I'm not the NSA and I can't see your screen! You have to be explicit. – Michael Hampton Jul 25 '15 at 17:19
  • Permissions are 700 all the way down and owner is _tor:_tor as I'm getting it from TOR's repos. – Darkness.su Jul 26 '15 at 00:27
  • @Darkness.su Oops. Not sure how I missed your last comment. It's been my experience over several years that the Tor builds distributed by Tor themselves are not well integrated into the operating system. The build in Fedora/EPEL is much better. Though the primary problem with running it is that you may have to wait for updates, since Fedora/EPEL builds go through QA. – Michael Hampton May 20 '16 at 21:59
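A script that checks the three items from this answer (owner, mode, SELinux labels) and names which one Tor will reject, added here as an example and not part of the answer. It assumes GNU stat/find as shipped on CentOS and takes the HiddenServiceDir path and the Tor account name (_tor or toranon) as arguments.

```shell
#!/bin/sh
# Diagnose why Tor refuses a HiddenServiceDir: prints one line per finding
# (OWNER, MODE, FILE, SELINUX) and returns 0 only if everything passes.
# Usage: check_hs_dir /var/lib/tor/hidden_service _tor
check_hs_dir() {
    dir=$1
    user=$2   # _tor for torproject.org packages, toranon for EPEL/Fedora
    rc=0

    [ -d "$dir" ] || { echo "MISSING: $dir is not a directory"; return 1; }
    id "$user" >/dev/null 2>&1 || { echo "USER: account $user does not exist"; return 1; }

    # 1. Ownership: Tor logs "is not owned by this user" and aborts otherwise.
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "OWNER: $dir owned by $owner, expected $user (chown -R $user:$user $dir)"
        rc=1
    fi

    # 2. Mode: any group/other bit triggers "Permissions ... are too permissive".
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "MODE: $dir is $mode, expected 700 (chmod 700 $dir)"
        rc=1
    fi
    # hostname and private_key inside must belong to $user with no g/o bits.
    bad=$(find "$dir" -type f \( ! -user "$user" -o -perm /077 \) 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/^/FILE: wrong owner or mode: /'
        rc=1
    fi

    # 3. SELinux: restorecon -n -v only reports what it would relabel
    #    (assumed behaviour of policycoreutils; skipped when SELinux is absent).
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" != "Disabled" ]; then
        if [ -n "$(restorecon -R -n -v "$dir" 2>/dev/null)" ]; then
            echo "SELINUX: labels under $dir differ from policy (restorecon -R -v $dir)"
            rc=1
        fi
    fi
    return $rc
}
```

Run it as root after each fix; once it prints nothing and exits 0, restart Tor and the rendezvous error should be gone.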

Your issue is likely with SELinux. No, I'm not going to say to set it to permissive (I hate that default answer). It has to do with the subdirectory and the context in which the init.d script is executing (I think). You might be able to fix this by creating a real systemd entry, not 100% sure.

I had this issue, and I chose the simple solution which works since I only have 1 hidden service. Not sure if this causes a problem with multiples or not (I suspect it might). Alternatively, you can spend time debugging the context issue. That would be the best solution, but if you only have one service, you could just:

Change:

/var/lib/tor/hidden_service/

to:

/var/lib/tor/

and be done.

woot
  • I added the tag selinux to this just to see if someone else can give a better answer. – woot May 20 '16 at 21:54