
#1 2020-10-09 18:58:37

klapauzius
Member
Registered: 2019-07-22
Posts: 44

tor in chroot - cannot change root directory

The systemd drop-in which can be found under [1] used to work just fine on my system. It looks like after updating tor to 0.4.4.5 it doesn't work any more.

So I changed the systemd unit file like this

nano /etc/systemd/system/tor.service.d/chroot.conf
# place in /etc/systemd/system/tor.service.d/chroot.conf
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
Environment=LC_ALL=C
User=root
ExecStart=
ExecStart=/usr/bin/sh -c "chroot  --userspec=tor:tor /opt/torchroot/ /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT

to get more elaborate output, in order to find the reason why tor.service fails to start.

systemctl daemon-reload
systemctl start tor.service

gave me

Job for tor.service failed because the control process exited with error code.
See "systemctl status tor.service" and "journalctl -xe" for details.

and

journalctl -xe

gave me

tor[]: Oct 09 20:08:12.302 [notice] Tor 0.4.4.5 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1h, Zlib 1.2.11, Liblzma 5.2.5, and Libzstd>
tor[132686]: Oct 09 20:08:12.302 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warn>
tor[132686]: Oct 09 20:08:12.302 [notice] Read configuration file "/etc/tor/torrc".
tor[132686]: Configuration was valid
sh[132688]: chroot: cannot change root directory to '/opt/torchroot/': Operation not permitted
systemd[1]: tor.service: Main process exited, code=exited, status=125/n/a

I don't understand why "User=root" is not able to use chroot. I'm not sure if this is due to the last tor update or due to an update of chroot or some other part of the system (systemd?).

As root it is possible to start Tor like this:

chroot /opt/torchroot/ /usr/bin/tor -f /etc/tor/torrc &

As expected, Tor then drops root privileges and runs with the permissions of user tor.

As root it is not possible to start Tor like this:

chroot --userspec=tor:tor /opt/torchroot/ /usr/bin/tor -f /etc/tor/torrc &

So I removed the --userspec part from the systemd drop-in. I still get the above-mentioned error:

chroot: cannot change root directory to '/opt/torchroot/': Operation not permitted

Any help is appreciated.

Last edited by klapauzius (2020-10-10 07:22:52)


#2 2020-10-10 07:44:38

klapauzius
Member
Registered: 2019-07-22
Posts: 44

Re: tor in chroot - cannot change root directory

Tor's systemd file has changed:

nano /usr/lib/systemd/system/tor.service
# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service.  You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow.  Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.

[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target

As it says in the comments at the beginning of the file, hardening settings have been introduced.

I assume that this makes chroot impossible.

If someone could verify my assumption I would be grateful.


#3 2021-01-24 21:02:34

niedxwiedx
Member
Registered: 2021-01-24
Posts: 3

Re: tor in chroot - cannot change root directory

I don't get it. It works when I run

# chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc

but at the same time the same command fails when run by systemd. Here is my overriding systemd conf:

[Service]
User=root
ExecStartPre=
ExecStart=
ExecStart=/usr/bin/sh -c "chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc"
KillSignal=SIGINT


#4 2021-01-24 23:02:40

loqs
Member
Registered: 2014-03-06
Posts: 17,327

Re: tor in chroot - cannot change root directory

@niedxwiedx what if you add CAP_SYS_CHROOT to the CapabilityBoundingSet?


#5 2021-01-27 21:28:43

niedxwiedx
Member
Registered: 2021-01-24
Posts: 3

Re: tor in chroot - cannot change root directory

Still does not work, but your advice makes a difference; it feels like a step in the right direction. Before I saw:

systemd[1]: Started Anonymizing overlay network for TCP.
sh[580]: chroot: cannot change root directory to '/opt/torchroot': Operation not permitted
systemd[1]: tor.service: Main process exited, code=exited, status=125/n/a
systemd[1]: tor.service: Failed with result 'exit-code'.
systemd[1]: tor.service: Scheduled restart job, restart counter is at 5.
systemd[1]: Stopped Anonymizing overlay network for TCP.
systemd[1]: tor.service: Start request repeated too quickly.
systemd[1]: tor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Anonymizing overlay network for TCP.

After adding CAP_SYS_CHROOT I see:

systemd[1]: Started Anonymizing overlay network for TCP.
sh[4440]: Jan 27 22:01:19.802 [notice] Tor 0.4.4.6 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1i, Zlib 1.2.11, Liblzma 5.2.5, and Libzstd 1.4.8.
sh[4440]: Jan 27 22:01:19.802 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
sh[4440]: Jan 27 22:01:19.802 [warn] Tor was compiled with zstd 1.4.5, but is running with zstd 1.4.8. For safety, we'll avoid using advanced zstd functionality.
sh[4440]: Jan 27 22:01:19.802 [notice] Read configuration file "/etc/tor/torrc".
sh[4440]: Jan 27 22:01:19.804 [notice] Opening Socks listener on 127.0.0.1:9050
sh[4440]: Jan 27 22:01:19.804 [notice] Opened Socks listener on 127.0.0.1:9050
systemd[1]: tor.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: tor.service: Failed with result 'exit-code'.
systemd[1]: tor.service: Scheduled restart job, restart counter is at 5.
systemd[1]: Stopped Anonymizing overlay network for TCP.
systemd[1]: tor.service: Start request repeated too quickly.
systemd[1]: tor.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Anonymizing overlay network for TCP.

I have also tried with an empty CapabilityBoundingSet so as not to enforce limits on the capabilities of the process, but the outcome was the same as the first.

Last edited by niedxwiedx (2021-01-27 22:02:09)


#6 2021-01-27 22:05:26

loqs
Member
Registered: 2014-03-06
Posts: 17,327

Re: tor in chroot - cannot change root directory

I thought the empty set removed all capabilities

CapabilityBoundingSet=

and you used the following to allow all capabilities

CapabilityBoundingSet=~

From man 5 systemd.exec.

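The capability arithmetic behind posts #4 to #6, as an added example that is not part of the thread: it turns a CapabilityBoundingSet= value into the CapBnd mask the service ends up with and checks whether chroot(2), which needs CAP_SYS_CHROOT even for uid 0, is possible. Only the capability names that appear in the thread are mapped, the bit numbers are the kernel's fixed values, and a 41-capability kernel is assumed for the "all" mask.

```shell
#!/bin/sh
# Added example (not from the thread): decode a systemd CapabilityBoundingSet=
# value into the CapBnd mask the service runs with, then ask whether chroot(2)
# is possible. Root is not enough: the kernel checks the CAP_SYS_CHROOT bit,
# and the bounding set caps what even uid 0 can hold.

# Bit numbers are the fixed values from linux/capability.h; only the names
# used in the thread are mapped here.
cap_bit() {
    case "$1" in
        CAP_DAC_READ_SEARCH)  echo 2 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        *) return 1 ;;
    esac
}

# Assumption: a kernel with 41 capabilities (CAP_LAST_CAP=40), so "all" is
# bits 0..40. Adjust for your kernel when comparing with /proc/PID/status.
ALL_CAPS=0x1ffffffffff

# bnd_mask "VALUE": the mask for CapabilityBoundingSet=VALUE, as 16 hex digits.
# An empty value drops every capability; a leading "~" inverts the list, so
# "~" alone means "all capabilities" (man 5 systemd.exec).
bnd_mask() {
    value=$1; invert=0; mask=0
    case "$value" in "~"*) invert=1; value=${value#"~"} ;; esac
    for name in $value; do
        bit=$(cap_bit "$name") || { echo "unknown capability: $name" >&2; return 1; }
        mask=$(( $mask | (1 << $bit) ))
    done
    [ "$invert" -eq 1 ] && mask=$(( $ALL_CAPS & ~$mask ))
    printf '%016x\n' "$mask"
}

# has_cap MASKHEX CAPNAME: exit 0 if that capability bit is set in the mask.
# MASKHEX may also be the CapBnd value read from /proc/PID/status.
has_cap() {
    bit=$(cap_bit "$2") || return 1
    [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ]
}

# chroot_allowed "VALUE": prints yes/no for a given CapabilityBoundingSet=.
chroot_allowed() {
    mask=$(bnd_mask "$1") || return 2
    if has_cap "$mask" CAP_SYS_CHROOT; then echo yes; else echo no; fi
}
# The set from the Arch tor.service in post #2: chroot is refused (EPERM).
chroot_allowed "CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"
```

To compare with a live service, feed `has_cap` the CapBnd field of `/proc/$(systemctl show -p MainPID --value tor.service)/status`.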

#7 2021-01-27 22:07:41

niedxwiedx
Member
Registered: 2021-01-24
Posts: 3

Re: tor in chroot - cannot change root directory

Another step closer: it works with the hardening settings commented out...

