[tor-onions] domain socket as HiddenServicePort target -- permissions!?

Johannes tor-l1sts at ko-sys.com
Wed Jun 15 15:31:05 UTC 2016


Hello gents,

I'd like to use a unix domain socket as HiddenServicePort target so I
can remove networking capabilities from my hidden service's server
process. Tor does not connect to my socket, though. Tor's debug level
logging does not show any (comprehensible) errors. This is very
frustrating to debug!

Because of the documentation of unix domain sockets in *other* parts of
Tor, like ControlPort, SocksPort et al., I suspect it is about
permissions.

What *exactly* are the requirements for ownership and permissions of the
socket and its directory, and why? This is totally under-documented!

I've tried to look at the sources
(https://trac.torproject.org/projects/tor/ticket/11485), but I could not
make much sense of it. I've managed to somehow create a socket that
worked, but firstly there are so many variables that for the love of gods
I was not able to reproduce it, and secondly as far as I can recall those
were perms that required elevated privileges to get them set, which is
totally out of the question for production. I'd like to elaborate more
on what did work, but I am truly lost!

Version: Tor 0.2.7.6 (git-605ae665009853bd)

TIA,
Johannes
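
An added diagnostic, not part of the original post and not Tor code: it walks the path to the socket and reports which directory, or the socket itself, denies access to the connecting account under plain Unix mode bits. It assumes Linux connect() semantics (search permission on every parent directory, write permission on the socket file), ignores ACLs and mandatory access control policies, and says nothing about extra checks Tor itself may apply; the account name passed on the command line is site-specific.

```python
import os
import pwd
import stat
import sys


def _has_perm(st, uid, gids, other_bit):
    """Classic owner/group/other check; other_bit is stat.S_IXOTH or stat.S_IWOTH."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & (other_bit << 6))
    if st.st_gid in gids:
        return bool(st.st_mode & (other_bit << 3))
    return bool(st.st_mode & other_bit)


def audit_socket_path(sock_path, uid, gids):
    """Return [(path, problem)] for everything that stops uid connecting to sock_path."""
    sock_path = os.path.abspath(sock_path)
    problems = []
    # connect() needs search (x) permission on every directory leading to the socket.
    dirs, d = [], os.path.dirname(sock_path)
    while d not in dirs:
        dirs.append(d)
        d = os.path.dirname(d)
    for d in reversed(dirs):
        st = os.stat(d)
        if not _has_perm(st, uid, gids, stat.S_IXOTH):
            problems.append((d, "no search permission, mode %04o owner %d:%d"
                             % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    try:
        st = os.lstat(sock_path)
    except FileNotFoundError:
        return problems + [(sock_path, "does not exist")]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append((sock_path, "not a socket"))
    # On Linux, connect() also needs write permission on the socket file itself.
    elif not _has_perm(st, uid, gids, stat.S_IWOTH):
        problems.append((sock_path, "no write permission, mode %04o owner %d:%d"
                         % (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)))
    return problems


if __name__ == "__main__":
    # Usage: script.py SOCKET_PATH TOR_USER (the account name is site-specific)
    account = pwd.getpwnam(sys.argv[2])
    groups = set(os.getgrouplist(account.pw_name, account.pw_gid))
    for path, problem in audit_socket_path(sys.argv[1], account.pw_uid, groups):
        print("%s: %s" % (path, problem))
```

An empty result means the mode bits alone do not explain a failed connection, so the cause lies elsewhere.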

