[tor-onions] domain socket as HiddenServicePort target -- permissions!?
Ivan Markin
twim at riseup.net
Wed Jun 15 19:32:21 UTC 2016
Hi Johannes,
Johannes:
> I'd like to use a unix domain socket as HiddenServicePort target so I
> can remove networking capabilities from my hidden service's server
> process. Tor does not connect to my socket, though. Tor's debug level
> logging does not show any (comprehensible) errors. This is very
> frustrating to debug!
>
> Because of the documentation of unix domain sockets in *other* parts of
> Tor, like ControlPort, SocksPort et al., I suspect it is about
> permissions.
>
> How *exactly* are the requirements of ownership and permissions of the
> socket and its directory and why? This is totally under-documented!
A unix socket should be readable and writable for the user under which
you're running tor ("tor", "_tor", etc.), as well as for the server (nginx
or whatever). So you need some combination that provides 'rw-' access
for all relevant users ("nginx"/"www", "tor"/"_tor"...). E.g. this can
be accomplished by adding these users to some "onionservice" group or
whichever you like.
P.S. You can test connectivity with `curl` by running something like this:
$ curl --unix-socket /path/to/socket http:///
--
Sweet onions,
Ivan Markin
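Added example, not part of Ivan's reply or of Tor itself: a small Python checker that applies the rule above (rw- on the socket for the connecting user, plus search permission on every directory leading to it) and reports what blocks a given user. The paths, uids and gids in SAMPLE are constructed; check_user() runs the same logic against a real path and account name.

```python
"""Report why a user cannot connect() to a unix domain socket: the user needs
search (x) on every directory on the path and rw- on the socket itself. (The
listening server also needs w+x on that directory to create the socket; root's
DAC-override bypass is deliberately not modelled.)"""
import grp, os, pwd, stat

def bits_for(mode, owner_uid, owner_gid, uid, gids):
    """Return (r, w, x) as seen by uid, whose supplementary group set is gids."""
    shift = 6 if uid == owner_uid else 3 if owner_gid in gids else 0
    return tuple(bool(mode & (1 << (shift + b))) for b in (2, 1, 0))

def socket_access_problems(entries, uid, gids):
    """entries: (path, st_mode, st_uid, st_gid) from the top-most directory
    down to the socket. An empty list means uid can connect."""
    problems = []
    for path, mode, o_uid, o_gid in entries[:-1]:      # parent directories
        if not bits_for(mode, o_uid, o_gid, uid, gids)[2]:
            problems.append(f"{path}: no search (x) permission for uid {uid}")
    path, mode, o_uid, o_gid = entries[-1]              # the socket itself
    if not stat.S_ISSOCK(mode):
        problems.append(f"{path}: not a socket")
    r, w, _ = bits_for(mode, o_uid, o_gid, uid, gids)
    if not (r and w):
        problems.append(f"{path}: needs rw- for uid {uid}")
    return problems

def stat_chain(sock_path):
    """Build the entries list for a real path with os.stat()."""
    chain = [os.path.abspath(sock_path)]
    while chain[-1] != os.sep:
        chain.append(os.path.dirname(chain[-1]))
    stats = [(p, os.stat(p)) for p in reversed(chain)]
    return [(p, st.st_mode, st.st_uid, st.st_gid) for p, st in stats]

def check_user(sock_path, username):
    """Real-system entry point, e.g. check_user("/run/onion/app.sock", "_tor")."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return socket_access_problems(stat_chain(sock_path), pw.pw_uid, gids)

# Constructed sample: nginx (uid 1001) created the socket in group
# "onionservice" (gid 2000); tor runs as uid 1002.
SAMPLE = [
    ("/", 0o40755, 0, 0),
    ("/var", 0o40755, 0, 0),
    ("/var/run", 0o40755, 0, 0),
    ("/var/run/onion", 0o40750, 1001, 2000),
    ("/var/run/onion/app.sock", 0o140660, 1001, 2000),
]
```

With tor's uid in the "onionservice" group the sample yields no problems; without that group membership it reports both the directory and the socket.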