Bug 1380682 - Recent tor breaks hidden services
Summary: Recent tor breaks hidden services
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: tor
Version: epel7
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Nobody's working on this, feel free to take it
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-30 10:27 UTC by Timo Schoeler
Modified: 2020-11-05 09:32 UTC

Fixed In Version: tor-0.2.8.8-1.fc24 tor-0.2.8.8-1.fc25 tor-0.2.8.8-1.fc23 tor-0.2.8.8-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-04 18:49:56 UTC
Type: Bug



Description Timo Schoeler 2016-09-30 10:27:26 UTC
Description of problem:

When starting tor, it fails with

[warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied

This is not correct, permissions are okay:

  File: ‘/var/lib/tor/hidden_service/’
  Size: 39        	Blocks: 0          IO Block: 4096   directory
Device: fd01h/64769d	Inode: 2149533348  Links: 2
Access: (0700/drwx------)  Uid: (  995/ toranon)   Gid: (  993/ toranon)
Context: system_u:object_r:tor_var_lib_t:s0
Access: 2016-09-29 20:27:11.660000000 +0200
Modify: 2016-09-29 03:48:02.273000000 +0200
Change: 2016-09-29 20:27:48.837000000 +0200
 Birth: -

Widening them instantly throws an error that they're too loose.

Version-Release number of selected component (if applicable):

tor-0.2.8.7-1.el7.x86_64

How reproducible:

Update from tor-0.2.7.6-5.el7.x86_64 to tor-0.2.8.7-1.el7.x86_64, restart, watch it fail.

Steps to Reproduce:

See above.

Actual results:

Tor does not start; error is [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied

Expected results:

Tor starting up w/o problem.

Additional info:

Comment 1 Michael S. 2016-10-02 18:19:11 UTC
No AVC in audit.log, or SELinux error?

Can you give the content of torrc?

I can't reproduce the error myself

Also, can you verify if the permissions of /var/lib/tor, etc. seem good enough?

Comment 2 Michael S. 2016-10-02 18:33:42 UTC
So I was wrong, I can reproduce the issue.

That's likely a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1375369 but for epel7. Can you verify the workaround I posted there and tell me if that works for you?

(here, it led to more SELinux issues, so I am trying to see if I forgot something)

Comment 3 Timo Schoeler 2016-10-02 18:44:58 UTC
[user@tiger ~]$ sudo cat /etc/selinux/config 
[sudo] password for user: 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

[user@tiger ~]$ sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

Comment 4 Michael S. 2016-10-02 18:53:01 UTC
So the issue is definitely linked to various systemd service changes, and quite similar to 1375369. But the fix there is not sufficient, and I can't find which capability is missing on EL7.

Comment 5 Michael S. 2016-10-02 18:56:04 UTC
In fact, I even suspect I have hit a bug in systemd:

# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=1216
# cp fix_rh_1375369.conf /etc/systemd/system/tor.service.d/ 
# systemctl daemon-reload 
# systemctl show tor.service |grep -i cap
CapabilityBoundingSet=0

# cat fix_rh_1375369.conf
[Service]
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE


On a working system (on F24), the same file results in:

# systemctl show tor.service |grep Capability
CapabilityBoundingSet=1220

Comment 6 Michael S. 2016-10-02 19:06:20 UTC
OK, so this looks like https://github.com/systemd/systemd/issues/1221

I am gonna open a bug report on the systemd package, but in the meantime, the workaround would be to add CapabilityBoundingSet=CAP_DAC_READ_SEARCH in the file in /usr/lib (or something like this)

Comment 7 Michael S. 2016-10-02 19:13:20 UTC
So the systemd bug: https://bugzilla.redhat.com/show_bug.cgi?id=1381057

Now, I guess I just need to find a proven packager to get this fixed on fedora and epel for good in tor.

Comment 8 Fedora Update System 2016-10-02 22:22:43 UTC
tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-881d78edf2

Comment 9 Fedora Update System 2016-10-03 06:49:04 UTC
tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-69f1c1433b

Comment 10 Fedora Update System 2016-10-03 07:20:01 UTC
tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-877b55bdd7

Comment 11 Fedora Update System 2016-10-03 07:22:42 UTC
tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-1fce1e0993

Comment 12 Timo Schoeler 2016-10-04 07:16:34 UTC
I can confirm that https://kojipkgs.fedoraproject.org//packages/tor/0.2.8.8/1.el7/x86_64/tor-0.2.8.8-1.el7.x86_64.rpm fixes the problem on my machine. Thanks!

Comment 13 Fedora Update System 2016-10-04 18:49:56 UTC
tor-0.2.8.8-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-10-09 18:51:22 UTC
tor-0.2.8.8-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-10-13 02:53:51 UTC
tor-0.2.8.8-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2016-10-21 15:52:12 UTC
tor-0.2.8.8-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
