[[TOC]]
* Copyright (c) 2005 tyranix
* Distributed under the X11 license
* See [wiki:doc/LegalStuff] for a full text
* See [doc/LegalStuff](doc/LegalStuff) for a full text
These scripts perform almost all of the steps involved in creating a chroot in OpenBSD for tor. It now includes all the configuration files you will need.
When a new version of tor is released, I run this script and copy my old '''/home/chrooted/tor/etc/tor/systrace''' directory over.
When a new version of tor is released, I run this script and copy my old **/home/chrooted/tor/etc/tor/systrace** directory over.
The systrace policies and updated rc.local are included here.
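Review bot: `[[TOC]]` at the top of this hunk is a Trac macro that was left unchanged while `'''…'''` became `**…**` and `[wiki:doc/LegalStuff]` became `[doc/LegalStuff](doc/LegalStuff)`; in a markdown wiki it renders as the literal text `[[TOC]]`, so drop it or replace it with the target wiki's own table-of-contents mechanism. The new license link also has a relative target where the old one was wiki-absolute; check that `doc/LegalStuff` resolves from the location this page has in the new wiki.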
... | ... | @@ -27,13 +27,12 @@ Also, it would be nice if I could upload my chroot to some website so people can |
=== Stage 1: Run as root ===
I hard coded the paths to '''/home/chrooted/tor''' on purpose. If this is ever converted into perl, then with the '''use strict;''' mode I would add the path as a parameter. Since the shell won't warn you if you have a typo, I try to use hard coded paths as much as possible.
I hard coded the paths to **/home/chrooted/tor** on purpose. If this is ever converted into perl, then with the **use strict;** mode I would add the path as a parameter. Since the shell won't warn you if you have a typo, I try to use hard coded paths as much as possible.
Be sure to change the '''TOR_BUILD_USER''' and '''TOR_BUILD_GROUP''' to your own user. This is who is building the source. The files themselves will later be owned by '''_tor''' or '''root''' depending on the file.
Be sure to change the **TOR_BUILD_USER** and **TOR_BUILD_GROUP** to your own user. This is who is building the source. The files themselves will later be owned by **_tor** or **root** depending on the file.
'''tor_stage1_root.sh'''
{{{
#!/bin/sh
**tor_stage1_root.sh**
```
# Fail on the first error (non-zero return value)
set -e -x
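Review bot: `=== Stage 1: Run as root ===` is unchanged context in this hunk, so the heading stays in Trac syntax while `'''tor_stage1_root.sh'''` became `**tor_stage1_root.sh**` and `{{{` became a backtick fence; convert it to `### Stage 1: Run as root`, and give the other `===` and `====` headings on the page the same treatment, otherwise they render as literal equals signs. Also, `#!/bin/sh` is shown only next to the removed `{{{` line and not after the new ``` fence; make sure the new block still opens with the shebang, and tag the fence as ```sh so the script is highlighted as shell.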
... | ... | @@ -116,7 +115,7 @@ cd /home/chrooted/tor/dev |
echo "Stage 1: Done, please run Stage 2-3 next"
}}}
```
=== Stage 2: Run as the user ===
... | ... | @@ -126,9 +125,8 @@ Run this as the user you specified at the top of stage1. |
There's really no reason to set this to use static linking.
It might go away in a future version.
'''tor_stage2_user.sh'''
{{{
#!/bin/sh
**tor_stage2_user.sh**
```
# Fail on the first non-zero return value
set -e -x
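Review bot: `#!/bin/sh` for `tor_stage2_user.sh` appears only beside the removed `{{{` fence and is absent after the new ``` fence; keep the shebang as the first line of the markdown block so the script still runs when saved from the page. The sentence "There's really no reason to set this to use static linking. It might go away in a future version." would be more useful if it named the variable or configure option in the script that it refers to, so a reader who wants dynamic linking knows what to change.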
... | ... | @@ -244,16 +242,15 @@ echo "nameserver 127.0.0.1" >> /home/chrooted/tor/etc/resolv.conf |
echo "Stage 2: Done, please run stage 3"
}}}
```
=== Stage 3: Run as root ===
Final stage. This sets up all of the permissions.
'''tor_stage3_root.sh'''
{{{
#!/bin/sh
**tor_stage3_root.sh**
```
set -e -x
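Review bot: `set -e -x` in `tor_stage3_root.sh` lacks the explanatory comment that stages 1 and 2 carry (`# Fail on the first non-zero return value`); add it for consistency, and it is worth saying that `-x` echoes every command, which matters in this stage because it changes ownership and permissions as root and a partially applied run should be easy to reconstruct from the output. As in the other two script hunks, the `#!/bin/sh` line is visible only on the removed side next to `{{{`; confirm it survives in the new fenced block.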
... | ... | @@ -308,17 +305,17 @@ echo "Setup complete!" |
echo "Don't forget to modify the privoxy configuration"
echo " and add systrace policies to the chroot"
}}}
```
= Configuration files =
# Configuration files
The systrace policy files should have leading tabs instead of spaces!
==== /etc/rc.local ====
'''/etc/rc.local'''
**/etc/rc.local**
{{{
```
# $OpenBSD: rc.local,v 1.38 2005/03/29 21:41:59 uwe Exp $
# site-specific startup actions, daemons, and other things which
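Review bot: "The systrace policy files should have leading tabs instead of spaces!" needs a caveat about how readers get the text: copying the policy blocks out of the rendered page can turn the tabs into spaces, so point them at the raw page source (fenced code blocks keep tabs intact). The `# $OpenBSD: rc.local,v 1.38 2005/03/29 ...` RCS id line shows the whole stock file being quoted under `/etc/rc.local`; state whether the block is meant to replace `/etc/rc.local` or whether only the systrace lines further down are to be appended to the existing file, since a reader on a newer release should not overwrite their rc.local with a 2005 copy.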
... | ... | @@ -384,12 +381,12 @@ if [ -f /opt/dsocks-1.3/tor-dns-proxy.py ]; then |
/bin/systrace -a -c 32767:32767 -d /home/chrooted/tor/etc/tor/systrace /usr/local/bin/python2.4 /opt/dsocks-1.3/tor-dns-proxy.py >/dev/null 2>&1 &
fi
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/bin_tor ====
'''/home/chrooted/tor/etc/tor/systrace/bin_tor'''
{{{
**/home/chrooted/tor/etc/tor/systrace/bin_tor**
```
Policy: /bin/tor, Emulation: native
native-__sysctl: permit
native-kqueue: permit
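Review bot: the `/bin/systrace -a -c 32767:32767 -d /home/chrooted/tor/etc/tor/systrace /usr/local/bin/python2.4 /opt/dsocks-1.3/tor-dns-proxy.py >/dev/null 2>&1 &` line in rc.local discards both stdout and stderr, so a Python traceback or a startup failure of the DNS proxy leaves no trace and a broken resolver only shows up as Tor failing to resolve names; redirect to a log file (or pipe through `logger`) instead. It is also worth a one-line comment that the policy directory given with `-d` lives inside the chroot while python itself runs outside it as uid/gid 32767, because that is not obvious from the path alone.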
... | ... | @@ -500,15 +497,15 @@ Policy: /bin/tor, Emulation: native |
# Match ports 10000 - 65535
native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4 ====
This systrace policy is configured for python to only execute dsocks' python script.
'''/home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4'''
**/home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4**
{{{
```
Policy: /usr/local/bin/python2.4, Emulation: native
native-issetugid: permit
native-__sysctl: permit
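Review bot: the comment `# Match ports 10000 - 65535` above `native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit` does not describe the pattern exactly: `[1-9][0-9]{4}$` matches any five-digit number, 10000 through 99999, and the 65535 ceiling comes from the port field itself, not from the regex. Reword the comment to "any five-digit port (10000 and up)" so nobody later tightens the expression believing it already caps at 65535. The rule also permits connects to any destination address on those ports; that is what a Tor node needs, but say so explicitly so the policy's intent is clear to whoever adapts it.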
... | ... | @@ -590,13 +587,13 @@ Policy: /usr/local/bin/python2.4, Emulation: native |
native-setgid: gid eq "32767" then permit
native-setuid: uid eq "32767" and uname eq "nobody" then permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy ====
'''/home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy'''
**/home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy**
{{{
```
Policy: /usr/local/sbin/privoxy, Emulation: native
native-issetugid: permit
native-mprotect: permit
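Review bot: `native-setgid: gid eq "32767" then permit` checks only the numeric gid, whereas the `native-setuid` line right after it pairs `uid eq "32767"` with `uname eq "nobody"`; keep the two rules in the same style, either both numeric or both with the name predicate (`gname eq "nobody"` on the setgid line, if your systrace build provides the group-name translation), so the intent of dropping to `nobody` is self-documenting and a future uid/gid renumbering is caught in one place.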
... | ... | @@ -658,12 +655,12 @@ Policy: /usr/local/sbin/privoxy, Emulation: native |
native-clock_gettime: permit
native-sigreturn: permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot ====
'''/home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot'''
{{{
**/home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot**
```
Policy: /usr/sbin/chroot, Emulation: native
native-__sysctl: permit
native-issetugid: permit
... | ... | @@ -688,13 +685,13 @@ Policy: /usr/sbin/chroot, Emulation: native |
native-setuid: uid eq "1001" and uname eq "_tor" then permit
native-execve: filename eq "/bin/tor" and argv eq "/bin/tor -f /etc/tor/torrc" then permit
}}}
```
==== /etc/privoxy/config ====
Changes: disable cookie file, pass traffic to Tor, and disable logging every URL request (unfortunately that's the default).
'''/etc/privoxy/config'''
**/etc/privoxy/config**
{{{
# Sample Configuration File for Privoxy v3.0.x
#
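Review bot: `native-setuid: uid eq "1001" and uname eq "_tor" then permit` in the chroot policy hard-codes uid 1001, which is whatever `_tor` received on the author's system; the page already tells readers to change `TOR_BUILD_USER` and `TOR_BUILD_GROUP`, and this line needs the same "adjust to your own `_tor` uid" note, otherwise the setuid is denied and the wrapper never reaches `/bin/tor`. The execve rule that matches both `filename eq "/bin/tor"` and the full `argv eq "/bin/tor -f /etc/tor/torrc"` is the right shape, keep the argv match exact. For `/etc/privoxy/config`, the "Changes:" sentence should name the three directives that were altered (cookie file, forwarding to Tor, per-URL logging) so a reader can diff the block against a stock config and see exactly what moved; note also that the old `{{{` fence is visible here but the new ``` fence for this block is not, so check the converted page opens the block.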