Apply conversion script to all *.md files. authored by Alexander Hansen Færøy
[[TOC]]
* Copyright (c) 2005 tyranix
* Distributed under the X11 license
* See [wiki:doc/LegalStuff] for a full text
* See [doc/LegalStuff](doc/LegalStuff) for a full text
These scripts perform almost all of the steps involved in creating a chroot in OpenBSD for tor. It now includes all the configuration files you will need.
When a new version of tor is released, I run this script and copy my old '''/home/chrooted/tor/etc/tor/systrace''' directory over.
When a new version of tor is released, I run this script and copy my old **/home/chrooted/tor/etc/tor/systrace** directory over.
The systrace policies and updated rc.local are included here.
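Review bot: the `[[TOC]]` macro at the top of the page is left in Trac syntax while the surrounding text is converted to markdown; unless the target wiki renders that macro, it will show up literally, so convert it to the renderer's table-of-contents syntax or drop it. The converted link `[doc/LegalStuff](doc/LegalStuff)` is relative, so it only resolves if the page keeps its current position in the wiki tree.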
......@@ -27,13 +27,12 @@ Also, it would be nice if I could upload my chroot to some website so people can
=== Stage 1: Run as root ===
I hard coded the paths to '''/home/chrooted/tor''' on purpose. If this is ever converted into perl, then with the '''use strict;''' mode I would add the path as a parameter. Since the shell won't warn you if you have a typo, I try to use hard coded paths as much as possible.
I hard coded the paths to **/home/chrooted/tor** on purpose. If this is ever converted into perl, then with the **use strict;** mode I would add the path as a parameter. Since the shell won't warn you if you have a typo, I try to use hard coded paths as much as possible.
Be sure to change the '''TOR_BUILD_USER''' and '''TOR_BUILD_GROUP''' to your own user. This is who is building the source. The files themselves will later be owned by '''_tor''' or '''root''' depending on the file.
Be sure to change the **TOR_BUILD_USER** and **TOR_BUILD_GROUP** to your own user. This is who is building the source. The files themselves will later be owned by **_tor** or **root** depending on the file.
'''tor_stage1_root.sh'''
{{{
#!/bin/sh
**tor_stage1_root.sh**
```
# Fail on the first error (non-zero return value)
set -e -x
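Review bot: the `#!/bin/sh` line that followed `{{{` is dropped from the converted block and has no counterpart after the new ``` fence, but it is the script's shebang rather than a Trac processor directive, so the converted `tor_stage1_root.sh` now begins with the comment line instead of `#!/bin/sh`. Keep that line inside the fence (and tag the fence as ```sh so the block is highlighted); the same line disappears from the stage 2 and stage 3 scripts further down in this patch.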
......@@ -116,7 +115,7 @@ cd /home/chrooted/tor/dev
echo "Stage 1: Done, please run Stage 2-3 next"
}}}
```
=== Stage 2: Run as the user ===
......@@ -126,9 +125,8 @@ Run this as the user you specified at the top of stage1.
There's really no reason to set this to use static linking.
It might go away in a future version.
'''tor_stage2_user.sh'''
{{{
#!/bin/sh
**tor_stage2_user.sh**
```
# Fail on the first non-zero return value
set -e -x
......@@ -244,16 +242,15 @@ echo "nameserver 127.0.0.1" >> /home/chrooted/tor/etc/resolv.conf
echo "Stage 2: Done, please run stage 3"
}}}
```
=== Stage 3: Run as root ===
Final stage. This sets up all of the permissions.
'''tor_stage3_root.sh'''
{{{
#!/bin/sh
**tor_stage3_root.sh**
```
set -e -x
......@@ -308,17 +305,17 @@ echo "Setup complete!"
echo "Don't forget to modify the privoxy configuration"
echo " and add systrace policies to the chroot"
}}}
```
= Configuration files =
# Configuration files
The systrace policy files should have leading tabs instead of spaces!
==== /etc/rc.local ====
'''/etc/rc.local'''
**/etc/rc.local**
{{{
```
# $OpenBSD: rc.local,v 1.38 2005/03/29 21:41:59 uwe Exp $
# site-specific startup actions, daemons, and other things which
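Review bot: only the level-1 heading is converted here (`= Configuration files =` becomes `# Configuration files`) while `==== /etc/rc.local ====` a few lines later stays in Trac syntax, as do the `===` and `====` headings for the stage scripts and the other systrace policies; the conversion script should map `==`, `===` and `====` to `##`, `###` and `####` too, otherwise those headings render as literal text. The untagged ``` fence around rc.local could also carry an `sh` tag.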
......@@ -384,12 +381,12 @@ if [ -f /opt/dsocks-1.3/tor-dns-proxy.py ]; then
/bin/systrace -a -c 32767:32767 -d /home/chrooted/tor/etc/tor/systrace /usr/local/bin/python2.4 /opt/dsocks-1.3/tor-dns-proxy.py >/dev/null 2>&1 &
fi
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/bin_tor ====
'''/home/chrooted/tor/etc/tor/systrace/bin_tor'''
{{{
**/home/chrooted/tor/etc/tor/systrace/bin_tor**
```
Policy: /bin/tor, Emulation: native
native-__sysctl: permit
native-kqueue: permit
......@@ -500,15 +497,15 @@ Policy: /bin/tor, Emulation: native
# Match ports 10000 - 65535
native-connect: sockaddr re "inet-.*:[1-9][0-9]{4}$" then permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4 ====
This systrace policy is configured for python to only execute dsocks' python script.
'''/home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4'''
**/home/chrooted/tor/etc/tor/systrace/usr_local_bin_python2.4**
{{{
```
Policy: /usr/local/bin/python2.4, Emulation: native
native-issetugid: permit
native-__sysctl: permit
......@@ -590,13 +587,13 @@ Policy: /usr/local/bin/python2.4, Emulation: native
native-setgid: gid eq "32767" then permit
native-setuid: uid eq "32767" and uname eq "nobody" then permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy ====
'''/home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy'''
**/home/chrooted/tor/etc/tor/systrace/usr_local_sbin_privoxy**
{{{
```
Policy: /usr/local/sbin/privoxy, Emulation: native
native-issetugid: permit
native-mprotect: permit
......@@ -658,12 +655,12 @@ Policy: /usr/local/sbin/privoxy, Emulation: native
native-clock_gettime: permit
native-sigreturn: permit
}}}
```
==== /home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot ====
'''/home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot'''
{{{
**/home/chrooted/tor/etc/tor/systrace/usr_sbin_chroot**
```
Policy: /usr/sbin/chroot, Emulation: native
native-__sysctl: permit
native-issetugid: permit
......@@ -688,13 +685,13 @@ Policy: /usr/sbin/chroot, Emulation: native
native-setuid: uid eq "1001" and uname eq "_tor" then permit
native-execve: filename eq "/bin/tor" and argv eq "/bin/tor -f /etc/tor/torrc" then permit
}}}
```
==== /etc/privoxy/config ====
Changes: disable cookie file, pass traffic to Tor, and disable logging every URL request (unfortunately that's the default).
'''/etc/privoxy/config'''
**/etc/privoxy/config**
{{{
# Sample Configuration File for Privoxy v3.0.x
#
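Review bot: in the visible lines of this hunk the `'''/etc/privoxy/config'''` caption is converted to `**/etc/privoxy/config**`, but the `{{{` that opens the privoxy config block has no ``` replacement shown, unlike every other block in this patch; confirm that opening fence was converted, or the markdown block will start with a literal `{{{`.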