[[span(style=color:red,This page is several years old and contains outdated information, refer to the [https://www.torproject.org/docs/debian.html.en debian manual] or how to [https://www.torproject.org/docs/tor-doc-unix.html.en install Tor from source] instead.)]]
[[TOC]]

This document describes setting up Tor in a Linux chroot environment.

It has been tested with:

* [http://www.debian.org/ Debian] Lenny and Tor 0.2.0.35
* [http://www.archlinux.org/ Archlinux] (initscripts - obsolete) 2009.02 and Tor 0.2.0.35
* [http://www.archlinux.org/ Archlinux] (Systemd) and Kernel 3.10.3-1-ARCH 2013 x86_64 and Tor v0.2.3.25
* [http://www.linuxmint.com Linux Mint] 9 (Ubuntu 10.04) and Tor 0.2.2.35
* [https://www.centos.org/ CentOS] 6.4 x86_64 and Tor v0.2.3.25

but should work on any Linux distribution.

It explains how to compile, install and configure Tor on a Linux system. The result is a Tor installation that runs in a chroot environment as the dedicated user '''tor'''. The home directory of this user is '''/home/tor''' and the chroot environment lives at '''/home/tor/chroot'''. Tor itself is installed to '''/home/tor/chroot/tor''' and its configuration file is '''/home/tor/chroot/tor/etc/tor/torrc'''.

A Tor installed this way can work as a Tor client and/or server.

= Installation =

First you need to get a copy of the latest [http://www.torproject.org/download-unix.html.en Source tarballs of Tor], verify its signature and unpack it:

{{{
wget http://www.torproject.org/dist/tor-0.2.0.35.tar.gz.asc
wget http://www.torproject.org/dist/tor-0.2.0.35.tar.gz
gpg tor-0.2.0.35.tar.gz.asc
tar -xzvf tor-0.2.0.35.tar.gz
}}}

(`gpg` given the `.asc` file verifies the detached signature against the tarball next to it; the Tor developers' signing key has to be in your keyring for the check to succeed.)

Now you can configure and compile it. The prefix given to configure is the path Tor will see from inside the chroot, which is why it is '''/tor''' and not the real install location on the host:

{{{
cd tor-0.2.0.35
./configure --prefix=/tor
make
}}}

Next you should create a dedicated user which will later run the tor process. On Debian or Debian-based distributions you can create the user with:

{{{
sudo adduser --disabled-login --gecos "Tor user,,," tor
}}}

On other distributions with other adduser implementations the above may fail. If so, look at the man page of your adduser command or use the low-level useradd command to create it:

{{{
sudo useradd -d /home/tor -s /bin/false tor
}}}

After that we install the compiled Tor into the chroot directory, overriding the prefix so that the files land under '''$TORCHROOT/tor''' on the host:

{{{
TORCHROOT=/home/tor/chroot
sudo mkdir -p $TORCHROOT
sudo make install prefix=$TORCHROOT/tor exec_prefix=$TORCHROOT/tor
}}}

= Chroot-Setup =

== Shared libraries ==

We need to copy all libraries which tor needs into the chroot environment. Tor needs libevent, which your distribution may provide as the packages libevent1 and libevent-dev, or just libevent. If it's not available for your distribution, compile it from source: http://www.monkey.org/~provos/libevent/ . Once libevent is in place, copy over the required libraries:

{{{
sudo mkdir $TORCHROOT/lib
sudo cp `ldd $TORCHROOT/tor/bin/tor | awk '{print $3}'|grep "^/"` $TORCHROOT/lib
sudo cp /lib/libnss* /lib/libnsl* /lib/ld-linux.so.2 /lib/libresolv* /usr/lib/libnss3.so /usr/lib/libgcc_s.so.* $TORCHROOT/lib
}}}

The second line copies what `ldd` reports. The third adds files `ldd` does not list: the dynamic loader itself (its line has no `=>`, so the awk filter drops it) and the name-service (libnss*) and resolver modules, which glibc loads at runtime rather than at link time.

On Ubuntu libgcc_s.so.1 is in /lib, and depending on your hardware architecture ld-linux.so.2 may be ld-linux-x86-64.so.2 in /lib64:

{{{
sudo cp /lib/libgcc_s.so.* $TORCHROOT/lib
sudo mkdir $TORCHROOT/lib64
sudo cp /lib64/ld-linux-x86-64.so.2 $TORCHROOT/lib64/
}}}
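The same resolution as a reusable script, added here as an example (it is not part of the original page): it keeps each library at its original path instead of flattening everything into /lib, which also works on multiarch layouts such as /lib/x86_64-linux-gnu, and it handles the dynamic-loader line that the awk filter above drops. It assumes a GNU/Linux host with `ldd`; the globs in `runtime_libs()` are the libraries the page copies by hand plus their multiarch locations.

```shell
#!/bin/sh
# Added example (not from the original page): copy the shared libraries a
# binary needs into a chroot, keeping each library at its original path so
# the dynamic loader finds it without LD_LIBRARY_PATH or an ld.so.cache.
# Assumes a GNU/Linux host with ldd; run as root for a real chroot.

# ldd_paths : filter ldd output on stdin down to absolute library paths.
# Handles "libfoo.so => /path (0x...)", the bare dynamic-loader line
# "/lib64/ld-linux-x86-64.so.2 (0x...)" and skips "not found" and the vdso.
ldd_paths() {
    awk '/not found/ { next }
         /=>/        { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\//  { print $1 }'
}

# runtime_libs : libraries glibc dlopen()s after startup (NSS modules,
# resolver, libgcc_s for pthread_exit), which ldd never lists. These are the
# ones the page copies by hand; the multiarch globs cover Debian/Ubuntu layouts.
runtime_libs() {
    for g in /lib/libnss_* /lib/libnsl* /lib/libresolv* /lib/libgcc_s* \
             /lib64/libnss_* /lib64/libnsl* /lib64/libresolv* /lib64/libgcc_s* \
             /lib/*-linux-gnu/libnss_* /lib/*-linux-gnu/libresolv* \
             /lib/*-linux-gnu/libgcc_s*; do
        [ -e "$g" ] || continue
        echo "$g"
    done
}

# copy_into_chroot CHROOT : read paths from stdin, copy each to CHROOT/<path>,
# dereferencing symlinks so the chroot holds real files, not dangling links.
copy_into_chroot() {
    while read -r lib; do
        mkdir -p "$1$(dirname "$lib")"
        cp -fL "$lib" "$1$lib"
    done
}

# chroot_libs BINARY CHROOT : the whole procedure for one binary.
chroot_libs() {
    { ldd "$1" | ldd_paths; runtime_libs; } | sort -u | copy_into_chroot "$2"
}

# Usage: ./chroot-libs.sh /home/tor/chroot/tor/bin/tor /home/tor/chroot
if [ "$#" -eq 2 ]; then
    chroot_libs "$1" "$2"
fi
```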

== Device nodes ==

Tor needs access to `/dev/(u)random` and, when run as a daemon, `/dev/null`, so you need to create them in the chroot environment:

{{{
sudo mkdir $TORCHROOT/dev
sudo mknod -m 644 $TORCHROOT/dev/random c 1 8
sudo mknod -m 644 $TORCHROOT/dev/urandom c 1 9
sudo mknod -m 666 $TORCHROOT/dev/null c 1 3
}}}

== Configuration files ==

Now copy the files that user lookup and name resolution need into the chroot environment (the passwd and group entries for the tor user, the resolver configuration and the time zone):

{{{
sudo mkdir $TORCHROOT/etc
sudo sh -c "grep ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sudo sh -c "grep ^tor /etc/group > $TORCHROOT/etc/group"
sudo cp /etc/nsswitch.conf /etc/host.conf /etc/resolv.conf /etc/hosts $TORCHROOT/etc
sudo cp /etc/localtime $TORCHROOT/etc
}}}

Only the lines beginning with `tor` are copied from passwd and group, so the chroot holds no information about other accounts on the host.

== Tor-Configuration ==

We need to copy the sample Tor configuration into place in the chroot:

{{{
sudo cp $TORCHROOT/tor/etc/tor/torrc.sample $TORCHROOT/tor/etc/tor/torrc
}}}

(Tor will look for this file in various places based on your platform: https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc)

Since chroot needs to be run as root, but Tor does not, we configure Tor to drop its privileges after start. By adding the following line to the '''$TORCHROOT/tor/etc/tor/torrc''' file:

{{{
User tor
}}}

we tell Tor to drop its privileges to the user named tor (looked up in the chroot's own /etc/passwd copied above). Note that every path in this torrc is interpreted from inside the chroot, so '''/tor/...''' below means '''$TORCHROOT/tor/...''' on the host. We also have to set the data directory explicitly:

{{{
DataDirectory /var/lib/tor2
}}}

tell Tor where to look for 'geoip' for IP-to-country lookups:

{{{
GeoIPFile /tor/share/tor/geoip
}}}

and should configure the PID and log files:

{{{
PidFile /var/run/tor/tor.pid
Log notice file /var/log/tor/log
}}}

These directories need to be created and owned by the user who shall run Tor:

{{{
sudo mkdir -p $TORCHROOT/var/run/tor
sudo mkdir -p $TORCHROOT/var/lib/tor
sudo mkdir -p $TORCHROOT/var/lib/tor2
sudo mkdir -p $TORCHROOT/var/log/tor
sudo chown tor:tor $TORCHROOT/var/run/tor
sudo chown tor:tor $TORCHROOT/var/lib/tor
sudo chown tor:tor $TORCHROOT/var/lib/tor2
sudo chown tor:tor $TORCHROOT/var/log/tor
}}}
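Before handing the chroot to root's `chroot` command, a preflight check catches the usual slips in the steps above: a missing `User` line (Tor would stay root), a tor user that is not in the chroot's passwd copy (the privilege drop would fail), missing device nodes, and a data or PID directory not owned by that user. This script is an added example, not part of the original page, and assumes the layout used here; save it as, say, check-tor-chroot.sh and run it with the chroot path as its only argument.

```shell
#!/bin/sh
# Added example (not from the original page): preflight check for a Tor chroot
# built as above, run before handing it to "chroot" as root. Assumes this page's
# layout: tor at $CHROOT/tor/bin/tor, $CHROOT/tor/etc/tor/torrc, $CHROOT/etc/passwd.

# torrc_get FILE OPTION : print the option's value (last occurrence wins;
# commented-out lines such as "#User root" do not count).
torrc_get() {
    awk -v opt="$2" '$1 == opt { v = $2 } END { print v }' "$1"
}

# uid_in_passwd PASSWD USER : USER's uid from the chroot's own passwd copy,
# the file Tor consults for "User" once it runs inside the chroot.
uid_in_passwd() {
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# owned_by_uid PATH UID : true if PATH exists and is owned by UID (GNU/busybox stat).
owned_by_uid() {
    [ -n "$2" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = "$2" ]
}

# check_tor_chroot CHROOT : print every problem found; return 1 if there was any.
check_tor_chroot() {
    root=$1 rc=0 torrc=$1/tor/etc/tor/torrc
    [ -x "$root/tor/bin/tor" ] || { echo "no tor binary at $root/tor/bin/tor"; rc=1; }
    [ -f "$torrc" ] || { echo "no torrc at $torrc"; return 1; }
    user=$(torrc_get "$torrc" User)
    uid=$(uid_in_passwd "$root/etc/passwd" "$user" 2>/dev/null || true)
    if [ -z "$user" ]; then
        echo "torrc has no User line: Tor would keep running as root"; rc=1
    elif [ -z "$uid" ]; then
        echo "user $user not in $root/etc/passwd: the privilege drop would fail"; rc=1
    fi
    # Device nodes Tor reads from, and /dev/null for daemon mode.
    for dev in random urandom null; do
        [ -c "$root/dev/$dev" ] || { echo "missing device node $root/dev/$dev"; rc=1; }
    done
    # Directories Tor writes to must exist in the chroot and belong to that uid.
    datadir=$(torrc_get "$torrc" DataDirectory)
    pidfile=$(torrc_get "$torrc" PidFile)
    for dir in "$datadir" "${pidfile%/*}"; do
        [ -n "$dir" ] || continue
        owned_by_uid "$root$dir" "$uid" || { echo "$root$dir missing or not owned by uid ${uid:-?}"; rc=1; }
    done
    return $rc
}

if [ "$#" -eq 1 ]; then
    check_tor_chroot "$1" && echo "$1 looks ready"
fi
```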

= Testing =

The chroot setup is now complete and you can start the Tor instance with:

{{{
sudo chroot $TORCHROOT /tor/bin/tor
}}}

This should produce the following output:

{{{
Apr 10 11:42:22.466 [notice] Tor v0.2.0.35 . This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Apr 10 11:42:22.477 [notice] Initialized libevent version 1.4.8-stable using method epoll. Good.
Apr 10 11:42:22.479 [notice] Opening Socks listener on 127.0.0.1:9050
}}}

While it is running, `ps -o user,args -C tor` on the host should list the process as user tor rather than root, which confirms that the '''User''' setting took effect. You can stop it again by pressing CTRL+C. As a last step you should add:

{{{
RunAsDaemon 1
}}}

to your Tor configuration. Some of the init scripts below require it.

You are now finished and can configure your chrooted Tor installation in the file '''/home/tor/chroot/tor/etc/tor/torrc''', for example to set it up as a relay.

= Starting on boot =

This part is quite distribution specific, but with modifications the given init scripts should be applicable to other Linux distributions and *nix operating systems.

The following init scripts start the chrooted Tor installation at boot.

== Archlinux ==

See the following article for a quick and easy setup in ArchLinux: https://wiki.archlinux.org/index.php?title=Tor

'''The below guide for ArchLinux is outdated; ArchLinux no longer uses initscripts and now uses systemd'''

'''More info here: '''https://www.archlinux.org/news/end-of-initscripts-support

Move the following file to '''/etc/rc.d/''' and give it a name you like, e.g. ''tor-chroot''. After that you can start and stop tor with:

{{{
sudo /etc/rc.d/tor-chroot start|stop|restart
}}}

To make it start automatically at boot time, add tor-chroot to the DAEMONS list in your '''/etc/rc.conf'''.

__Init-Script__:
{{{
#!/bin/bash

. /etc/rc.conf
. /etc/rc.d/functions

TORCHROOT=/home/tor/chroot
# Relative to TORCHROOT:
TORPATH=/tor/bin/tor

# pidof matches the path Tor was started with inside the chroot.
PID=`pidof -o %PPID $TORPATH`

case "$1" in
  start)
    stat_busy "Starting Tor Daemon"
    # Needs "RunAsDaemon 1" in torrc, otherwise chroot would block here.
    # If Tor is already running the start is skipped and reported as failed.
    [ -z "$PID" ] && /usr/sbin/chroot $TORCHROOT $TORPATH &>/dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon tor
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping Tor Daemon"
    [ ! -z "$PID" ] && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon tor
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 3
    $0 start
    ;;
  *)
    echo "usage: $0 {start|stop|restart}"
esac
exit 0

# vim: ft=sh ts=2 sw=2
}}}

== CentOS 6.4 x86_64 Chroot Setup ==

Install tor from the repos:

{{{
yum install tor
}}}

Use the following script to set up the chroot (for browser mode):

{{{
#!/bin/bash
# modified from: https://wiki.archlinux.org/index.php?title=Tor
export TORCHROOT=/opt/torchroot

mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib64
mkdir -p $TORCHROOT/var/lib

# Resolver and time-zone files plus the packaged torrc, whose DataDirectory
# line is uncommented so Tor uses /var/lib/tor inside the chroot.
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/
cp /etc/tor/torrc $TORCHROOT/etc/tor/
sed -i 's/^#*\(DataDirectory \/var\/lib\/tor\)/\1/g' $TORCHROOT/etc/tor/torrc

cp /usr/bin/tor $TORCHROOT/usr/bin/

# /lib64 in the chroot points at the chroot's own usr/lib64. The link target
# must be relative: an absolute "/usr/lib64" would resolve to the host's
# directory while this script runs, and the copies below would land there.
ln -s usr/lib64 $TORCHROOT/lib64

# Copy every library ldd reports to the same path inside the chroot
# (/lib64/... goes through the symlink above into usr/lib64).
for F in $(ldd -r /usr/bin/tor | awk '{print $3}' | grep --color=never "^/"); do
    mkdir -p "$TORCHROOT/${F%/*}"
    /bin/cp -f "$F" "$TORCHROOT/${F%/*}/"
done

# The dynamic loader and the libraries glibc loads at runtime (NSS, resolver,
# libgcc_s), which ldd does not list, plus the OpenSSL and libevent files.
/bin/cp -f /lib64/libgcc_s.so* /lib64/ld-linux-x86-64.so* /lib64/libnss* /lib64/libnsl* /lib64/libresolv* $TORCHROOT/lib64/
/bin/cp -f /usr/lib64/libgcc_s.so* /usr/lib64/ld-linux-x86-64.so* /usr/lib64/libnss* /usr/lib64/libnsl* /usr/lib64/libresolv* $TORCHROOT/usr/lib64/
/bin/cp -f /usr/lib64/libssl* /usr/lib64/libcrypto* /usr/lib64/libevent* $TORCHROOT/usr/lib64/

# Tor's state directory, owned by the package's unprivileged user toranon.
cp -r /var/lib/tor $TORCHROOT/var/lib/
chown -R toranon:toranon $TORCHROOT/var/lib/tor

# Only the toranon account needs to be known inside the chroot.
sh -c "grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sh -c "grep --color=never ^tor /etc/group > $TORCHROOT/etc/group"

mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3
}}}

Run Tor inside the chroot with:

{{{
chroot --userspec=toranon:toranon /opt/torchroot /usr/bin/tor
}}}

== Debian ==

This downloads some modifications to Debian's official Tor init script and a small wrapper which performs the chroot. The scripts are kept off the wiki so that they cannot be maliciously modified:

{{{
sudo wget -O /etc/init.d/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.init
sudo wget -O /etc/default/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.default
sudo wget -O $TORCHROOT/tor/bin/tor-chroot http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor-chroot
sudo chmod 755 /etc/init.d/tor /etc/default/tor $TORCHROOT/tor/bin/tor-chroot
}}}

These files are fetched over plain HTTP and will run as root at boot, so read through them before installing them.

After that you can start and stop tor with:

{{{
sudo /etc/init.d/tor start|stop|restart|reload|force-reload
}}}

Running `update-rc.d` sets up the start and stop links in the correct runlevel directories so that it starts automatically while booting:

{{{
sudo update-rc.d tor defaults 19
}}}

= Updating Tor =

If a new version of Tor is released and you want to update your Tor installation in the chroot, just do the following. Download the new version and unpack it. After that you need to configure it the same way you did with the first installation and compile it:

{{{
./configure --prefix=/tor
make
}}}

And now you just have to install it to the correct place:

{{{
TORCHROOT=/home/tor/chroot
sudo make install prefix=$TORCHROOT/tor exec_prefix=$TORCHROOT/tor
}}}

A newer version may depend on additional libraries, so re-check the shared library step from the Chroot-Setup section afterwards (see also the Final Notes).

That's it.

= Final Notes =

* Presumably `torify` will be run outside of the chroot, but its config file location is set to be relative to the chroot by `./configure`. I can't think of any neat way to fix this.

* The library situation is a bit fragile. There may be some other libraries, like `libnss_compat`, which don't show up in `ldd` but are required. The above has been tested for running as client and server and should work with them for the given tor version. Later tor versions may need other files and libraries.

* If you put shared libraries outside of `/lib` and `/usr/lib` you need to set `LD_LIBRARY_PATH`, but sudo drops the `LD*` environment variables for security reasons. If you want to put libraries in, say `/tor/lib`, you need something like: `sudo su -c "export LD_LIBRARY_PATH=/tor/lib; chroot $TORCHROOT /local/bin/tor"`

* An alternate approach to `LD_LIBRARY_PATH` for configuring non-default library locations is to set up `etc/ld.so.conf` and `etc/ld.so.conf.d` in the `chroot` tree, include `sbin/ldconfig` and run `chroot $TORCHROOT /sbin/ldconfig -v` in order to generate `etc/ld.so.cache`. The dynamic linker `ld-linux.so` uses `ld.so.cache` for locating libraries. This is helpful when `tor` is built from source, then installed under `/usr/local`, and you want to mimic the locations of the parent system's files in the `chroot` tree.

* Minimalists may observe via `lsof` that `libgcc_s.so.1` is not loaded in the active `tor` program image and be tempted to omit it, but note that this library is dynamically loaded by `pthread_exit()` from `libpthread.so` when `tor` rotates keys and restarts once each week. Without `libgcc_s.so.1` the `tor` process may terminate with `SIGABRT` and the relay state may be lost. Successful operation is tested by issuing `pkill -HUP tor` when `tor` is running to induce an immediate restart.

* On http://northernsecurity.net/download/ ([http://web.archive.org/web/20100107124355/http://northernsecurity.net/download/ archive]) you can find some ready-to-go scripts to install tor in a chroot environment, which have been claimed to have been tested working on Ubuntu Hardy.

* On http://github.com/blom/tor-chroot-al there are scripts to chroot Tor on Arch Linux.