Re: [Sks-devel] [OT] Any Tor experts here?


From: Danny Horne
Subject: Re: [Sks-devel] [OT] Any Tor experts here?
Date: Mon, 29 Aug 2016 21:14:44 +0100
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 29/08/2016 8:50 pm, Daniel Kahn Gillmor wrote:
> Hi Danny--
>
> On Mon 2016-08-29 15:00:50 -0400, Danny Horne wrote:
>
> what are the permissions on /var/lib/tor/hidden_service/sks ?  On a
> debian system, those directories should probably be owned by the
> debian-tor user account.  It probably depends on what User is specified
> in torrc or how tor is compiled.

Chmod 700, Chown toranon:toranon
>> Here's the relevant bit of /etc/tor/torrc
>>
>> HiddenServiceDir /var/lib/tor/hidden_service/sks/
>> HiddenServicePort 80 164.132.220.24:80
>> HiddenServicePort 11371 164.132.220.24:11371
> Just to be clear, i hope this is pointing at the reverse HTTP proxy.  we
> don't recommend offering direct SKS access to the public network:
>
>   https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
That's correct, here's the relevant bit of my sksconf

hostname:       sks.lockmail.net
hkp_port:       11371
recon_port:     11370

recon_address:  164.132.220.24 2001:41d0:1:f41f:24::1
hkp_address:    127.0.0.1 ::1

>> When using this command (as root) it creates the necessary files and
>> runs, but won't run under systemd
>>
>> /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
>>
>> Here's a few links whose solutions I tried (without success)
>>
>> http://superuser.com/questions/998850/tor-hidden-service-settings-failing-to-allow-tor-service-to-start-on-centos-fedo
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1279222
> you don't mention what your systemd service file looks like, or what
> operating system you're using.  On debian, tor runs via a systemd
> generator, but you can control the default system-wide tor service with:
>
>   systemctl status address@hidden
>   systemctl start address@hidden
>   systemctl stop address@hidden

Running Fedora 24

Here's my complete tor.service

[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target
PartOf=tor-master.service
ReloadPropagatedFrom=tor-master.service

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=30
Restart=on-failure
RestartSec=1
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
DeviceAllow=/dev/null rw
DeviceAllow=/dev/urandom r
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/run
ReadOnlyDirectories=/var
ReadWriteDirectories=/run/tor
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
PermissionsStartOnly=yes

[Install]
WantedBy = multi-user.target

SELinux is running in permissive mode
> etc.  Please write back to the list if you have more details you want to
> share.  Thanks for offering sks over tor!
>
> hth,
>
>         --dkg

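A small check, added here as an illustration and not part of this thread or of tor's own tooling: it resolves which of the posted unit's ReadOnlyDirectories/ReadWriteDirectories rules governs the torrc's HiddenServiceDir, using systemd's rule that the most specific (longest) matching prefix wins. The UNIT and TORRC strings are constructed copies of the lines quoted above; the check reports the sandbox's view of the path only and does not diagnose the startup failure.

```python
import os
# Constructed copies of the path directives from the quoted tor.service and the
# HiddenServiceDir line from the quoted torrc (added example, not from the thread).
UNIT = """\
ReadOnlyDirectories=/run
ReadOnlyDirectories=/var
ReadWriteDirectories=/run/tor
ReadWriteDirectories=/var/lib/tor
ReadWriteDirectories=/var/log/tor
"""
TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/sks/\n"

MODES = {"ReadOnlyDirectories": "ro", "ReadOnlyPaths": "ro",
         "ReadWriteDirectories": "rw", "ReadWritePaths": "rw"}

def parse_unit_paths(unit_text):
    """Collect (path, 'ro'|'rw') rules from the unit's path-restriction directives."""
    rules = []
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() in MODES:
            for path in value.split():
                # systemd allows a leading '-' (ignore if missing) or '+' (host root).
                rules.append((os.path.normpath(path.lstrip("-+")), MODES[key.strip()]))
    return rules

def hidden_service_dirs(torrc_text):
    """Return each HiddenServiceDir path in the torrc, normalised (no trailing slash)."""
    dirs = []
    for line in torrc_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "HiddenServiceDir":
            dirs.append(os.path.normpath(parts[1]))
    return dirs

def effective_access(path, rules):
    """Longest matching prefix decides; an unmatched path keeps default read-write access."""
    path = os.path.normpath(path)
    best = None
    for prefix, mode in rules:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, mode)
    return best[1] if best else "rw"

def check_hidden_service_access(torrc_text, unit_text):
    """Map each HiddenServiceDir to the access the unit's sandbox grants it."""
    rules = parse_unit_paths(unit_text)
    return {d: effective_access(d, rules) for d in hidden_service_dirs(torrc_text)}
```

With the posted files the hidden service directory resolves to read-write (it falls under the /var/lib/tor override of the read-only /var rule), so the sandbox path rules are not what blocks tor from writing its keys there.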
