Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-09 Thread aexlfowley 
> On 07/09/2015 03:24 PM, aexlfowley at web.de wrote:
>> Correct. I edited /lib/systemd/system/tor.service and added
>>   ReadWriteDirectories=-/media/cRAID/Tor
>> and now 0.2.6.9 is running.
>> I'm not entirely sure how to create my own
>> /etc/systemd/system/tor.service so I leave it at that.
>> (Trying out 'systemctl edit' I get "Unknown operation 'edit'." BTW.)
> 
> Just copy the /lib/systemd/system/tor.service file to
> /etc/systemd/system and edit it there -- it will take precedence over
> the one in /lib . You don't want to edit the one in /lib directly, since
> it is meant to be for distribution files that can/should be replaced on
> upgrades.

> Moritz Bartl wrote (09 Jul 2015 14:21:26 GMT) :
>> Just copy the /lib/systemd/system/tor.service file to
>> /etc/systemd/system and edit it there -- it will take precedence over
>> the one in /lib . You don't want to edit the one in /lib directly, since
>> it is meant to be for distribution files that can/should be replaced on
>> upgrades.
> 
> Right. And even better: using drop-in override files would avoid
> having to maintain a local forked copy of the unit file. Look for
> ".conf" in systemd.unit(5).
> 
> Cheers,
> --
> intrigeri

Okay, so I created /etc/systemd/system/tor.service.d/directory.conf
containing
  [Service]
  ReadWriteDirectories=/media/cRAID/Tor

Thanks again. And sorry for the noise.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-09 Thread Nick Mathewson 
On Thu, Jul 9, 2015 at 11:44 AM, intrigeri  wrote:
> Moritz Bartl wrote (09 Jul 2015 14:21:26 GMT) :
>> Just copy the /lib/systemd/system/tor.service file to
>> /etc/systemd/system and edit it there -- it will take precedence over
>> the one in /lib . You don't want to edit the one in /lib directly, since
>> it is meant to be for distribution files that can/should be replaced on
>> upgrades.
>
> Right. And even better: using drop-in override files would avoid
> having to maintain a local forked copy of the unit file. Look for
> ".conf" in systemd.unit(5).

If this one turned out to be NotABug, could somebody close the ticket
mentioned in the subject line?
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-09 Thread intrigeri 
Moritz Bartl wrote (09 Jul 2015 14:21:26 GMT) :
> Just copy the /lib/systemd/system/tor.service file to
> /etc/systemd/system and edit it there -- it will take precedence over
> the one in /lib . You don't want to edit the one in /lib directly, since
> it is meant to be for distribution files that can/should be replaced on
> upgrades.

Right. And even better: using drop-in override files would avoid
having to maintain a local forked copy of the unit file. Look for
".conf" in systemd.unit(5).

Cheers,
--
intrigeri
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-09 Thread Moritz Bartl 
On 07/09/2015 03:24 PM, aexlfow...@web.de wrote:
> Correct. I edited /lib/systemd/system/tor.service and added
>   ReadWriteDirectories=-/media/cRAID/Tor
> and now 0.2.6.9 is running.
> I'm not entirely sure how to create my own
> /etc/systemd/system/tor.service so I leave it at that.
> (Trying out 'systemctl edit' I get "Unknown operation 'edit'." BTW.)

Just copy the /lib/systemd/system/tor.service file to
/etc/systemd/system and edit it there -- it will take precedence over
the one in /lib . You don't want to edit the one in /lib directly, since
it is meant to be for distribution files that can/should be replaced on
upgrades.

-- 
Moritz Bartl
https://www.torservers.net/
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-09 Thread aexlfowley 
> On Tue, 07 Jul 2015, aexlfowley at web.de wrote:
> 
>> After upgrading from 0.2.5.12 (git-3731dd5c3071dcba) to 0.2.6.9
>> (git-145b2587d1269af4) an error occured.
>> I'm on Debian Jessie (stable) on an AMD Athlon 64 X2. Tor won't start
>> and these are the last lines in log:
>> [warn] Couldn't open "/media/cRAID/Tor/lock" for locking: Read-only file
>> system
> 
>> teor thinks that I "could be experiencing an issue with the tor sandbox
>> and not getting the right paths
>> or, tor is running with insufficient permissions"
> 
> I'd assume that's the protection settings enabled in Tor's service file.
> 
> See /lib/systemd/system/tor.service and the systemd.exec(5) manpage.
> You can override these by making your own
> /etc/systemd/system/tor.service file.
> 
> Cheers,
> -- 
>|  .''`.   ** Debian **
>   Peter Palfrader  | : :' :  The  universal
>  http://www.palfrader.org/ | `. `'  Operating System
>|   `-http://www.debian.org/

> aexlfowley at web.de wrote (08 Jul 2015 17:57:24 GMT) :
>> (Both packages for 0.2.5.12 and 0.2.6.9 contain an apparmor profile.
>> Only change and new line is
>>   /usr/bin/obfs4proxy PUx,
>> in /etc/apparmor.d/abstracions/tor)
> 
> FTR, the systemd unit file in Debian sid's 0.2.6.9-1 doesn't enable
> the AppArmor profile (yet), so I doubt AppArmor has anything to do
> with this problem (aa-status will tell you).
> 
> However, it has:
> 
>   PrivateTmp=yes
>   PrivateDevices=yes
>   ProtectHome=yes
>   ProtectSystem=full
>   ReadOnlyDirectories=/
>   ReadWriteDirectories=-/var/lib/tor
>   ReadWriteDirectories=-/var/log/tor
>   ReadWriteDirectories=-/var/run
> 
> ... which explains why /media/cRAID/Tor/lock isn't writable.
> 
> So you'll want to add what is called a "drop-in override file" in
> systemd's terminology (that can be created e.g. with `systemctl
> edit'), that adds a ReadWriteDirectories= directive pointing to the
> directory you want.
> 
> Cheers,
> --
> intrigeri

Correct. I edited /lib/systemd/system/tor.service and added
  ReadWriteDirectories=-/media/cRAID/Tor
and now 0.2.6.9 is running.
I'm not entirely sure how to create my own
/etc/systemd/system/tor.service so I leave it at that.
(Trying out 'systemctl edit' I get "Unknown operation 'edit'." BTW.)

Thank you all!
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-08 Thread intrigeri 
aexlfow...@web.de wrote (08 Jul 2015 17:57:24 GMT) :
> (Both packages for 0.2.5.12 and 0.2.6.9 contain an apparmor profile.
> Only change and new line is
>   /usr/bin/obfs4proxy PUx,
> in /etc/apparmor.d/abstracions/tor)

FTR, the systemd unit file in Debian sid's 0.2.6.9-1 doesn't enable
the AppArmor profile (yet), so I doubt AppArmor has anything to do
with this problem (aa-status will tell you).

However, it has:

  PrivateTmp=yes
  PrivateDevices=yes
  ProtectHome=yes
  ProtectSystem=full
  ReadOnlyDirectories=/
  ReadWriteDirectories=-/var/lib/tor
  ReadWriteDirectories=-/var/log/tor
  ReadWriteDirectories=-/var/run

... which explains why /media/cRAID/Tor/lock isn't writable.

So you'll want to add what is called a "drop-in override file" in
systemd's terminology (that can be created e.g. with `systemctl
edit'), that adds a ReadWriteDirectories= directive pointing to the
directory you want.

Cheers,
--
intrigeri
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-08 Thread Peter Palfrader 
On Tue, 07 Jul 2015, aexlfow...@web.de wrote:

> After upgrading from 0.2.5.12 (git-3731dd5c3071dcba) to 0.2.6.9
> (git-145b2587d1269af4) an error occured.
> I'm on Debian Jessie (stable) on an AMD Athlon 64 X2. Tor won't start
> and these are the last lines in log:
> [warn] Couldn't open "/media/cRAID/Tor/lock" for locking: Read-only file
> system

> teor thinks that I "could be experiencing an issue with the tor sandbox
> and not getting the right paths
> or, tor is running with insufficient permissions"

I'd assume that's the protection settings enabled in Tor's service file.

See /lib/systemd/system/tor.service and the systemd.exec(5) manpage.
You can override these by making your own
/etc/systemd/system/tor.service file.

Cheers,
-- 
   |  .''`.   ** Debian **
  Peter Palfrader  | : :' :  The  universal
 http://www.palfrader.org/ | `. `'  Operating System
   |   `-http://www.debian.org/
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-08 Thread l.m 
Even for read-only filesystem, tor will attempt to fix folder
permission using chmod. I find it unusual that I don't see this in
your logs. 

--leeroy
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-08 Thread aexlfowley 
>> On 8 Jul 2015, at 08:06 , l.m  wrote:
>> 
>> Sounds like access control gone wrong. An older version works but a newer 
>> version fails. Permissions on the filesystem look fine from mount output. So 
>> do you use access control, apparmor, selinux, grsecurity, fsprotect, 
>> bilibop, etc? In particular the tor package which is mentioned in your 
>> ticket includes an apparmor profile and suggests apparmor-utils.
>> 
>> Also try checking your system logs
> 
> arma asked similar questions on the ticket itself:
> 
>> Comment (by arma):
>> 
>> A) Maybe it is Tor's sandbox code, misunderstanding where your
>> datadirectory is?
>> 
>> B) Maybe it is some fancy selinux thing or the like?
>> 
>> Which of those does Wheezy have?
> 
> 
> 
> Tim Wilson-Brown (teor)
> 
> teor2345 at gmail dot com
> pgp ABFED1AC
> https://gist.github.com/teor2345/d033b8ce0a99adbc89c5
> 
> teor at blah dot im
> OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7
> 
> -- next part --
> An HTML attachment was scrubbed...
> URL: 
> 
> -- next part --
> A non-text attachment was scrubbed...
> Name: signature.asc
> Type: application/pgp-signature
> Size: 832 bytes
> Desc: Message signed with OpenPGP using GPGMail
> URL: 
> 

How do I check that sandbox thing?
BTW I'm only running a bridge relay. I don't use TBB or whatever.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-08 Thread aexlfowley 
> Sounds like access control gone wrong. An older version works but a
> newer version fails. Permissions on the filesystem look fine from
> mount output. So do you use access control, apparmor, selinux,
> grsecurity, fsprotect, bilibop, etc? In particular the tor package
> which is mentioned in your ticket includes an apparmor profile and
> suggests apparmor-utils.
> 
> Also try checking your system logs
> --leeroy
> 
> -- next part --
> An HTML attachment was scrubbed...
> URL: 
> 

ACL [1] is part of Debian. I presume that it's this way many years now
... I've updated the pastebin [2] with getfacl outputs. 0.2.5.12 still
running.
I don't have any of that other stuff installed.
(Both packages for 0.2.5.12 and 0.2.6.9 contain an apparmor profile.
Only change and new line is
  /usr/bin/obfs4proxy PUx,
in /etc/apparmor.d/abstracions/tor)

My system logs don't contain anything I haven't released (I checked
dmesg, /var/log/messages, syslog, kern.log).

1: https://wiki.debian.org/Permissions#Access_Control_Lists_in_Linux
2: http://lpaste.net/136099
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-07 Thread teor 

> On 8 Jul 2015, at 08:06 , l.m  wrote:
> 
> Sounds like access control gone wrong. An older version works but a newer 
> version fails. Permissions on the filesystem look fine from mount output. So 
> do you use access control, apparmor, selinux, grsecurity, fsprotect, bilibop, 
> etc? In particular the tor package which is mentioned in your ticket includes 
> an apparmor profile and suggests apparmor-utils.
> 
> Also try checking your system logs

arma asked similar questions on the ticket itself:

> Comment (by arma):
> 
> A) Maybe it is Tor's sandbox code, misunderstanding where your
> datadirectory is?
> 
> B) Maybe it is some fancy selinux thing or the like?
> 
> Which of those does Wheezy have?



Tim Wilson-Brown (teor)

teor2345 at gmail dot com
pgp ABFED1AC
https://gist.github.com/teor2345/d033b8ce0a99adbc89c5

teor at blah dot im
OTR D5BE4EC2 255D7585 F3874930 DB130265 7C9EBBC7



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-07 Thread l.m 
Sounds like access control gone wrong. An older version works but a
newer version fails. Permissions on the filesystem look fine from
mount output. So do you use access control, apparmor, selinux,
grsecurity, fsprotect, bilibop, etc? In particular the tor package
which is mentioned in your ticket includes an apparmor profile and
suggests apparmor-utils.

Also try checking your system logs
--leeroy

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

[tor-dev] tor#16518: Read-Only Filesystem Error opening tor lockfile in 0.2.6.9 but not 0.2.5.12

2015-07-07 Thread aexlfowley 
Hi devs,

User here. teor send me over from IRC. It's regarding to this
trac-ticket https://trac.torproject.org/projects/tor/ticket/16518
After upgrading from 0.2.5.12 (git-3731dd5c3071dcba) to 0.2.6.9
(git-145b2587d1269af4) an error occured.
I'm on Debian Jessie (stable) on an AMD Athlon 64 X2. Tor won't start
and these are the last lines in log:
[warn] Couldn't open "/media/cRAID/Tor/lock" for locking: Read-only file
system
[err] set_options(): Bug: Acting on config options left us in a broken
state. Dying.

Here's the full log:
http://www.file-upload.net/download-10748122/aexllog.gz.html
Here's also a pastebin of some shell commands I did for the IRC chat:
http://lpaste.net/136099

debug just also contains:
[debug] tor_disable_debugger_attach(): Attemping to disable debugger
attachment to Tor for unprivileged users.
[debug] tor_disable_debugger_attach(): Debugger attachment disabled for
unprivileged users.
[info] tor_lockfile_lock(): Locking "/media/cRAID/Tor/lock"

teor thinks that I "could be experiencing an issue with the tor sandbox
and not getting the right paths
or, tor is running with insufficient permissions"

teor's help and mindfulness was much appreciated.
It lasted about 7 days for me to realize that Tor wasn't running. I'm
now operating 0.2.5.12 successfully, hoping that it's still secure.

Kindest regards
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev