Hi friends,
I just configured Nyx to run as a normal user on OpenBSD, and I am looking for feedback on the security of my approach and suggestions for any better alternatives.
Setup:
- Nyx 2.1.0
- Tor 0.4.8.10 (CookieAuthentication 1 in torrc)
- OpenBSD 7.5
Problem:
Nyx will run as root, but as a normal user I got the following error:
$ nyx
We were unable to read Tor's authentication cookie...
Path: /var/tor/control_auth_cookie
Issue: Authentication failed: '/var/tor/control_auth_cookie' doesn't exist
I added my user to the _tor group, but it turns out only the _tor user itself can read this file.
# ls -l /var/tor/control_auth_cookie
-rw------- 1 _tor _tor 32B Apr 27 03:30 /var/tor/control_auth_cookie
Solution:
I added read permission to the file for the group and then read and execute permissions to the parent directory to allow group members access:
# chmod g+r /var/tor/control_auth_cookie
# chmod g+rx /var/tor
Now, my normal user can run Nyx, can list the directory contents of /var/tor, and can read control_auth_cookie. I checked to see if the other files and directories (like /var/tor/keys) were accessible, and they are not.
Questions:
Was this the best way to go about things? What might the adverse consequences be? Is there a better way? (I thought an alternative would be to configure doas to run Nyx as the _tor user, but I wasn't sure about that either.)
Thanks for any insights or suggestions!
Hey friends, I just wanted to give an update on this. The method above doesn't work because the Tor process resets the permissions for /var/tor automatically after about a day.
# grep -i /var/tor /var/log/messages
Tor[72495]: Fixing permissions on directory /var/tor
However, it turns out there are some torrc options to achieve the same thing:
CookieAuthFileGroupReadable 1
CookieAuthFile /var/tor/control_auth_cookie
DataDirectoryGroupReadable 1
It seems to work for me so far. I will update if the permissions get reset again.
Another thing I did was configure doas so that my normal user puffy can execute the nyx command as the _tor user. You can do this by adding the following line to /etc/doas.conf (create the file if it doesn't exist already):
permit nopass puffy as _tor cmd nyx
Then you can run nyx with
$ doas -u _tor nyx
I am not sure which of these two approaches is better though.
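As an added example (not code from the post above, nor from the Tor or Nyx projects), here is a small POSIX sh audit of the permission state the update describes: the data directory group r+x, the cookie group-readable but not group-writable, keys/ still closed to the group, nothing world-accessible, and the torrc carrying the matching options. The directory and torrc paths are parameters, so the functions run against a constructed sample tree here; on OpenBSD you would point them at /var/tor and /etc/tor/torrc. The sample cookie content and the sample torrc are constructed placeholders, not real Tor data.

```shell
#!/bin/sh
# Added example: audit a Tor DataDirectory layout and torrc for the
# group-readable cookie setup described in the post. Not part of Tor or Nyx.

mode_of() {
  # Symbolic mode string such as "rw-r-----"; ls -ld output has the same
  # shape on GNU and BSD, unlike stat(1) flags.
  ls -ld "$1" | cut -c2-10
}

has_bit() {
  # has_bit PATH COLUMN LETTER: true when column COLUMN (1-9) of the mode
  # string equals LETTER, e.g. has_bit f 4 r means group-readable.
  [ "$(mode_of "$1" | cut -c"$2")" = "$3" ]
}

world_accessible() {
  # True if the "other" triad grants anything at all.
  [ "$(mode_of "$1" | cut -c7-9)" != "---" ]
}

audit_tor_dir() {
  # Returns 0 when DIR matches the intended layout:
  #  - DIR itself group r+x (list and traverse, as chmod g+rx did)
  #  - control_auth_cookie group-readable but not group-writable
  #  - keys/ not readable or traversable by the group
  #  - none of the above world-accessible
  dir=$1 rc=0
  if ! { has_bit "$dir" 4 r && has_bit "$dir" 6 x; }; then
    echo "FAIL: $dir is not group r+x"; rc=1
  fi
  cookie=$dir/control_auth_cookie
  if ! has_bit "$cookie" 4 r; then
    echo "FAIL: $cookie is not group-readable"; rc=1
  fi
  if has_bit "$cookie" 5 w; then
    echo "FAIL: $cookie is group-writable"; rc=1
  fi
  if has_bit "$dir/keys" 4 r || has_bit "$dir/keys" 6 x; then
    echo "FAIL: $dir/keys is reachable by the group"; rc=1
  fi
  for p in "$dir" "$cookie" "$dir/keys"; do
    if world_accessible "$p"; then
      echo "FAIL: $p is world-accessible"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK: $dir matches the expected layout"
  return "$rc"
}

torrc_has() {
  # torrc_has OPTION VALUE FILE: true if an uncommented line sets OPTION to VALUE.
  grep -Eiq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|$)" "$3"
}

make_sample_tree() {
  # Constructed stand-in for /var/tor after the torrc options take effect.
  # The 32-byte cookie content is a placeholder, not a real Tor cookie.
  mkdir -p "$1/keys"
  printf '%032d' 0 > "$1/control_auth_cookie"
  chmod 750 "$1"
  chmod 640 "$1/control_auth_cookie"
  chmod 700 "$1/keys"
}

make_sample_torrc() {
  # Constructed torrc fragment with the options named in the post.
  cat > "$1" <<'EOF'
CookieAuthentication 1
CookieAuthFileGroupReadable 1
CookieAuthFile /var/tor/control_auth_cookie
DataDirectoryGroupReadable 1
EOF
}

# Stand-alone run against a constructed tree (real use: audit_tor_dir /var/tor)
if [ "${TOR_AUDIT_DEMO:-1}" = 1 ]; then
  demo=$(mktemp -d)
  make_sample_tree "$demo"
  make_sample_torrc "$demo/torrc"
  audit_tor_dir "$demo"
  torrc_has DataDirectoryGroupReadable 1 "$demo/torrc" && echo "OK: torrc sets DataDirectoryGroupReadable 1"
  rm -rf "$demo"
fi
```

Running audit_tor_dir against /var/tor after a restart (or after the "Fixing permissions on directory" log line appears) shows at a glance whether Tor has reverted the manual chmod, which is the failure mode the update describes; the torrc check confirms the options that make the layout persist are actually set rather than commented out.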