[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] ControlPort Authentication Options

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] ControlPort Authentication Options
From: Ralph Seichter <m16+tor@xxxxxxxxxxxxxxx>
Date: Sun, 3 Sep 2017 13:29:56 +0200
Delivered-to: archiver@xxxxxxxx
Delivery-date: Sun, 03 Sep 2017 07:30:39 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=monksofcool.net; h=content-transfer-encoding:content-language:content-type :content-type:in-reply-to:mime-version:user-agent:date:date :message-id:from:from:references:subject:subject; s=alpha; t= 1504438200; x=1507030201; bh=DXnCDuSrdfcm3H5w387EEEVXXSDbyZjT1X/ ojjV/B6E=; b=JJEVZprc6q8laHvW72Aj1FtjakBVCA00aDawQLzZqC0VBcbl/VG wJsvXLgFIryWkDp2LQITU38QRrTCYNmTJCyBwnIQSmqWFN14wWxOYBiewTWoaAfi LITERiTZ7fwRYTxJIVr3T0GYkjBbU4ER+yZmmZiNQStx1yBQrCZ0kZzds1swVobJ 3obtqjcN4GndbSI7JqZ5EoMbCmPO5VF3KG5LDrL+oPMUfoB67J9rHUaSNnK2yf1z HK/NUSn1kJSDzQhQTV6NWzFEPJsLsCSYkCBPABL9L/0DmXIy09PHD0h9EtZDTyQL LaykLRD8OghjZeFd93lp3g9N6drKtdzISiA==
In-reply-to: <20170903004253.GI8401@moria.seul.org>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays \(exit, non-exit, bridge\)" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <df28964d-4b89-c4dd-613e-b24cb7eabd64@cni.net> <CAJdkzEM9Hc2FL3ZABVGAyu3LKXeUSCELz=JmsH3=NQMNEGthyw@mail.gmail.com> <30bf8165-f1c1-a11a-b55b-c0ceeaa8167b@monksofcool.net> <CAJdkzEOiSCdd5fb6kCCL+Wfd2T5DEdDMpULvvZASQhgV73KuzQ@mail.gmail.com> <68b14862-856b-d4ec-62ea-56562fc7e63e@monksofcool.net> <c442d00e-b314-ec3e-bac2-253a42a5e118@riseup.net> <3ebfb6b0-5197-5451-a572-4bccedfc1e89@monksofcool.net> <20170903004253.GI8401@moria.seul.org>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 03.09.2017 02:42, Roger Dingledine wrote:

> In the man page, it's listed as a flag to ControlPort.

Ouch, I did not see this last night. In my defence, I find it hard to
distinguish between "options" and "flags for options" listed on the page
https://www.torproject.org/docs/tor-manual.html.en even during daytime,
because of the lack of distinguishing marks (same font, size, style and
colour). RelaxDirModeCheck is apparently a flag, while ControlListenAddress
directly below it is an option. May I suggest improving the formatting
to avoid future misunderstandings?

In any case, here is what works for me with Tor 0.3.0.10:

  CookieAuthentication 1
  CookieAuthFile /var/lib/tor/cookie_auth
  CookieAuthFileGroupReadable 1
  ControlPort unix:/run/tor/control GroupWritable RelaxDirModeCheck

With this combination, all members of the Tor user's primary group can
access Nyx without manually entering a controller password. Downside, as
mentioned, they cannot see any currently established connections.

By the way, the options above seem inconsistent to me. CookieAuthFile
should have a flag like this

  # Feature request: GroupReadable flag
  CookieAuthFile /path/to/file GroupReadable

instead of using the separate option CookieAuthFileGroupReadable. That
would be consistent with how the ControlPort settings are specified.

My thanks to Damian and Roger.

-Ralph
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- [tor-relays] Tor-arm failure
  - From: Arisbe
- Re: [tor-relays] Tor-arm failure
  - From: Damian Johnson
- Re: [tor-relays] Tor-arm failure
  - From: Ralph Seichter
- Re: [tor-relays] Tor-arm failure
  - From: Damian Johnson
- Re: [tor-relays] Tor-arm failure
  - From: Ralph Seichter
- Re: [tor-relays] ControlPort Authentication Options (was: Tor-arm failure)
  - From: nusenu
- Re: [tor-relays] ControlPort Authentication Options
  - From: Ralph Seichter
- Re: [tor-relays] ControlPort Authentication Options
  - From: Roger Dingledine

Prev by Author: Re: [tor-relays] HOW-TO: Simple DNS resolver for tor exit operators
Next by Author: Re: [tor-relays] Tor-arm failure
Previous by thread: Re: [tor-relays] ControlPort Authentication Options
Next by thread: Re: [tor-relays] Tor-arm failure
Index(es):
- Author
- Thread