[tor-relays] torrc, unit files, confusion

[Martin Gebhardt <martin@xxxxxxxxxxx>]

Hello together,

I've gotten myself stuck in a situation that I can't get out of. The 
following:

I have a working relay. You can find the config for it in the attachment 
[1].

I want to move parts of the config. So I use %include.
I don't do anything else than moving parts of the working config to 
other files. There are no changes at all. But, tor does not start 
anymore.In the attachment [2] you can find the config with %include. The 
folder structure is the following:

├── info.html
├── rc.d
│   ├── contact.rc
│   ├── family.rc
│   └── nickname.rc
├── torrc
└── torsocks.conf

No matter what I do, I can't get it to enable debug logs when I start 
tor from the unit file. This is unchanged, but I attached it anyway [3].

Anyway, I start tor as root, then everything works [4]. I have no idea 
where something should be wrong with the permissions. I have also 
recursively set the permission of /etc/tor/ to the user debian-tor, but 
it doesn't help.

When I do the following:

cat rc.d/* >> torrc && sed -i /include/d torrc && systemctl restart tor

Everything works fine again.

My system:
Linux privacy 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) 
x86_64 GNU/Linux
Tor version 0.4.6.9.
Tor is running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1k, 
Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.33 as libc.
Tor compiled with GCC version 10.2.1

Maybe I'm still too tired to figure it out. But please, can someone give 
me some advice where to look further? Or at least tell me how to get a 
debug log when I start tor from the systemd-unit. Then I would surely 
get further.

Thanks for your attention and help.

--
Martin

SocksPort 0
RunAsDaemon 1

ORPort 9001
ORPort [::]:9001

ContactInfo abuse(at)linkspartei(dot)org url:linkspartei.org proof:uri-rsa ciissversion:2 btc:bc1qnskznvxkq63yuqcvp3ppc37hp364n2f08lv46v
MyFamily C2CD35F0766CAE4184F75299186FE8CF1A131E61,58AC93FB66FE2A14A4A7D35C05E6BE41A6C7046B,EDB480C34207BC3D38CD903F475CD4A85659F810,FDAA4F76F778215F02B0B02DCE8E8504179BCDC6,6A0A9C3B3381C89CCB85C64BBCF6942805AA477B,171E93EA1DF7524A87ED272CCE8CF83BCD9BF1BC,F072C8FDA61719777AA3BAB2CDADE416763749F8,4CF97826972A7FDD895B0D020FE56341ED5E5F90,16688DB4CD7B17E2846E9BE90DFCE89456DAE5CB,845BA84EDBC85AD3B1D504089BAE698E9360DCBF,2F9EAEB446302E4A4B6451AC2A8DAB9128FDA7D7,FDE290ACE9C213BE9F7BB7FB288DD9767B6ABB31
Nickname lokit09

Log notice file /var/log/tor/notices.log

DirPort 80
DirPortFrontPage /etc/tor/info.html

ExitRelay 1
IPv6Exit 1
DisableDebuggerAttachment 0
ControlPort 9051
CookieAuthentication 1

# Policy
ExitPolicy accept *:20-21     # FTP, SSH, telnet
ExitPolicy accept *:23        # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:465       # URD for SSM (more often: an alternative SUBMISSION port, see 587)
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:587       # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # kerberos
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-990   # FTP over SSL
ExitPolicy accept *:991       # Netnews Administration System
ExitPolicy accept *:992       # TELNETS
ExitPolicy accept *:993       # IMAP over SSL
ExitPolicy accept *:994       # IRCS
ExitPolicy accept *:995       # POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL
ExitPolicy accept *:6697      # IRC SSL
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy accept *:64738     # Mumble
ExitPolicy reject *:*

SocksPort 0
RunAsDaemon 1

ORPort 9001
ORPort [::]:9001

ContactInfo abuse(at)linkspartei(dot)org url:linkspartei.org proof:uri-rsa ciissversion:2 btc:bc1qnskznvxkq63yuqcvp3ppc37hp364n2f08lv46v
MyFamily C2CD35F0766CAE4184F75299186FE8CF1A131E61,58AC93FB66FE2A14A4A7D35C05E6BE41A6C7046B,EDB480C34207BC3D38CD903F475CD4A85659F810,FDAA4F76F778215F02B0B02DCE8E8504179BCDC6,6A0A9C3B3381C89CCB85C64BBCF6942805AA477B,171E93EA1DF7524A87ED272CCE8CF83BCD9BF1BC,F072C8FDA61719777AA3BAB2CDADE416763749F8,4CF97826972A7FDD895B0D020FE56341ED5E5F90,16688DB4CD7B17E2846E9BE90DFCE89456DAE5CB,845BA84EDBC85AD3B1D504089BAE698E9360DCBF,2F9EAEB446302E4A4B6451AC2A8DAB9128FDA7D7,FDE290ACE9C213BE9F7BB7FB288DD9767B6ABB31
Nickname lokit09

Log notice file /var/log/tor/notices.log

DirPort 80
DirPortFrontPage /etc/tor/info.html

ExitRelay 1
IPv6Exit 1
DisableDebuggerAttachment 0
ControlPort 9051
CookieAuthentication 1

# Policy
ExitPolicy accept *:20-21     # FTP, SSH, telnet
ExitPolicy accept *:23        # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:465       # URD for SSM (more often: an alternative SUBMISSION port, see 587)
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:587       # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here)
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # kerberos
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-990   # FTP over SSL
ExitPolicy accept *:991       # Netnews Administration System
ExitPolicy accept *:992       # TELNETS
ExitPolicy accept *:993       # IMAP over SSL
ExitPolicy accept *:994       # IRCS
ExitPolicy accept *:995       # POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL
ExitPolicy accept *:6697      # IRC SSL
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8082      # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy accept *:50002     # Electrum Bitcoin SSL
ExitPolicy accept *:64738     # Mumble
ExitPolicy reject *:*

# /lib/systemd/system/tor@default.service
[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target
PartOf=tor.service
ReloadPropagatedFrom=tor.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/run/tor/tor.pid
PermissionsStartOnly=yes
ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor
ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=300
TimeoutStopSec=60
Restart=on-failure
LimitNOFILE=65536

# Hardening
AppArmorProfile=-system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

Feb 16 07:40:17.650 [notice] Tor 0.4.6.9 running on Linux with Libevent 2.1.12-stable, OpenSSL 1.1.1k, Zlib 1.2.11, Liblzma 5.2.5, Libzstd 1.4.8 and Glibc 2.31 as libc.
Feb 16 07:40:17.650 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 16 07:40:17.650 [notice] Read configuration file "/etc/tor/torrc".
Feb 16 07:40:17.651 [notice] Processing configuration path "/etc/tor/rc.d" at recursion level 1.
Feb 16 07:40:17.651 [notice] Including configuration file "/etc/tor/rc.d/contact.rc".
Feb 16 07:40:17.651 [notice] Including configuration file "/etc/tor/rc.d/family.rc".
Feb 16 07:40:17.651 [notice] Including configuration file "/etc/tor/rc.d/nickname.rc".
Feb 16 07:40:17.651 [warn] Configuration port ORPort 9001 superseded by ORPort [::]:9001
Feb 16 07:40:17.651 [notice] Based on detected system memory, MaxMemInQueues is set to 732 MB. You can override this by setting MaxMemInQueues by hand.
Feb 16 07:40:17.653 [warn] Configuration port ORPort 9001 superseded by ORPort [::]:9001
Feb 16 07:40:17.653 [notice] Opening Control listener on 127.0.0.1:9051
Feb 16 07:40:17.653 [notice] Opened Control listener connection (ready) on 127.0.0.1:9051
Feb 16 07:40:17.653 [notice] Opening OR listener on 0.0.0.0:9001
Feb 16 07:40:17.653 [notice] Opened OR listener connection (ready) on 0.0.0.0:9001
Feb 16 07:40:17.653 [notice] Opening OR listener on [::]:9001
Feb 16 07:40:17.653 [notice] Opened OR listener connection (ready) on [::]:9001
Feb 16 07:40:17.653 [notice] Opening Directory listener on 0.0.0.0:80

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays