From dbe994aba120a176479cc90a362c8253c602b422 Mon Sep 17 00:00:00 2001 From: Marco Bonetti Date: Tue, 12 Jul 2011 05:16:43 -0400 Subject: network/tor: Updated rc.tor to remove hardcoded values, other fixes. See README.SLACKWARE for more info. Signed-off-by: dsomero --- network/tor/README | 16 ++++- network/tor/README.SLACKWARE | 37 +++------- network/tor/rc.tor | 137 +++++++++++++++++++++++++++-------- network/tor/slack-desc | 6 +- network/tor/tor.SlackBuild | 4 +- network/tor/tor.info | 2 +- network/tor/torrc | 168 +++++++++++++++++++++++++++++++++++++++++++ 7 files changed, 307 insertions(+), 63 deletions(-) create mode 100644 network/tor/torrc (limited to 'network') diff --git a/network/tor/README b/network/tor/README index 3ec67d2c87..ad36a3c0b5 100644 --- a/network/tor/README +++ b/network/tor/README @@ -13,6 +13,18 @@ The recommended UID/GID is 220. You can create these like so: You can pass another user/group to the script; this is however, less safe: TOR_USER=nobody TOR_GROUP=nogroup sh tor.SlackBuild -See README.SLACKWARE for how to start tor on boot. +The following can be used to start/stop tor automatically: +/etc/rc.d/rc.local + if [ -x /etc/rc.d/rc.tor ]; then + /etc/rc.d/rc.tor start + fi -Tor requires libevent. +/etc/rc.d/rc.local_shutdown + if [ -x /etc/rc.d/rc.tor ]; then + /etc/rc.d/rc.tor stop + fi + +Tor requires libevent, while tsocks is an optional run-time dependency if you +want to use the "torify" shell script. + +Take a look at README.SLACKWARE for important notes and recent changes. diff --git a/network/tor/README.SLACKWARE b/network/tor/README.SLACKWARE index 9e88ce90ed..82413547f5 100644 --- a/network/tor/README.SLACKWARE +++ b/network/tor/README.SLACKWARE 
@@ -1,27 +1,10 @@ -Tor is a toolset for a wide range of organizations and people that want -to improve their safety and security on the Internet. Using Tor can help -you anonymize web browsing and publishing, instant messaging, IRC, -SSH, and other applications that use the TCP protocol. Tor also -provides a platform on which software developers can build new -applications with built-in anonymity, safety, and privacy features. - -This script requires a 'tor' user/group to exist before running. -The recommended UID/GID is 220. You can create these like so: - groupadd -g 220 tor - useradd -u 220 -g 220 -c "The Onion Router" -d /dev/null -s /bin/false tor - -You can pass another user/group to the script; this is however, less safe: - TOR_USER=nobody TOR_GROUP=nogroup sh tor.SlackBuild - -The following can be used to start/stop tor automatically: -/etc/rc.d/rc.local - if [ -x /etc/rc.d/rc.tor ]; then - /etc/rc.d/rc.tor start - fi - -/etc/rc.d/rc.local_shutdown - if [ -x /etc/rc.d/rc.tor ]; then - /etc/rc.d/rc.tor stop - fi - -Tor requires libevent. +As of tor-0.2.1.30-2 and later, I've updated Tor rc.tor init script to get rid +of hardcoded values present inside torctl command script. To successfully use +the newer script be sure to check changes to both /etc/rc.d/rc.tor.new and +/etc/tor/torrc.new as some configurations values are now required and no +longer passed on the command line. The original TorProject.org torrc +configuration is always available as /etc/tor/torrc.sample. + +Also, there has been a recent libevent upgrade from 1.4.13 to 2.0.10 in +SlackBuilds.org 13.37 tree, remember to rebuild Tor when such major upgrades +happen. diff --git a/network/tor/rc.tor b/network/tor/rc.tor index cdeb865af3..b54dbdf118 100644 --- a/network/tor/rc.tor +++ b/network/tor/rc.tor 
@@ -1,42 +1,123 @@ #!/bin/sh # -# tor The Onion Router +# tor - The Onion Router # -# Startup/shutdown script for tor. This is a wrapper around torctl; -# torctl does the actual work in a relatively system-independent, or at least -# distribution-independent, way, and this script deals with fitting the -# whole thing into the conventions of the particular system at hand. +# Startup/shutdown script for Tor. +# +# Written by Marco Bonetti , heavily based on +# contrib/tor.sh, contrib/torctl and Debian init script. -# This script is a modified contrb/tor.sh, for use on Slackware. +# Check available file descriptors +if [ -r /proc/sys/fs/file-max ]; then + SYSTEM_MAX=`cat /proc/sys/fs/file-max` + if [ "$SYSTEM_MAX" -gt "80000" ]; then + MAX_FILEDESCRIPTORS=32768 + elif [ "$SYSTEM_MAX" -gt "40000" ]; then + MAX_FILEDESCRIPTORS=16384 + elif [ "$SYSTEM_MAX" -gt "10000" ]; then + MAX_FILEDESCRIPTORS=8192 + else + MAX_FILEDESCRIPTORS=1024 + cat << EOF -TORCTL=/usr/bin/torctl +Warning: Your system has very few filedescriptors available in total. -# torctl will use these environment variables -TORUSER=tor -export TORUSER +Maybe you should try raising that by adding 'fs.file-max=100000' to your +/etc/sysctl.conf file. Feel free to pick any number that you deem appropriate. +Then run 'sysctl -p'. See /proc/sys/fs/file-max for the current value, and +file-nr in the same directory for how many of those are used at the moment. -case "$1" in +EOF + fi +else + MAX_FILEDESCRIPTORS=8192 +fi + +tor_start() { + if [ -n "$MAX_FILEDESCRIPTORS" ]; then + echo -n "Raising maximum number of filedescriptors (ulimit -n) to $MAX_FILEDESCRIPTORS" + if ulimit -n "$MAX_FILEDESCRIPTORS" ; then + echo "..." + else + echo ": FAILED." + fi + fi + echo "Starting Tor..." + /usr/bin/tor +} + +tor_stop() { + echo -n "Stopping Tor..." + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo " not running." + exit 0 + fi + if kill -15 $PID; then + echo " stopped." 
+ else + sleep 1 + if kill -9 $PID; then + echo " killed." + else + echo " error!" + exit 1 + fi + fi +} - start) - $TORCTL start - ;; +tor_reload() { + echo -n "Reloading Tor..." + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo " not running." + exit 0 + fi + if kill -1 $PID; then + echo " reloaded." + else + echo " error!" + exit 1 + fi +} + +tor_status() { + PID=`cat /var/run/tor/tor.pid 2>/dev/null` + if [ -z "$PID" ]; then + echo "Not running." + exit 1 + elif kill -0 $PID; then + echo "Running." + exit 0 + else + echo "PID file /var/run/tor/tor.pid present but PID $PID is not running." + exit 1 + fi +} + +case "$1" in + start) + tor_start + ;; - stop) - $TORCTL stop - ;; + stop) + tor_stop + ;; - restart) - $TORCTL restart - ;; + restart) + tor_stop + sleep 1 + tor_start + ;; - reload) - $TORCTL reload - ;; + reload) + tor_reload + ;; - status) - $TORCTL status - ;; + status) + tor_status + ;; - *) - echo "Usage: $0 (start|stop|restart|reload|status)" + *) + echo "Usage: $0 (start|stop|restart|reload|status)" esac diff --git a/network/tor/slack-desc b/network/tor/slack-desc index 3c630bdba6..5ec6f04069 100644 --- a/network/tor/slack-desc +++ b/network/tor/slack-desc @@ -7,9 +7,9 @@ |-----handy-ruler------------------------------------------------------| tor: tor (The second-generation onion router) -tor: -tor: Tor is a toolset for a wide range of organizations and people that -tor: want to improve their safety and security on the Internet. Using Tor +tor: +tor: Tor is a toolset for a wide range of organizations and people that +tor: want to improve their safety and security on the Internet. Using Tor tor: can help you anonymize web browsing and publishing, instant messaging, tor: IRC, SSH, and other applications that use the TCP protocol. Tor also tor: provides a platform on which software developers can build new diff --git a/network/tor/tor.SlackBuild b/network/tor/tor.SlackBuild index 2dd78ecb13..46a55b8ce6 100644 
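Review bot: tor_stop, tor_reload and tor_status pass whatever /var/run/tor/tor.pid contains to kill unquoted and unvalidated; since the new torrc runs Tor as `User tor`, that file is written by the unprivileged tor account, so a compromised Tor process could make root's `rc.tor stop` signal an arbitrary PID (or several, via word splitting). Reject anything that is not a single number before use, e.g. `case "$PID" in ''|*[!0-9]*) echo " bad PID file."; exit 1 ;; esac`, and quote it as `kill -15 "$PID"` in all three functions. Separately, tor_stop calls `exit 0` when no PID file is found, so `restart` on a stopped Tor terminates before tor_start ever runs; a `return 0` there would let restart proceed. The `kill -9` fallback only executes when `kill -15` itself failed to deliver, so a Tor that ignores TERM is never reaped, and restart's one-second sleep may start a second instance before the old one has exited and removed its PID file.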
--- a/network/tor/tor.SlackBuild +++ b/network/tor/tor.SlackBuild @@ -24,7 +24,7 @@ PRGNAM=tor VERSION=0.2.1.30 -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} # Select tor's default user/group @@ -111,7 +111,7 @@ chmod 0700 $PKG/var/lib/tor install -D -m 0755 $CWD/rc.tor $PKG/etc/rc.d/rc.tor.new install -D -m 0755 contrib/torctl $PKG/usr/bin/torctl install -D -m 0644 $CWD/logrotate.tor $PKG/etc/logrotate.d/tor.new -mv $PKG/etc/tor/torrc.sample $PKG/etc/tor/torrc.new +install -D -m 0644 $CWD/torrc $PKG/etc/tor/torrc.new mv $PKG/etc/tor/tor-tsocks.conf $PKG/etc/tor/tor-tsocks.conf.new find $PKG/usr/man -type f -exec gzip -9 {} \; diff --git a/network/tor/tor.info b/network/tor/tor.info index cbdca71192..f52c94f53f 100644 --- a/network/tor/tor.info +++ b/network/tor/tor.info @@ -7,4 +7,4 @@ DOWNLOAD_x86_64="" MD5SUM_x86_64="" MAINTAINER="Marco Bonetti" EMAIL="sid77@slackware.it" -APPROVED="rworkman" +APPROVED="dsomero" diff --git a/network/tor/torrc b/network/tor/torrc new file mode 100644 index 0000000000..577d169a3c --- /dev/null +++ b/network/tor/torrc 
@@ -0,0 +1,168 @@ +## Configuration file for a typical Tor user +## Last updated 12 April 2009 for Tor 0.2.1.14-rc. +## (May or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#torrc +## +## This is a custom Slackware torrc. The original Tor Project torrc file is +## still available as /etc/torrc/torrc.sample + + +## Replace this with "SocksPort 0" if you plan to run Tor only as a +## relay, and not make any local application connections yourself. +SocksPort 9050 # what port to open for local application connections +SocksListenAddress 127.0.0.1 # accept connections only from localhost +#SocksListenAddress 192.168.0.1:9100 # listen on this IP:port also + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests from SocksListenAddress. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. 
+## +## Send all messages of level 'notice' or higher to /var/log/tor/tor.log +Log notice file /var/log/tor/tor.log +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## On startup, setuid to this user and setgid to their primary group. +User tor + +## On startup, write our PID to /var/run/tor/tor.pid. +## On clean shutdown, remove /var/run/tor/tor.pid. +PidFile /var/run/tor/tor.pid + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. 
+ +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised +## in ORPort (e.g. to advertise 443 but bind to 9090), uncomment the +## line below too. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORListenAddress 0.0.0.0:9090 + +## A handle for your relay, so people don't have to refer to it by key. +#Nickname ididnteditheconfig + +## The IP address or full DNS name for your relay. Leave commented out +## and Tor will guess. +#Address noname.example.com + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 KBytes. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB/s (1600Kbps) + +## Contact info to be published in the directory, so we can contact you +## if your relay is misconfigured or something else goes wrong. Google +## indexes this, so spammers might also collect it. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 1234D/FFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised +## in DirPort (e.g. to advertise 80 but bind to 9091), uncomment the line +## below too. 
You'll need to do ipchains or other port forwarding yourself +## to make this work. +#DirListenAddress 0.0.0.0:9091 +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html for a sample. +#DirPortFrontPage /etc/tor/exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#MultipleServers +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. 
Since there is no complete public list of them, even if an +## ISP is filtering connections to all the known Tor relays, they probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +#ExitPolicy reject *:* + -- cgit v1.2.3
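Review bot: The header comment points readers to `/etc/torrc/torrc.sample`, but README.SLACKWARE in this same commit says `/etc/tor/torrc.sample`, and the SlackBuild hunk drops the `mv` of torrc.sample, which presumably leaves it under /etc/tor; change the line to `## still available as /etc/tor/torrc.sample`. With `User tor`, the `PidFile /var/run/tor/tor.pid` and `Log notice file /var/log/tor/tor.log` settings require /var/run/tor and /var/log/tor to exist and be writable by the tor account after privileges are dropped; the SlackBuild context shown here only touches /var/lib/tor, so I cannot tell from this diff whether those directories are created, and rc.tor's stop/reload/status paths silently report "not running" if the PID file is never written. A comment above PidFile, `## rc.tor reads this file for stop/reload/status; do not change without updating it`, would make that coupling visible to anyone editing the file.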