Page MenuHomePhabricator

research non-persistent entry guards
Closed, ResolvedPublic

Description

older info:

update:

Number of entry guards was reduced to 1 since then. (As per changelog.)

see also:

TODO:

  • Under the new situation of reduced number of default entry guards, ask the above questions again to see if situation has changed.

Documentation could explain how to stop the Tor service; wipe Tor's data dir; start Tor service; connect.

Editing /etc/tor/torrc by adding the following could do the trick.

DataDirectory /var/run/tor

After every reboot, Tor would use new entry guards. Maybe extra AppArmor rules would be required.

Details

Impact
Needs Triage

Event Timeline

JasonJAyalaP raised the priority of this task from to Normal.
JasonJAyalaP updated the task description. (Show Details)

Adding DataDirectory /var/run/tor to /etc/tor/torrc could do the trick. After every reboot, Tor would use new entry guards. Maybe extra AppArmor rules would be required.

So, first, we need someone to study and test this and report back.

/var/lib/tor is owned by user/group debian-tor.
/var/run/tor is owned by user/group root.
Therefore using DataDirectory /var/run/tor in /etc/tor/torrc would maybe not be a great idea. (Would lead to permission issue.)

Must be some non-persistent folder owned by user/group debian-tor.

Patrick renamed this task from Document non-persistent entry guards to research non-persistent entry guards.Jan 17 2015, 1:27 AM
Patrick updated the task description. (Show Details)
Patrick added a project: research.
Patrick updated the task description. (Show Details)
Patrick added a subscriber: HulaHoop.
Patrick updated the task description. (Show Details)Jun 21 2015, 2:13 PM
Patrick set Impact to Needs Triage.
Patrick updated the task description. (Show Details)Jun 21 2015, 2:25 PM
Patrick updated the task description. (Show Details)Jun 21 2015, 2:34 PM
HulaHoop added a comment.EditedJun 21 2015, 9:53 PM

A script on boot up that runs

chgrp -R debian-tor /var/run/tor

can do it?

http://ss64.com/bash/chgrp.html

Seems like on jessie there is no permission issue anymore. /var/run/tor is owned by user/group debian-tor by default. Check /etc/init.d/tor function check_torpiddir. Therefore /etc/tor/torrc setting DataDirectory /var/run/tor works out of the box in Whonix 11.

[/usr/lib/whonixcheck/check_tor_pid](https://github.com/Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_tor_pid) in whonixcheck needs a patch. That whonixcheck test fails because it's hardcoded to /var/run/tor/tor.pid. For Whonix 11 purposed you could add to documentation to skip this test then.*

*(Somewhat documented in /etc/whonix.d/30_whonixcheck_default. Create a file /etc/whonix.d/50_user with content whonixcheck_skip_functions+=" check_tor_pid ".)

Where to add this? Not sure where this fits best.

Maybe on https://www.whonix.org/wiki/Tor?

Yes I added it there.

Good work! Added to https://www.whonix.org/wiki/Documentation. Moved/incorporated Tor chapter from https://www.whonix.org/wiki/Advanced_Security_Guide#Tor to https://www.whonix.org/wiki/Tor. Made some changes.

On https://www.whonix.org/wiki/Documentation the page https://www.whonix.org/wiki/Tor is listed under advanced topics. Non-ideal. Too buried. Not something regular users read.

What about making https://www.whonix.org/wiki/Tor#Introduction a template (https://www.whonix.org/wiki/Template:Persistent_Entry_Guards_Introduction), and adding a new chapter to the https://www.whonix.org/wiki/Warning page 'Guard Relays can make you fingerprintable Across Different Physical Locations' or so? (Is "fingerprintable" the right term here?) What do you think? Could you do that please?