This document describes setting up Tor in a Linux chroot environment. It has been tested with:

but should work on any Linux distribution.

It explains the compilation, installation and configuration of Tor on a Linux system. The result is a Tor installation that runs in a chroot environment as the dedicated user tor. The home folder of this user will be /home/tor and the path of the chroot environment will be /home/tor/chroot. Tor itself will be installed to /home/tor/chroot/tor and its configuration file will be in /home/tor/chroot/tor/etc/tor/torrc.

A Tor installed this way can work as a Tor client and/or server.

Installation

First you need to get a copy of the latest source tarball of Tor and its signature, verify the signature, and unpack the tarball:

wget http://www.torproject.org/dist/tor-0.2.0.35.tar.gz.asc
wget http://www.torproject.org/dist/tor-0.2.0.35.tar.gz
gpg --verify tor-0.2.0.35.tar.gz.asc tor-0.2.0.35.tar.gz
tar -xzvf tor-0.2.0.35.tar.gz

Now you can configure and compile it:

cd tor-0.2.0.35
./configure --prefix=/tor
make

Next you should create a dedicated user which will later run the Tor process. On Debian or Debian-based distributions you can create the user with:

sudo adduser --disabled-login --gecos "Tor user,,," tor

On distributions with a different adduser implementation the above could fail. If so, take a look at the man page of your adduser command or use the low-level useradd command to create the user:

sudo useradd -d /home/tor -s /bin/false tor

After that we move the compiled tor-version to the chroot-directory:

TORCHROOT=/home/tor/chroot
sudo mkdir -p $TORCHROOT
sudo make install prefix=$TORCHROOT/tor exec_prefix=$TORCHROOT/tor

Chroot-Setup

Shared libraries

We need to copy all libraries that Tor needs into the chroot environment. Tor needs libevent, which might be available in your distribution as the packages libevent1 and libevent-dev, or just libevent. If it is not available for your distribution, compile it from source: http://www.monkey.org/~provos/libevent/ . Once you have libevent, go on to copy over the required libraries:

sudo mkdir $TORCHROOT/lib
sudo cp `ldd $TORCHROOT/tor/bin/tor | awk '{print $3}'|grep "^/"` $TORCHROOT/lib
sudo cp /lib/libnss* /lib/libnsl* /lib/ld-linux.so.2 /lib/libresolv* /usr/lib/libnss3.so /usr/lib/libgcc_s.so.* $TORCHROOT/lib
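
The ldd/awk copy above only picks up lines that carry a resolved path in the third field, so the dynamic loader and any "not found" entries are skipped silently. The following check is an added example, not part of the original page; the function names and the sample ldd output are constructed for illustration:

```shell
#!/bin/sh
# Added example: report libraries named in ldd output that are absent from
# the chroot's flat lib directory.
# Real use: ldd "$TORCHROOT/tor/bin/tor" | missing_chroot_libs "$TORCHROOT/lib"

missing_chroot_libs() {
    libdir=$1
    while read -r first arrow _rest; do
        case "$first" in
            linux-gate.so*|linux-vdso.so*) continue ;;  # kernel-provided, no file on disk
            /*) ;;                                      # loader line: path is in field 1
            *) [ "$arrow" = "=>" ] || continue ;;       # skip "statically linked" etc.
        esac
        name=${first##*/}
        # The page copies every library into one directory, so match by file name.
        [ -e "$libdir/$name" ] || printf '%s\n' "$name"
    done
}

# Constructed ldd output in the i686 layout the page targets (not a real capture).
sample_ldd() {
    cat <<'EOF'
    linux-gate.so.1 =>  (0xb7f1c000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7ed0000)
    libevent-1.4.so.2 => /usr/lib/libevent-1.4.so.2 (0xb7eb9000)
    libssl.so.0.9.8 => not found
    libc.so.6 => /lib/libc.so.6 (0xb7c2f000)
    /lib/ld-linux.so.2 (0xb7f1d000)
EOF
}

# Demo against a throwaway directory standing in for $TORCHROOT/lib.
demo_missing() {
    d=$(mktemp -d)
    # Simulate the awk '{print $3}' | grep "^/" copy: only resolved paths land here.
    for f in libz.so.1 libevent-1.4.so.2 libc.so.6; do : > "$d/$f"; done
    sample_ldd | missing_chroot_libs "$d"
    rm -rf "$d"
}

demo_missing
```

The check matches by file name only. The loader path is recorded inside the binary, so on systems where ldd reports it somewhere other than /lib it has to exist at that same path inside the chroot.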

Device nodes

Tor needs access to /dev/(u)random and /dev/null if run as a daemon, so you need to create them in the chroot environment:

sudo mkdir $TORCHROOT/dev
sudo mknod -m 644 $TORCHROOT/dev/random c 1 8
sudo mknod -m 644 $TORCHROOT/dev/urandom c 1 9
sudo mknod -m 666 $TORCHROOT/dev/null c 1 3

Configuration files

Now some files which are needed by some functions are copied into the chroot-environment:

sudo mkdir $TORCHROOT/etc
sudo sh -c "grep ^tor /etc/passwd > $TORCHROOT/etc/passwd"
sudo sh -c "grep ^tor /etc/group > $TORCHROOT/etc/group"
sudo cp /etc/nsswitch.conf /etc/host.conf /etc/resolv.conf /etc/hosts $TORCHROOT/etc
sudo cp /etc/localtime $TORCHROOT/etc

Tor-Configuration

We need to copy a Tor configuration skeleton into place in the chroot:

sudo cp $TORCHROOT/tor/etc/tor/torrc.sample $TORCHROOT/tor/etc/tor/torrc

Since chroot needs to be run as root but Tor does not, we configure Tor to drop its privileges after start. By adding the following line to the $TORCHROOT/tor/etc/tor/torrc file:

User tor

we tell Tor to drop its privileges to the user with the name tor. We also have to enable the data-directory explicitly:

DataDirectory /var/lib/tor2

tell Tor where to look for 'geoip' for ip-to-country lookups:

GeoIPFile /tor/share/tor/geoip

and should configure the PID and log files:

PidFile /var/run/tor/tor.pid
Log notice file /var/log/tor/log

These directories need to be created and owned by the user who shall run Tor:

sudo mkdir -p $TORCHROOT/var/run/tor
sudo mkdir -p $TORCHROOT/var/lib/tor
sudo mkdir -p $TORCHROOT/var/lib/tor2
sudo mkdir -p $TORCHROOT/var/log/tor
sudo chown tor:tor $TORCHROOT/var/run/tor
sudo chown tor:tor $TORCHROOT/var/lib/tor
sudo chown tor:tor $TORCHROOT/var/lib/tor2
sudo chown tor:tor $TORCHROOT/var/log/tor
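
Whether every path named in torrc has an existing directory inside the chroot, owned by the account Tor drops to, can be checked mechanically. This is an added example, not part of the original page; the function names and the fixture are made up here, and stat -c assumes GNU coreutils or busybox:

```shell
#!/bin/sh
# Added example: check that every directory torrc writes to exists inside the
# chroot and belongs to the account Tor drops to.
# Real use: audit_torrc_dirs "$TORCHROOT" "$TORCHROOT/tor/etc/tor/torrc" tor

audit_torrc_dirs() {
    root=$1; torrc=$2; owner=$3; rc=0
    while read -r key a b c _rest; do
        case "$key" in
            DataDirectory) dir=$a ;;
            PidFile)       dir=${a%/*} ;;            # parent of the pid file
            Log)           [ "$b" = "file" ] || continue
                           dir=${c%/*} ;;            # "Log notice file /path"
            *)             continue ;;               # comments and other options
        esac
        if [ ! -d "$root$dir" ]; then
            echo "MISSING $dir"; rc=1
        elif [ "$(stat -c %U "$root$dir")" != "$owner" ]; then
            echo "OWNER $dir"; rc=1
        fi
    done < "$torrc"
    return "$rc"
}

# Constructed fixture: the torrc lines from this page in a throwaway tree
# where the DataDirectory was never created.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/var/run/tor" "$t/var/log/tor" "$t/etc"
    cat > "$t/etc/torrc" <<'EOF'
User tor
DataDirectory /var/lib/tor2
PidFile /var/run/tor/tor.pid
Log notice file /var/log/tor/log
EOF
    echo "$t"
}

fixture=$(make_fixture)
me=$(stat -c %U "$fixture")     # stand-in for "tor" so the demo runs unprivileged
audit_torrc_dirs "$fixture" "$fixture/etc/torrc" "$me" || echo "audit failed"
rm -rf "$fixture"
```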

Testing

You have now finished setting up a Tor installation in a chroot environment and can start that Tor instance with:

sudo chroot $TORCHROOT /tor/bin/tor

This should produce the following output:

Apr 10 11:42:22.466 [notice] Tor v0.2.0.35 . This is experimental software. Do not rely on it for strong anonymity. (Running on Linux i686)
Apr 10 11:42:22.477 [notice] Initialized libevent version 1.4.8-stable using method epoll. Good.
Apr 10 11:42:22.479 [notice] Opening Socks listener on 127.0.0.1:9050

You can now abort it again by pressing CTRL+C on your keyboard. As a last piece of advice, you should add:

RunAsDaemon 1

to your Tor configuration. This is especially needed by some of the following init scripts.

You are now finished and can configure your tor-chroot installation in the file /home/tor/chroot/tor/etc/tor/torrc, for example to set it up as a relay.

Starting on boot

This part is quite distribution specific, but modifications to the given init-scripts should be applicable to other Linux distributions and *nix operating systems.

Here are init scripts which make it easy to start the tor-chroot installation on boot.

Archlinux

Move the following file to /etc/rc.d/ and give it a name you like, e.g. tor-chroot. After that you can start and stop Tor with:

sudo /etc/rc.d/tor-chroot start|stop|restart

To make it start automatically at boot time, add tor-chroot to the DAEMONS list in your /etc/rc.conf.

Init-Script:

#!/bin/bash
. /etc/rc.conf
. /etc/rc.d/functions

TORCHROOT=/home/tor/chroot
# Relative to TORCHROOT:
TORPATH=/tor/bin/tor


PID=`pidof -o %PPID $TORPATH`
case "$1" in
        start)
                stat_busy "Starting Tor Daemon"
                [ -z "$PID" ] && /usr/sbin/chroot $TORCHROOT $TORPATH &>/dev/null
                if [ $? -gt 0 ]; then
                        stat_fail
                else
                        add_daemon tor
                        stat_done
                fi
                ;;
        stop)
                stat_busy "Stopping Tor Daemon"
                [ ! -z "$PID" ] && kill $PID &> /dev/null
                if [ $? -gt 0 ]; then
                        stat_fail
                else
                        rm_daemon tor
                        stat_done
                fi
                ;;
        restart)
                $0 stop
                sleep 3
                $0 start
                ;;
        *)
                echo "usage: $0 {start|stop|restart}"
esac
exit 0
# vim: ft=sh ts=2 sw=2

Debian

This downloads some modifications to Debian's official Tor init script and a small wrapper which will perform the chroot. The scripts are not kept on the wiki so that they cannot be maliciously modified:

sudo wget -O /etc/init.d/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.init
sudo wget -O /etc/default/tor http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor.default
sudo wget -O $TORCHROOT/tor/bin/tor-chroot http://www.cl.cam.ac.uk/users/sjm217/projects/tor/tor-chroot
sudo chmod 755 /etc/init.d/tor /etc/default/tor $TORCHROOT/tor/bin/tor-chroot

After that you can start and stop tor with:

sudo /etc/init.d/tor start|stop|restart|reload|force-reload

Running update-rc.d will set up the start and stop links in the correct runlevel directories to make it autostart while booting:

sudo update-rc.d tor defaults 19

Updating Tor

If a new version of Tor is released and you want to update your Tor-Installation in the chroot just do the following. Download the new version and unpack it. After that you need to configure it the same way you did with the first installation and compile it:

./configure --prefix=/tor
make

And now you just have to install it to the correct place:

TORCHROOT=/home/tor/chroot
sudo make install prefix=$TORCHROOT/tor exec_prefix=$TORCHROOT/tor

That's it.

Final Notes

noreply: TheOnionRouter/TorInChroot (last edited 2009-10-13 01:41:30 by DamianJohnson)