From 5dfd80e1c5c9803a281804801592d191cf9148ae Mon Sep 17 00:00:00 2001 From: Chris Marusich Date: Sun, 22 Jul 2018 16:23:53 -0700 Subject: services: tor: Add a system test. * gnu/services/networking.scm (tor-configuration->torrc): Set PidFile to /var/run/tor/tor.pid in the base torrc configuration. (tor-shepherd-service) : Call make-forkexec-constructor/container with a new #:pid-file argument to tell Shepherd where to find the PID file. Add a a new to its existing #:mappings argument to share /var/run/tor with the the container. (tor-hidden-services-activation): Update docstring. Create /var/run/tor and set its permissions so only the tor user can access it. * gnu/tests/networking.scm (%test-tor, %tor-os): New variables. (run-tor-test): New procedure. --- gnu/services/networking.scm | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) (limited to 'gnu/services/networking.scm') diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index d5d0cf9d1d..66772e48b7 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -7,6 +7,7 @@ ;;; Copyright © 2017 Thomas Danckaert ;;; Copyright © 2017 Marius Bakke ;;; Copyright © 2018 Tobias Geerinckx-Rice +;;; Copyright © 2018 Chris Marusich ;;; ;;; This file is part of GNU Guix. ;;; @@ -612,6 +613,7 @@ demand."))) ### These lines were generated from your system configuration: User tor DataDirectory /var/lib/tor +PidFile /var/run/tor/tor.pid Log notice syslog\n" port) (for-each (match-lambda @@ -639,7 +641,7 @@ HiddenServicePort ~a ~a~%" #t)))))))) (define (tor-shepherd-service config) - "Return a running TOR." + "Return a running Tor." (match config (($ tor) (let ((torrc (tor-configuration->torrc config))) @@ -665,12 +667,17 @@ HiddenServicePort ~a ~a~%" (writable? #t)) (file-system-mapping (source "/dev/log") ;for syslog - (target source))))) + (target source)) + (file-system-mapping + (source "/var/run/tor") + (target source) + (writable? #t))) + #:pid-file "/var/run/tor/tor.pid")) (stop #~(make-kill-destructor)) (documentation "Run the Tor anonymous network overlay.")))))))) (define (tor-hidden-service-activation config) - "Return the activation gexp for SERVICES, a list of hidden services." + "Set up directories for Tor and its hidden services, if any." #~(begin (use-modules (guix build utils)) @@ -686,6 +693,15 @@ HiddenServicePort ~a ~a~%" ;; The daemon bails out if we give wider permissions. (chmod directory #o700))) + ;; Allow Tor to write its PID file. + (mkdir-p "/var/run/tor") + (chown "/var/run/tor" (passwd:uid %user) (passwd:gid %user)) + ;; Set the group permissions to rw so that if the system administrator + ;; has specified UnixSocksGroupWritable=1 in their torrc file, members + ;; of the "tor" group will be able to use the SOCKS socket. + (chmod "/var/run/tor" #o750) + + ;; Allow Tor to access the hidden services' directories. (mkdir-p "/var/lib/tor") (chown "/var/lib/tor" (passwd:uid %user) (passwd:gid %user)) (chmod "/var/lib/tor" #o700) -- cgit 1.4.1 From d973915e4842b8b1bfc2266ed42d3b8c2ca77e93 Mon Sep 17 00:00:00 2001 From: Chris Marusich Date: Wed, 25 Jul 2018 02:51:41 -0700 Subject: services: tor: Rename activation procedure. * gnu/services/networking.scm: Rename the procedure tor-hidden-service-activation to tor-activation. --- gnu/services/networking.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'gnu/services/networking.scm') diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 66772e48b7..b7f2bfe7b3 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -676,7 +676,7 @@ HiddenServicePort ~a ~a~%" (stop #~(make-kill-destructor)) (documentation "Run the Tor anonymous network overlay.")))))))) -(define (tor-hidden-service-activation config) +(define (tor-activation config) "Set up directories for Tor and its hidden services, if any." #~(begin (use-modules (guix build utils)) @@ -721,7 +721,7 @@ HiddenServicePort ~a ~a~%" (service-extension account-service-type (const %tor-accounts)) (service-extension activation-service-type - tor-hidden-service-activation))) + tor-activation))) ;; This can be extended with hidden services. (compose concatenate) -- cgit 1.4.1 From 3bcb305b98e02f6c9d98e7325813fc00f18f0e6c Mon Sep 17 00:00:00 2001 From: Chris Marusich Date: Tue, 31 Jul 2018 01:13:48 -0700 Subject: services: tor: Make it easier to use UNIX sockets. * doc/guix.texi (Networking Services): Document it, and mention that tor-service is deprecated. * gnu/services/networking.scm () : New field. (tor-configuration->torrc): When socks-socket-type is 'unix, set SocksPort to UNIX domain socket /var/run/tor/socks-sock and set UnixSocksGroupWritable to 1. * gnu/tests/networking.scm (%tor-os/unix-socks-socket): Instead of using a custom config file, just set socks-socket-type to 'unix. --- doc/guix.texi | 55 +++++++++++++++++++++++++++++++++++++++------ gnu/services/networking.scm | 10 +++++++-- gnu/tests/networking.scm | 8 +------ 3 files changed, 57 insertions(+), 16 deletions(-) (limited to 'gnu/services/networking.scm') diff --git a/doc/guix.texi b/doc/guix.texi index d2d278df47..3a3368b78f 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -11450,16 +11450,57 @@ detailed discussion of each configuration field. @end deftp @cindex Tor -@deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}] -Return a service to run the @uref{https://torproject.org, Tor} anonymous -networking daemon. +@defvr {Scheme Variable} tor-service-type +This is the type for a service that runs the @uref{https://torproject.org, +Tor} anonymous networking daemon. The service is configured using a +@code{} record. By default, the Tor daemon runs as the +@code{tor} unprivileged user, which is a member of the @code{tor} group. + +@end defvr -The daemon runs as the @code{tor} unprivileged user. It is passed -@var{config-file}, a file-like object, with an additional @code{User tor} line -and lines for hidden services added via @code{tor-hidden-service}. Run -@command{man tor} for information about the configuration file. +@deffn {Scheme Procedure} tor-service [@var{config-file}] [#:tor @var{tor}] +This procedure is deprecated and will be removed in a future release. Return +a service of the @code{tor-service-type} type. @var{config-file} and +@var{tor} have the same meaning as in @code{}. @end deffn +@deftp {Data Type} tor-configuration +@table @asis +@item @code{tor} (default: @code{tor}) +The package that provides the Tor daemon. This package is expected to provide +the daemon at @file{bin/tor} relative to its output directory. The default +package is the @uref{https://www.torproject.org, Tor Project's} +implementation. + +@item @code{config-file} (default: @code{(plain-file "empty" "")}) +The configuration file to use. It will be appended to a default configuration +file, and the final configuration file will be passed to @code{tor} via its +@code{-f} option. This may be any ``file-like'' object (@pxref{G-Expressions, +file-like objects}). See @code{man tor} for details on the configuration file +syntax. + +@item @code{hidden-services} (default: @code{'()}) +The list of @code{} records to use. For any hidden service +you include in this list, appropriate configuration to enable the hidden +service will be automatically added to the default configuration file. You +may conveniently create @code{} records using the +@code{tor-hidden-service} procedure described below. + +@item @code{socks-socket-type} (default: @code{'tcp}) +The default socket type that Tor should use for its SOCKS socket. This must +be either @code{'tcp} or @code{'unix}. If it is @code{'tcp}, then by default +Tor will listen on TCP port 9050 on the loopback interface (i.e., localhost). +If it is @code{'unix}, then Tor will listen on the UNIX domain socket +@file{/var/run/tor/socks-sock}, which will be made writable by members of the +@code{tor} group. + +If you want to customize the SOCKS socket in more detail, leave +@code{socks-socket-type} at its default value of @code{'tcp} and use +@code{config-file} to override the default by providing your own +@code{SocksPort} option. +@end table +@end deftp + @cindex hidden service @deffn {Scheme Procedure} tor-hidden-service @var{name} @var{mapping} Define a new Tor @dfn{hidden service} called @var{name} and implementing diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index b7f2bfe7b3..b6b5ee3fec 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -577,7 +577,9 @@ demand."))) (config-file tor-configuration-config-file (default (plain-file "empty" ""))) (hidden-services tor-configuration-hidden-services - (default '()))) + (default '())) + (socks-socket-type tor-configuration-socks-socket-type ; 'tcp or 'unix + (default 'tcp))) (define %tor-accounts ;; User account and groups for Tor. @@ -599,7 +601,7 @@ demand."))) (define (tor-configuration->torrc config) "Return a 'torrc' file for CONFIG." (match config - (($ tor config-file services) + (($ tor config-file services socks-socket-type) (computed-file "torrc" (with-imported-modules '((guix build utils)) @@ -615,6 +617,10 @@ User tor DataDirectory /var/lib/tor PidFile /var/run/tor/tor.pid Log notice syslog\n" port) + (when (eq? 'unix '#$socks-socket-type) + (display "\ +SocksPort unix:/var/run/tor/socks-sock +UnixSocksGroupWritable 1\n" port)) (for-each (match-lambda ((service (ports hosts) ...) diff --git a/gnu/tests/networking.scm b/gnu/tests/networking.scm index 7ca71f0c2c..381c5caf14 100644 --- a/gnu/tests/networking.scm +++ b/gnu/tests/networking.scm @@ -354,13 +354,7 @@ subnet 192.168.1.0 netmask 255.255.255.0 { (simple-operating-system (service tor-service-type (tor-configuration - (config-file - (plain-file "test-torrc" - "\ -SocksPort unix:/var/run/tor/socks-sock -UnixSocksGroupWritable 1 -") - ))))) + (socks-socket-type 'unix))))) (define (run-tor-test) (define os -- cgit 1.4.1