Best Practices for Configuring Nyx Access on OpenBSD?

Support Relay Operator
1

Hi friends,

I just configured Nyx to run as a normal user on OpenBSD, and I am looking for feedback on the security of my approach and suggestions for any better alternatives.

Setup:

  • Nyx 2.1.0
  • Tor 0.4.8.10 (CookieAuthentication 1 in torrc)
  • OpenBSD 7.5

Problem:

Nyx will run as root, but as a normal user I got the following error:

$ nyx
We were unable to read Tor's authentication cookie...

  Path: /var/tor/control_auth_cookie
  Issue: Authentication failed: '/var/tor/control_auth_cookie' doesn't exist

I added my user to the _tor group, but it turns out only the _tor user itself can read this file.

# ls -l /var/tor/control_auth_cookie
-rw-------  1 _tor  _tor    32B Apr 27 03:30 /var/tor/control_auth_cookie

Solution:

I added read permission to the file for the group and then read and execute permissions to the parent directory to allow group members access:

# chmod g+r /var/tor/control_auth_cookie
# chmod g+rx /var/tor

Now, my normal user can run Nyx, and can list the directory contents of /var/tor, and read control_auth_cookie. I checked to see if the other files and directories (like /var/tor/keys) were accessible, and they are not.

Questions:

Was this the best way to go about things? What might the adverse consequences be? Is there a better way? (I thought an alternative would be to configure doas to run Nyx as the _tor user, but I wasn’t sure about that either.)

Thanks for any insights or suggestions!

1 Like
2

Hey friends, I just wanted to give an update on this. The method above doesn’t work because the Tor process resets the permissions for /var/tor automatically after about a day.

# grep -i /var/tor /var/log/messages
Tor[72495]: Fixing permissions on directory /var/tor

However, it turns out there are some torrc options to achieve the same thing :

CookieAuthFileGroupReadable     1
CookieAuthFile                  /var/tor/control_auth_cookie
DataDirectoryGroupReadable      1

It seems to work for me so far. I will update if the permissions get reset again.

Another thing I did was configure doas so that my normal user puffy can execute the nyx command as the _tor user. You can do this by adding the following line to /etc/doas.conf (create the file if it doesn’t exist already):

permit nopass puffy as _tor cmd nyx

Then you can run nyx with

$ doas -u _tor nyx

I am not sure which of these two approaches is better though.

1 Like