Help - Torrc ORPort permission errors

My IP is IPv4 only.

  • When I enter ORPort 443 or ORPort 443 IPv4Only, I get these errors:

[warn] No permission to set capabilities pre-setuid: Permission denied

[warn] Failed to parse/validate config: Problem with User value. See logs for details.

  • ORPort auto eventually gives the error Unable to find IPv6 address for ORPort <port #> and suggests setting IPv4Only. How can I fix this?

When running tor on 443 you’ll need elevated privileges for opening that port.

On Unix-like operating systems, a process must execute with superuser privileges to be able to bind a network socket to an IP address using one of the well-known ports

List of TCP and UDP port numbers - Wikipedia

Enable logging or see enabled logs for the second warning
[warn] Failed to parse/validate config: Problem with User value. See logs for details.

Log notice file /var/log/tor/notices.log ← might need to be adapted to a folder you are allowed to read and write

ORPort auto IPv4Only ← should work (actually never tried on my own)

Entering sudo journalctl returns dozens of thousands of log lines, and searching “User value” in the terminal search doesn’t return any results. Any idea on a specific item to search, or would a reboot help narrow it down?

might need to be adapted to a folder you are allowed to read and write

How would I do that?

ORPort auto IPv4Only is still testing, will check after work. :slight_smile:

By the way, I already ran echo 'net.ipv4.ip_unprivileged_port_start=433' > /etc/sysctl.d/50-unprivileged-ports.conf and rebooted but the permission error didn’t stop. I opened /etc/sysctl.d/50-unprivileged-ports.conf and its only entry is et.ipv4.ip_unprivileged_port_start=433
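Added example, not part of any post in this thread: a shell check of a sysctl.d drop-in for net.ipv4.ip_unprivileged_port_start, the setting discussed above. The function name check_port_start and the sample files are constructed for illustration; a port needs no privilege to bind when it is greater than or equal to the configured value, and a line whose key is not spelled exactly is not counted.

```shell
#!/usr/bin/env bash
# Added example: evaluate a sysctl.d drop-in for the unprivileged-port setting.
KEY='net.ipv4.ip_unprivileged_port_start'

# Prints one of:
#   allowed      - key is set and PORT >= value, so binding needs no privilege
#   privileged   - key is set but PORT < value, so binding still needs privilege
#   key-missing  - no line assigns the exact key (for example a misspelled key)
check_port_start() {
    local file=$1 port=$2 value='' line t k v
    while IFS= read -r line || [ -n "$line" ]; do
        t=$(printf '%s' "$line" | tr -d '[:space:]')   # drop all whitespace
        case $t in
            ''|'#'*|';'*) continue ;;                  # blank line or comment
            *=*) ;;                                    # looks like key=value
            *) continue ;;
        esac
        k=${t%%=*}
        v=${t#*=}
        [ "$k" = "$KEY" ] || continue                  # exact key match only
        case $v in ''|*[!0-9]*) continue ;; esac       # skip non-numeric values
        value=$v                                       # last assignment wins
    done < "$file"
    if [ -z "$value" ]; then
        echo key-missing
    elif [ "$port" -ge "$value" ]; then
        echo allowed
    else
        echo privileged
    fi
}

# Constructed sample files (not taken from a real system).
demo() {
    local dir f
    dir=$(mktemp -d)
    printf 'et.ipv4.ip_unprivileged_port_start=433\n' > "$dir/typo.conf"
    printf 'net.ipv4.ip_unprivileged_port_start=443\n' > "$dir/lowered.conf"
    printf 'net.ipv4.ip_unprivileged_port_start=1024\n' > "$dir/default.conf"
    for f in typo lowered default; do
        printf '%-8s port 443: %s\n' "$f" "$(check_port_start "$dir/$f.conf" 443)"
    done
    rm -rf "$dir"
}
demo
```

The value the running kernel is actually using can be read with sysctl -n net.ipv4.ip_unprivileged_port_start.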

Guess you are running Fedora? journalctl --unit tor might help

You have to edit your torrc accordingly.

That’s where I had gotten those error snippets from. I can provide the complete results later today.

Also, what entry/edit do you recommend I make in torrc to adapt a folder that I can read and write to?

This depends on the user tor is running with. The user used to run tor should be able to read and write to that folder. You might use /tmp for debugging - but make sure to change it later…

I’ve only been logging in as root. How can I make sure that that’s the user running it?

ps aux | grep tor

But you should not run tor as root.

This was my output:

[root@fedora-39 ~]# ps aux | grep tor
toranon     4832  1.2 35.7 455500 347512 ?       Ssl  12:48   8:06 /usr/bin/tor --runasdaemon 0 --defaults-torrc /usr/share/tor/defaults-torrc -f /etc/tor/torrc
root        8469  0.0  0.2   6500  2188 pts/0    S+   23:39   0:00 grep --color=auto tor

I’ve created an unprivileged user named matchless849 . What would be the simplest way to set Tor to run on that unprivileged user?

@yummy_onion
If you write Log notice file FILENAME in the torrc, tor will send log messages to the listed filename; if you write Log notice syslog in the torrc, tor will send log messages to the system log, on Fedora you can use journalctl to read these log messages.
https://manpages.debian.org/jessie/tor/torrc.5

I guess you followed atari’s advice (Log notice file /var/log/tor/notices.log), but tried reading the log with journalctl.


I set ORPort auto IPv4Only around 12:30 UTC today and haven’t restarted Tor service. journalctl --unit tor indicates that it is running successfully. We’re making progress! :slight_smile:
What’s left now is to get it to run on port 443 and on the unprivileged user.

If you want to continue using this user you have to make sure the user is able to read/write the corresponding folders.

Assuming you are using default paths:

chown -R toranon:toranon /var/log/tor
chown -R toranon:toranon /var/lib/tor

I’ve uncommented Log notice file /var/log/tor/notices.log and ran journalctl but had trouble reaching the latest logs. I used the find feature in terminal but the results seemed incomplete and the same as what journalctl --unit tor returns. So I ran journalctl --unit tor and this is the last part of it. It seems to be running properly and the Relay Search says so as well; now I just need to get it to run on an unprivileged user and on port 443 (as my other pending response indicates).

Jan 13 12:49:08 fedora-39.servers.guru Tor[4832]: Performing bandwidth self-test...done.
Jan 13 18:49:01 fedora-39.servers.guru Tor[4832]: Heartbeat: Tor's uptime is 6:00 hours, with 4 circuits open. I've sent 99.95 MB and received 99.39 MB. I've received 5311 connections on IP>
Jan 13 18:49:01 fedora-39.servers.guru Tor[4832]: While not bootstrapping, fetched this many bytes: 5500810 (server descriptor fetch); 1593 (server descriptor upload); 923262 (consensus net>
Jan 13 18:49:01 fedora-39.servers.guru Tor[4832]: Circuit handshake stats since last time: 0/0 TAP, 6485/6485 NTor.
Jan 13 18:49:01 fedora-39.servers.guru Tor[4832]: Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connec>
Jan 13 18:49:01 fedora-39.servers.guru Tor[4832]: Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses>
Jan 14 00:49:01 fedora-39.servers.guru Tor[4832]: Heartbeat: Tor's uptime is 12:00 hours, with 1 circuits open. I've sent 205.41 MB and received 201.89 MB. I've received 11488 connections o>
Jan 14 00:49:01 fedora-39.servers.guru Tor[4832]: While not bootstrapping, fetched this many bytes: 10438490 (server descriptor fetch); 2133 (server descriptor upload); 1215682 (consensus n>
Jan 14 00:49:01 fedora-39.servers.guru Tor[4832]: Circuit handshake stats since last time: 0/0 TAP, 7935/7935 NTor.
Jan 14 00:49:01 fedora-39.servers.guru Tor[4832]: Since startup we initiated 0 and received 0 v1 connections; initiated 0 and received 0 v2 connections; initiated 0 and received 0 v3 connec>
Jan 14 00:49:01 fedora-39.servers.guru Tor[4832]: Heartbeat: DoS mitigation since startup: 0 circuits killed with too many cells, 0 circuits rejected, 0 marked addresses, 0 marked addresses>

Please read the manuals of journalctl and less.

$ man journalctl
       …
       The output is paged through less by default, and long lines are
       "truncated" to screen width. The hidden part can be viewed by using the
       left-arrow and right-arrow keys. Paging can be disabled; see the
       --no-pager option and the "Environment" section below.
       …

$ man less
       …
       UPARROW [ ESC-k ]
              Retrieve  the  previous  command  line.  If you first enter some
              text and then press UPARROW, it will retrieve the previous  com‐
              mand which begins with that text.

       DOWNARROW [ ESC-j ]
              Retrieve  the  next  command line.  If you first enter some text
              and then press DOWNARROW, it  will  retrieve  the  next  command
              which begins with that text.
       …