Update: There's a better Howto at the Tor Wiki. This here is history.

Howto install tor chrooted and unpriviledged on OpenBSD

tar xfz tor-...tar.gz
cd tor-...tar.gz
build a static binary so we don't have to worry about dynamic libs, loaders, etc. Tor will run chrooted and we're not bored enough to set up file system hierarchies, so:
env CFLAGS=-static ./configure --prefix=/
gmake
/var is mounted with -o nodev in many OpenBSD installations, and tor needs to write stuff, so the usual /var/empty will not do. We will create /tor . You can choose any other location, but the filesystem must allow executables and devices there.
export TORDIR=/tor # bourne-shell (sh/ksh/bash/zsh) sudo mkdir $TORDIR
WARNING: If you omit the export TORDIR, the following commands will fail or damage your system seriously, because they are executed as root on the root-directory / .
install it:
sudo gmake DESTDIR=$TORDIR install
tor uses /dev/*random for key creation, so it needs those (and then a few, like /dev/null):
sudo mkdir $TORDIR/dev cd $TORDIR/dev sudo sh /dev/MAKEDEV random sudo sh /dev/MAKEDEV std
remove unnecessary and potentially dangerous special files in $TORDIR/dev:
sudo rm drum ksyms kmem mem tty console klog xf86
I suggest to get tor's logs in /var/log/messages, so let's have syslog install a socket in tor's /dev upon restart:
sudo vi /etc/rc.conf.local
add a line syslogd_flags="-a $TORDIR/dev/log" but replace $TORDIR by the actual directory you chose (/tor in this example).
We'll not run tor as root, we create a special user _tor with group _tor, class daemon, no typeable password and nologin as shell (this creates the user in /etc/master.passwd)
sudo groupadd _tor sudo useradd -g _tor -d /nonexistent -L daemon \ -c '_tor anonymizer' -s /sbin/nologin _tor
The chrooted tor will never see /etc/master.passwd, so we have to provide a copy:
sudo touch $TORDIR/etc/master.passwd sudo grep "^_tor:" /etc/master.passwd | sudo dd of=$TORDIR/etc/master.passwd
The /etc/pwd.db and so forth are still missing:
sudo touch $TORDIR/etc/spwd.db $TORDIR/etc/pwd.db sudo pwd_mkdb -d $TORDIR/etc -u _tor $TORDIR/etc/master.passwd
(creates $TORDIR/etc/{passwd,master.passwd,pwd.db,spwd.db})
Provide a _tor group:
sudo touch $TORDIR/etc/group grep "^_tor:" /etc/group | sudo dd of=$TORDIR/etc/group
Create writable space and modify tor's config for our setup
sudo mkdir -p $TORDIR/var/tor sudo chown -R _tor:_tor $TORDIR/var sudo cp $TORDIR/etc/tor/torrc.sample $TORDIR/etc/tor/torrc sudo vi $TORDIR/etc/tor/torrc
add lines:
User _tor Group _tor Log notice syslog RunAsDaemon 1 DataDirectory /var/tor
restart syslog with an additional "-a $TORDIR/dev/log" (creates a socket to the syslog daemon)
Start tor to see if it works out:
sudo chroot $TORDIR /bin/tor -f /etc/tor/torrc
Look in /var/log/messages for lines from tor. If it seems to run allright,
install privoxy. Necessary because almost no browser correctly implements socks4a:
cd /usr/ports/www/privoxy; make ; sudo make install
Configure privoxy to forward everything through tor:
vi /etc/privoxy/config
search for the socks4a-forward section and add
forward-socks4a / localhost:9050 .
Start privoxy
sudo /usr/local/sbin/privoxy
configure your browser to use http://localhost:8118/ as proxy for everything. For lynx, it's sufficient to set http_proxy="http://127.0.0.1:9050/".
start sudo tcpdump -v port 80 in one terminal and start the browser in another (close all other running browsers, RSS-readers, wgets, etc.).
If it works, add startup code to /etc/rc.local:
if [ -x /tor/bin/tor ]; then chroot /tor/ /bin/tor echo -n ' tor'; fi
Finished. Thank you for your attention
Matthias Bauer <obsdtor@weggla·franken·org>
Feb 7 2005