Update: There's a better Howto at
the Tor Wiki. This here is history.
Howto install tor chrooted and unprivileged on OpenBSD

- tar xfz tor-...tar.gz
- cd tor-...
- build a static binary so we don't have to worry about dynamic libs,
  loaders, etc. Tor will run chrooted and we're not bored enough to set up
  file system hierarchies, so:
  env CFLAGS=-static ./configure --prefix=/
- gmake
- /var is mounted with -o nodev in many OpenBSD installations, and tor
  needs to write stuff, so the usual /var/empty will not do. We will
  create /tor. You can choose any other location, but the filesystem
  must allow executables and devices there.
  export TORDIR=/tor   # bourne-shell (sh/ksh/bash/zsh)
  sudo mkdir $TORDIR
  WARNING: If you omit the export TORDIR, the following commands will
  fail or seriously damage your system, because they are executed as
  root on the root directory /.
- install it:
  sudo gmake DESTDIR=$TORDIR install
- tor uses /dev/*random for key creation, so it needs those (and then a
  few more, like /dev/null):
  sudo mkdir $TORDIR/dev
  cd $TORDIR/dev
  sudo sh /dev/MAKEDEV random
  sudo sh /dev/MAKEDEV std
- remove unnecessary and potentially dangerous special files in
  $TORDIR/dev:
  sudo rm drum ksyms kmem mem tty console klog xf86
- I suggest getting tor's logs into /var/log/messages, so let's have
  syslog install a socket in tor's /dev upon restart:
  sudo vi /etc/rc.conf.local
  add a line
  syslogd_flags="-a $TORDIR/dev/log"
  but replace $TORDIR by the actual directory you chose (/tor in this
  example).
- We'll not run tor as root; we create a special user _tor with group
  _tor, class daemon, no typeable password and nologin as shell (this
  creates the user in /etc/master.passwd):
  sudo groupadd _tor
  sudo useradd -g _tor -d /nonexistent -L daemon \
      -c '_tor anonymizer' -s /sbin/nologin _tor
- The chrooted tor will never see /etc/master.passwd, so we have to
  provide a copy (containing only the _tor line):
  sudo touch $TORDIR/etc/master.passwd
  sudo grep "^_tor:" /etc/master.passwd | sudo dd of=$TORDIR/etc/master.passwd
- The /etc/pwd.db and so forth are still missing:
  sudo touch $TORDIR/etc/spwd.db $TORDIR/etc/pwd.db
  sudo pwd_mkdb -d $TORDIR/etc -u _tor $TORDIR/etc/master.passwd
  (creates $TORDIR/etc/{passwd,master.passwd,pwd.db,spwd.db})
- Provide a _tor group:
  sudo touch $TORDIR/etc/group
  grep "^_tor:" /etc/group | sudo dd of=$TORDIR/etc/group
- Create writable space and modify tor's config for our setup:
  sudo mkdir -p $TORDIR/var/tor
  sudo chown -R _tor:_tor $TORDIR/var
  sudo cp $TORDIR/etc/tor/torrc.sample $TORDIR/etc/tor/torrc
  sudo vi $TORDIR/etc/tor/torrc
  add lines:
  User _tor
  Group _tor
  Log notice syslog
  RunAsDaemon 1
  DataDirectory /var/tor
- restart syslog with the additional "-a $TORDIR/dev/log" (creates a
  socket to the syslog daemon)
- Start tor to see if it works out:
  sudo chroot $TORDIR /bin/tor -f /etc/tor/torrc
- Look in /var/log/messages for lines from tor. If it seems to run all
  right,
- install privoxy. Necessary because almost no browser correctly
  implements socks4a:
  cd /usr/ports/www/privoxy; make ; sudo make install
- Configure privoxy to forward everything through tor:
  vi /etc/privoxy/config
  search for the socks4a-forward section and add
  forward-socks4a / localhost:9050 .
- Start privoxy:
  sudo /usr/local/sbin/privoxy
- configure your browser to use http://localhost:8118/ as proxy for
  everything. For lynx, it's sufficient to
  set http_proxy="http://127.0.0.1:8118/"
- start
  sudo tcpdump -v port 80
  in one terminal and start the browser in another (close all other
  running browsers, RSS-readers, wgets, etc.).
- If it works, add startup code to /etc/rc.local:
  if [ -x /tor/bin/tor ]; then
      chroot /tor/ /bin/tor
      echo -n ' tor';
  fi
- Finished. Thank you for your attention.

Matthias Bauer <obsdtor@weggla·franken·org>
Feb 7 2005