If bitcoind and tor run as different users bitcoind cannot authenticate with tor control

[nathaniel-mahieu]

If bitcoind and tor run as different users, bitcoind cannot authenticate with tor control.

This can be resolved by adding the user running bitcoind to the user group of the tor user (in my case debian-tor).

Logs indicate permission issues with the authcookie.

tor: Authentication cookie /var/run/tor/control.authcookie could not be opened (check permissions)

Using hashedpassword authentication did not resolve this issue because at some point it fell back to the cookie method as well.

I'm not sure this is exactly a bug, but it was challenging for me to figure out the solution to the issue. If this isn't a bug would it be appropriate for me to add documentation of this to the tor readme?

[sipa]

Sounds like something to add to the documentation.

[luke-jr]

IMO we should definitely NOT recommend running bitcoind and tor as the same user. Same group would make sense to document.

[laanwj]

In this case you should set up permissions that the cookie file is readable by your bitcoind user, or use hashed password authentication .

IMO we should definitely NOT recommend running bitcoind and tor as the same user. Same group would make sense to document.

Agree, there's no need to change the users nor groups that programs run on here. That'd remove a level of isolation that could help security. They just need to be able to communicate.

Using hashedpassword authentication did not resolve this issue because at some point it fell back to the cookie method as well.

#7703 fixes this (or as workaround: disable cookie auth in tor).

[laanwj]

Closing as #7703 is merged

[nathaniel-mahieu]

Hello all,

Sorry I was away from communication for a week. I'd still like to document how to get cookie auth working or note not to use cookie auth in the tor documentation.

@laanwj, you mention a more appropriate solution - an alternative to adding the bitcoind user to the tor group. Is that to create a "tor-cookie" group, add both users to that group, and chown the cookie file? As far as I'm aware, that cookie is destroyed and generated programmatically and I'm not sure how to set appropriate permissions that will persist.

[laanwj]

As far as I'm aware, that cookie is destroyed and generated programmatically and I'm not sure how to set appropriate permissions that will persist.

Ideally Tor would have a configuration option to set up permissions for the cookie file accordingly. I don't know if that's the case though.

Adding the user to the tor group may indeed be most practical option. Having access to Tor's control socket pretty much gives full control over tor, anyhow. I don't think having the group grants all that much more permission? Or does it?

And at least mentioning the alternative of using password authentication makes sense, along with a link to Tor's (excellent) own documentation how to do so.