If bitcoind and tor run as different users bitcoind cannot authenticate with tor control #8145

nathaniel-mahieu opened this issue on June 3, 2016
  1. nathaniel-mahieu commented at 5:23 PM on June 3, 2016: contributor

    If bitcoind and tor run as different users, bitcoind cannot authenticate with tor control.

    This can be resolved by adding the user running bitcoind to the user group of the tor user (in my case debian-tor).

    Logs indicate permission issues with the authcookie.

    tor: Authentication cookie /var/run/tor/control.authcookie could not be opened (check permissions)
    

    Using hashedpassword authentication did not resolve this issue because at some point it fell back to the cookie method as well.

    I'm not sure this is exactly a bug, but it was challenging for me to figure out the solution to the issue. If this isn't a bug, would it be appropriate for me to add documentation of this to the tor readme?

  2. sipa commented at 5:50 PM on June 3, 2016: member

    Sounds like something to add to the documentation.

  3. MarcoFalke added the label Docs and Output on Jun 3, 2016
  4. luke-jr commented at 6:32 PM on June 3, 2016: member

    IMO we should definitely NOT recommend running bitcoind and tor as the same user. Same group would make sense to document.

  5. laanwj commented at 6:07 AM on June 6, 2016: member

    In this case you should set up permissions so that the cookie file is readable by your bitcoind user, or use hashed password authentication.

    > IMO we should definitely NOT recommend running bitcoind and tor as the same user. Same group would make sense to document.

    Agree, there's no need to change the users nor groups that programs run on here. That'd remove a level of isolation that could help security. They just need to be able to communicate.

    > Using hashedpassword authentication did not resolve this issue because at some point it fell back to the cookie method as well.

    #7703 fixes this (or as workaround: disable cookie auth in tor).

  6. laanwj commented at 2:42 PM on June 8, 2016: member

    Closing as #7703 is merged

  7. laanwj closed this on Jun 8, 2016

  8. nathaniel-mahieu commented at 4:09 PM on June 13, 2016: contributor

    Hello all,

    Sorry I was away from communication for a week. I'd still like to document how to get cookie auth working or note not to use cookie auth in the tor documentation. @laanwj, you mention a more appropriate solution - an alternative to adding the bitcoind user to the tor group. Is that to create a "tor-cookie" group, add both users to that group, and chown the cookie file? As far as I'm aware, that cookie is destroyed and generated programmatically and I'm not sure how to set appropriate permissions that will persist.

  9. laanwj commented at 9:21 AM on June 14, 2016: member

    > As far as I'm aware, that cookie is destroyed and generated programmatically and I'm not sure how to set appropriate permissions that will persist.

    Ideally Tor would have a configuration option to set up permissions for the cookie file accordingly. I don't know if that's the case though.

    Adding the user to the tor group may indeed be the most practical option. Having access to Tor's control socket pretty much gives full control over tor, anyhow. I don't think having the group grants all that much more permission? Or does it?

    And at least mentioning the alternative of using password authentication makes sense, along with a link to Tor's (excellent) own documentation on how to do so.

  10. MarcoFalke locked this on Sep 8, 2021
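Added example, not part of the original thread or of Bitcoin Core's code: a check of whether a given user can reach and read the Tor control cookie, applying the POSIX owner/group/other rule to every path component. The uid/gid numbers and modes in `SAMPLE` are constructed; ACLs and MAC policy (AppArmor, SELinux) are not evaluated.

```python
import os
import pwd
import stat

def allowed(mode, o_uid, o_gid, uid, gids, want):
    """POSIX class selection: owner, else group, else other (first match wins)."""
    if uid == o_uid:
        bits = (mode >> 6) & 7
    elif o_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bits & want == want

def diagnose(entries, uid, gids):
    """entries: (path, st_mode, st_uid, st_gid) from / down to the cookie.
    Returns None if readable, else a message naming the first blocking component."""
    for path, mode, o_uid, o_gid in entries:
        is_dir = stat.S_ISDIR(mode)
        if not allowed(mode, o_uid, o_gid, uid, gids, 1 if is_dir else 4):
            need = "search (x)" if is_dir else "read (r)"
            return f"{path}: uid {uid} lacks {need}, mode {stat.S_IMODE(mode):o}"
    return None

def entries_for(cookie):
    """Stat every component of a real cookie path (run as root so stat succeeds)."""
    out, p = [], os.path.abspath(cookie)
    while True:
        st = os.stat(p)
        out.append((p, st.st_mode, st.st_uid, st.st_gid))
        if p == os.path.dirname(p):
            break
        p = os.path.dirname(p)
    return out[::-1]

def ids_for(user):
    """uid and full group set (primary + supplementary) of a local account."""
    pw = pwd.getpwnam(user)
    return pw.pw_uid, set(os.getgrouplist(user, pw.pw_gid))

# Constructed sample: tor user uid 110 / gid 115, bitcoind user uid 1001 / gid 1001.
TOR_UID, TOR_GID, BTC_UID, BTC_GID = 110, 115, 1001, 1001
SAMPLE = [("/", 0o40755, 0, 0), ("/var", 0o40755, 0, 0), ("/var/run", 0o40755, 0, 0),
          ("/var/run/tor", 0o42750, TOR_UID, TOR_GID),
          ("/var/run/tor/control.authcookie", 0o100640, TOR_UID, TOR_GID)]

if __name__ == "__main__":
    print(diagnose(SAMPLE, BTC_UID, {BTC_GID}))            # separate users, no shared group
    print(diagnose(SAMPLE, BTC_UID, {BTC_GID, TOR_GID}))   # bitcoind user added to tor group
```

On a live host, `diagnose(entries_for(path), *ids_for(user))` runs the same check against the real cookie path. Group membership only helps when the cookie itself carries the group-read bit; an owner-only (0600) cookie stays unreadable to group members.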

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-15 15:15 UTC
