This is the Debian package for Tor, The Onion Router. # Startup and Configuration If Tor is started by init, it loads the configuration snippets from /usr/share/tor/tor-service-defaults-torrc before consulting /etc/tor/torrc. The tor-service-defaults-torrc file tells Tor to run as daemon, create pidfile, sets its data directory and configures cookie authentication. If Tor is started not from the init script, then it will behave like upstream's Tor. # Multiple instances As of 0.2.7.4, the package supports running multiple instances of Tor under systemd. Please consult the tor-instance-create(8) manpage for details. # Filesystem access by the Tor service Note that due to systemd and apparmor protections, the places on the filesystem which the tor process can access is limited. (See the service files [1] for details.) As such, hidden service directories should be created in subdirectories below Tor's DataDirectory [2]. ## Onion services using UNIX domain sockets Tor's onion services can access their backends not only via TCP but also via UNIX domain sockets (see also the tor(1) manpage). UNIX domain sockets are not currently covered by filesystem restrictions from systemd and apparmor. As such, they can be put anywhere as long as the filesystem namespace is visible. In particular, this means /home does not not work by default, but anything under /var should. It is suggested that sockets be placed in a special directory under /var/lib [3]. Note that while systemd and apparmor do not currently limit access to to sockets, you still need to ensure that the Tor process may access them according to the default UNIX file and directory permissions. Example: The backend is run by user webfu. The default Tor instance should be able to access the socket. . The admin creates the directory /var/lib/tor-onion-sockets/default/webfu/ and makes it mode 02750 owned by webfu:debian-tor. Then she configures the backend service to create the socket in this directory and configures Tor to use that socket. The socket should be read and writable by the tor process as well, so it should be either g+rw when its group can be debian-tor, or a+rw when not. 1: /lib/systemd/system/tor@default.service and /lib/systemd/system/tor@.service 2: /var/lib/tor and /var/lib/tor-instances/ 3: /var/lib/tor-onion-sockets/default and /var/lib/tor-onion-sockets/ 4: https://bugs.debian.org/846275 -- Peter Palfrader, Mon, 24 Jul 2006 05:20:30 +0200 Sat, 23 Feb 2008 13:44:40 +0100 Wed, 11 Jan 2012 21:31:44 +0100 Mon, 19 Oct 2015 18:21:24 +0200 Mon, 19 Dec 2016 09:56:05 +0100