For example, I have tor installed and I activated it. When it is installed, a group with the name tor is added.
What is the difference between adding tor to groups or not?
What is the advantage if tor is added to the groups?
Because it works well without adding it.
Or like vbox, which works well for me: is there an advantage to becoming a member of the vbox group?
In short: Groups are part of permissions. Adding a group to your account gives you the ability to run specific tasks with root privileges, where you would need full root privileges. That is a small part of the Linux security model.
You cannot run tor without root, so adding the tor group to your account gives you the ability to run tor on that specific user account. Same for vbox, but here it is different: When you pass through USB devices to the virtual machine, then it needs root permissions. The vbox group gives you access to that specific function.
Simple?
Thank you, simple and understandable
uhmmm whaaat
Adding a group only gives access to stuff that group has access to; group access has nothing to do with root privileges…
Sure you can, mine runs under the `tor` user account, not root,
using a systemd service…
`systemctl cat tor | xclip`

```
# /usr/lib/systemd/system/tor.service
# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service. You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow. Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.

[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/tor.service.d/ControlSocket.conf
[Service]
RuntimeDirectory=tor
#RuntimeDirectoryPreserve=restart

### Use only one of the below configs:
# 1
# Required because the service is run as root, but tor as a user who needs to be able to create the unix-socket.
#RuntimeDirectoryMode=0777
# 2
# This requires you to use a blank `User` line in your torrc.d config.
User=tor
Group=tor

### Note for nyx usage
# If your sudoers config has: `%wheel ALL=(ALL:ALL) ALL`
# You can use `sudo -g tor nyx` on Manjaro.
# Else you need `sudo -u tor nyx`
```
The difference/advantage of tor having its own group is that files owned by it can be more easily accessed by other accounts without the need to become root, by having those files set group access permissions.
See the example at the bottom of the config I posted above:
`sudo -g tor nyx`

This command runs the `nyx` command with group `tor`, which allows it to access the control socket created by `tor`, who gives access to anyone with the `tor` group…
Although we use `sudo`, the above command does not run the `nyx` command as `root`.
This setup means we run both `tor` and `nyx` as non-root users, which is a bit safer.
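The permission check this post relies on, as an added example that is not part of the original thread: a small model of the classic Unix owner/group/other decision, applied to a tor control socket. The numeric ids, the socket path `/run/tor/control`, its `0660` mode and the user `alice` are assumptions made for the illustration.

```python
import stat
from collections import namedtuple

Cred = namedtuple("Cred", "name uid gids")      # a process's identity
Node = namedtuple("Node", "path uid gid mode")  # what stat() reports for a file

# Constructed values: the numeric ids and the socket path are assumptions.
TOR_UID = TOR_GID = 43
SOCKET = Node("/run/tor/control", TOR_UID, TOR_GID, stat.S_IFSOCK | 0o660)

def dac_check(node, cred, want):
    """Classic Unix mode-bit check; `want` is a subset of "rwx".

    Returns (allowed, deciding_class). Exactly one class is consulted:
    owner, else group, else other. ACLs, LSMs and the search permission
    on parent directories are not modelled.
    """
    if cred.uid == 0:
        # root (CAP_DAC_OVERRIDE) skips read/write checks; execute still
        # needs at least one x bit unless the node is a directory.
        ok = "x" not in want or stat.S_ISDIR(node.mode) or bool(node.mode & 0o111)
        return ok, "root"
    if cred.uid == node.uid:
        cls, shift = "owner", 6
    elif node.gid in cred.gids:
        cls, shift = "group", 3
    else:
        cls, shift = "other", 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in set(want))
    return ((node.mode >> shift) & need) == need, cls

def demo():
    creds = [
        Cred("alice", 1000, {1000}),                           # not in group tor
        Cred("alice via sudo -g tor", 1000, {TOR_GID, 1000}),  # gid switched, uid unchanged
        Cred("tor daemon", TOR_UID, {TOR_GID}),
        Cred("root", 0, {0}),
    ]
    # Connecting to a Unix socket on Linux needs write permission on it.
    return {c.name: dac_check(SOCKET, c, "w") for c in creds}

if __name__ == "__main__":
    for name, (ok, cls) in demo().items():
        print(f"{name:24} {'allow' if ok else 'deny':5} (decided by: {cls})")
```

Because only the first matching class is consulted, an owner whose own bits deny access is refused even when the group bits would allow it.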
Erm… ok. I was not very specific, but very general. Sorry.
- As root you have access to the tor directory, which has the owner/group tor. → root privilege
- When you add yourself to the tor group, then you have access to the tor folder, so you don’t have to be root. → specific task.
But yes, that’s what happens when you take technical things way too general: you get misunderstood plus I’m not a native English speaker.

> But yes, that’s what happens when you take technical things way too general: you get misunderstood plus I’m not a native English speaker.

Hehe, English is not my native language either, but yes, especially with technical stuff you should be very careful about generalizing, as it could mean totally different things.
My favorite is “1+1=2” and “1+1=3”, which are both correct, just using different number bases (11 in binary is 3 in decimal).