From 3bbda97bb923c99e97993a0064acb97bf627e89c Mon Sep 17 00:00:00 2001 From: NW Date: Wed, 24 Jun 2026 12:15:16 +0100 Subject: [PATCH] fix: proper Tor user and directory permissions - Add User tor to torrc for privilege dropping - chown /var/lib/tor to tor:nogroup before Tor starts - chmod 755 on hostname directories so root can read them - Remove invalid chown tor:tor (tor group doesn't exist in Alpine) --- tor-proxy/entrypoint.sh | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/tor-proxy/entrypoint.sh b/tor-proxy/entrypoint.sh index 94dabe4..b3690df 100644 --- a/tor-proxy/entrypoint.sh +++ b/tor-proxy/entrypoint.sh @@ -31,11 +31,9 @@ if [ "$SSH_HOST_IP" = "host.docker.internal" ]; then fi mkdir -p /var/lib/tor/ssh /var/lib/tor/admin -chmod 700 /var/lib/tor/ssh /var/lib/tor/admin - -if id tor >/dev/null 2>&1; then - chown -R tor:tor /var/lib/tor -fi +chown -R tor:nogroup /var/lib/tor +chmod 700 /var/lib/tor +chmod 755 /var/lib/tor/ssh /var/lib/tor/admin cat > /etc/tor/torrc </dev/null 2>&1; then - chown -R tor:tor /onion-hosts -fi - ( \ echo "Waiting for onion addresses..."; \ for i in $(seq 1 120); do \
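Review bot: The added `chmod 755 /var/lib/tor/ssh /var/lib/tor/admin` loosens the mode on what appear to be the onion-service directories, which would hold the service private keys alongside `hostname`. Root does not need this to read them, since it bypasses mode bits unless the container drops CAP_DAC_OVERRIDE, and Tor normally expects a HiddenServiceDir to be accessible only by its own user, so it may refuse or reset the wider mode at startup. I would keep them private with `chmod 700 /var/lib/tor /var/lib/tor/ssh /var/lib/tor/admin` and, if another process really must read `hostname`, copy that one file out instead of opening the directory. The now unconditional `chown -R tor:nogroup /var/lib/tor` also fails when the `tor` user is missing; whether that aborts the script depends on lines outside this hunk, and the torrc heredoc that follows is not visible on the page.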