[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?

To: tor-relays@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?
From: s7r <s7r@xxxxxxxxxx>
Date: Fri, 3 Sep 2021 20:03:28 +0300
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 06 Sep 2021 04:04:45 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sky-ip.org; s=20110108; t=1630688621; bh=HWhU4P0M98Xzi8jGNMo/C55ng+KBHcnGgOA/xrZ1wjE=; h=To:References:From:Subject:Date:In-Reply-To; b=b77zZW4m3HzwLnVNg9dBRmZJ1Y6y+WUq5TjFJdfXhQCUhP16AiyHl61w+qWeM9jKF UKgnZkN3P/kQzMwHYs27IdvBV63DWUankMm9mkTEuIgapxGNjROMhqUPjvrWD3P6Vp 4NeXZs2rGDNoYJbeHYjfwiAY4qTylNP6slmP5S1Y=
In-reply-to: <a57c8b10-1f7c-2063-224f-97f4ce9e7941@sky-ip.org>
List-archive: <http://lists.torproject.org/pipermail/tor-relays/>
List-help: <mailto:tor-relays-request@lists.torproject.org?subject=help>
List-id: "support and questions about running Tor relays $exit, non-exit, bridge$" <tor-relays.lists.torproject.org>
List-post: <mailto:tor-relays@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-relays>, <mailto:tor-relays-request@lists.torproject.org?subject=unsubscribe>
References: <4d81f0bf-bfe3-455b-e165-ac7210a6d7d7@sky-ip.org> <a57c8b10-1f7c-2063-224f-97f4ce9e7941@sky-ip.org>
Reply-to: tor-relays@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-relays" <tor-relays-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.13.0

s7r wrote:

Hello,
I think it has something to do with our hardening configuration. OnDebian Bullseye, I start my bridge with log info and I get:
[info] process_exec(): Starting new process: /usr/local/bin/obfs4proxy
[info] launch_managed_proxy(): Managed proxy at'/usr/local/bin/obfs4proxy' has spawned with PID '1856'.
When I start the bridge (using systemd/systemctl), there are no Torprocesses or obfs4proxy processes running on the machine.
After it logs that info that it has spawned with another PID, I can findthat PID in my system as DEFUNCT.
# ps aux | grep tor
debian-+ 1855 91.9 5.7 243532 230668 ? Rs 17:28 0:15/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc-f /etc/tor/torrc --RunAsDaemon 0debian-+ 1856 5.2 0.0 0 0 ? Z 17:28 0:00 [tor]<defunct>
Wonder what is causing this. I am using the default install fromdeb.tp.o just with NoNewPrivileges=no to tor@default.service andtor@.service.
I also find it buggy that this is at info level.

Fixed it. this was due to apparmor incorrect settings.

The obfs4proxy process was being killed by apparmor:

audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor"name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x"denied_mask="x" fsuid=107 ouid=0

kernel: audit: type=1400 audit(1630685584.124:19): apparmor="DENIED"operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy"pid=2994 comm="tor" requested_mask="x" denied_mask="x" >

And this is because my obfs4proxy executable was installed in adifferent path than /usr/bin/obfs4proxy which is in the "deafult"shipped apparmor settings for Tor.


All I had to do was to edit /etc/apparmor.d/abstractions/tor

and change from:

/usr/bin/obfs4proxy Pix,

to

/usr/local/bin/obfs4proxy Pix,

and

$ sudo service apparmor reload

And it worked. This extra step is in addition to setcap +ep obfs4proxyand NoNewPrivileges=no in /lib/systemd/system/tor@default.service and/lib/systemd/system/tor@.service and it's only necessary if you installobfs4proxy (or other pluggable transport) in a different location that/usr/bin/$transport, otherwise it works normally.

Thanks for reading and sorry about the noise. Loggedhttps://gitlab.torproject.org/tpo/core/tor/-/issues/40459 to improve thewiki and maybe escalade the log level for those two messages.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

References:
- Re: [tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?
  - From: s7r

Prev by Author: [tor-relays] new tor network graphs on OrNetStats
Next by Author: Re: [tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?
Previous by thread: Re: [tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?
Next by thread: Re: [tor-relays] Old version in Debian/Ubuntu repo?
Index(es):
- Author
- Thread