[tor-relays] Standalone obfsproxy apparmor profile etc.
Not sure if this is the right place to post or if this will help anybody, but I think I figured out how to run a standalone (NOT managed) obfs3 obfsproxy on Ubuntu 14.04 with a somewhat confined apparmor profile running under the debian-tor user.
I verified this by looking at ps and it shows "debian-tor [...] /usr/bin/python /usr/bin/obfsproxy obfs3[...]". aa-status says /usr/bin/obfsproxy is in enforce mode, and removing "network inet stream," for example from the aa profile results in obfsproxy failing to start.
The line in the profile for "/usr/** r," is ugly, but replacing it with "/usr/bin/** r," didn't work. Obfsproxy log messages also seem to be going to /dev/null, so I'm missing something there.
So Linux/Apparmor experts, is there anything bad/wrong with this setup? Am I relatively safe from bad guys hacking into my obfsproxy ports? How can I see if the good guys are using it successfully?
The aa profile does not work for managed instances of obfsproxy. It complained about wanting read access to nsswitch.conf and /etc/passwd and I don't know enough python to understand why it wants that, so I didn't add it.
Below is also attached:
/etc/tor/torrc [just the relevant lines, using iptables to redirect from advertised obfs3port to actual]
-------------------
ServerTransportPlugin obfs3 proxy a.b.c.d:[advertisedobfs3port]
ExtORPort auto
-------------------
/etc/apparmor.d/usr.bin.obfsproxy
-------------------
# vim:syntax=apparmor
#include <tunables/global>

# Attachment by path: obfsproxy is a Python script, so the kernel would exec
# /usr/bin/python rather than this path; the init script enters the profile
# explicitly with aa-exec instead of relying on path attachment.
/usr/bin/obfsproxy {
  #include <abstractions/base>
  #include <abstractions/python>

  # IPv4 TCP only: no UDP, no raw sockets, no inet6.
  network inet stream,

  # obfsproxy's log file (only used if obfsproxy is started with --log-file).
  /var/log/tor/log rw,
  /dev/urandom r,
  /dev/random r,

  # Broad, but the narrower "/usr/bin/** r," did not work (see above).
  /usr/** r,
  /usr/bin/obfsproxy rix,
}
-------------------
/etc/init.d/obfsproxy
-------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          obfsproxy
# Required-Start:    $remote_fs $network
# Required-Stop:     $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: standalone obfs3 obfsproxy confined by AppArmor
### END INIT INFO

PIDDIR="/var/run/obfsproxy"
PIDFILE="$PIDDIR/obfsproxy.pid"
DAEMON_USER="debian-tor"
PROFILE="/usr/bin/obfsproxy"     # AppArmor profile name (the attachment path in the profile header)
DEST="127.0.0.1:[ORPort]"        # Tor's ORPort, reached over loopback
SERVER="a.b.c.d:[obfs3port]"     # port obfsproxy really listens on; iptables redirects the advertised port here
LOGFILE="/var/log/tor/log"       # the file the AppArmor profile grants "rw"; without --log-file obfsproxy logs nowhere

# aa-exec enters the profile and then execs obfsproxy; the "--" ends aa-exec's own options.
DAEMON_ARGS="--profile=$PROFILE -- /usr/bin/obfsproxy --log-file=$LOGFILE obfs3 --dest $DEST server $SERVER"

do_start() {
    mkdir -p "$PIDDIR"    # /var/run is tmpfs, so the directory is gone after every reboot
    # Match a running instance by pidfile + owner rather than --exec: obfsproxy
    # is a Python script, so /proc/<pid>/exe is the interpreter and an --exec
    # check against /usr/bin/obfsproxy never matches, which starts duplicates.
    /sbin/start-stop-daemon --start --oknodo --make-pidfile --background \
        --pidfile "$PIDFILE" --user "$DAEMON_USER" --chuid "$DAEMON_USER:$DAEMON_USER" \
        --startas /usr/sbin/aa-exec -- $DAEMON_ARGS
}

do_stop() {
    /sbin/start-stop-daemon --stop --oknodo --retry 5 --verbose \
        --pidfile "$PIDFILE" --user "$DAEMON_USER"
    rm -f "$PIDFILE"
}

case "$1" in
    start)          echo "Starting obfsproxy"; do_start ;;
    stop)           echo "Stopping obfsproxy"; do_stop ;;
    restart|reload) echo "Restarting obfsproxy"; do_stop; do_start ;;
    *)              echo "Usage: /etc/init.d/obfsproxy {start|stop|restart|reload}"; exit 1 ;;
esac
exit 0
-------------------
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
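The post checks confinement by eye (ps output and aa-status). The script below is an added example, not code from the original post or from the obfsproxy project: it verifies the same thing from /proc, where /proc/<pid>/attr/current reads "<profile> (<mode>)" for a confined task or "unconfined" for an unconfined one. The pidfile path, profile name and user are assumed to match the init script above; the live check needs permission to read the daemon's /proc entry, so run it as root.

```shell
#!/bin/sh
# Added example (not from the original post): check that the standalone
# obfsproxy really runs as debian-tor inside the /usr/bin/obfsproxy profile
# in enforce mode, using /proc/<pid>/attr/current instead of eyeballing ps.
# Assumed to match the init script above:
PIDFILE="/var/run/obfsproxy/obfsproxy.pid"
PROFILE="/usr/bin/obfsproxy"
DAEMON_USER="debian-tor"

# aa_parse_current TEXT: print "<profile> <mode>" for one attr/current line,
# e.g. "/usr/bin/obfsproxy (enforce)" -> "/usr/bin/obfsproxy enforce".
aa_parse_current() {
    case "$1" in
        unconfined)
            echo "unconfined unconfined" ;;
        *' ('*')')
            prof="${1% (*}"          # strip " (mode)" from the right
            mode="${1##* (}"         # keep what follows the last " ("
            echo "$prof ${mode%)}" ;;
        *)
            echo "$1 unknown" ;;
    esac
}

# aa_verify CURRENT_TEXT ACTUAL_USER WANT_PROFILE WANT_USER: succeed only when
# the task runs as WANT_USER under WANT_PROFILE in enforce mode, else say why.
aa_verify() {
    current="$1"; actual_user="$2"; want_profile="$3"; want_user="$4"
    set -- $(aa_parse_current "$current")      # $1 = profile, $2 = mode
    if [ "$actual_user" != "$want_user" ]; then
        echo "FAIL: running as $actual_user, expected $want_user"; return 1
    fi
    if [ "$1" != "$want_profile" ]; then
        echo "FAIL: confined by '$1', expected $want_profile"; return 1
    fi
    if [ "$2" != "enforce" ]; then
        echo "FAIL: profile mode is '$2', not enforce"; return 1
    fi
    echo "OK: $actual_user under $1 ($2)"
}

# Live check against the running daemon. The owner of /proc/<pid> is the
# process's uid; stat is used because ps truncates names like debian-tor.
check_running_obfsproxy() {
    pid="$(cat "$PIDFILE" 2>/dev/null)" || { echo "no pidfile at $PIDFILE"; return 2; }
    [ -d "/proc/$pid" ] || { echo "stale pidfile: pid $pid is not running"; return 2; }
    aa_verify "$(cat "/proc/$pid/attr/current")" "$(stat -c %U "/proc/$pid")" \
              "$PROFILE" "$DAEMON_USER"
}

if [ "${1:-}" = "--live" ]; then
    check_running_obfsproxy
fi
```

Run it as `sudo sh check-obfsproxy.sh --live`; a non-zero exit means the daemon is either not the process the pidfile names, not running as debian-tor, or not under the profile in enforce mode (a profile left in complain mode after aa-complain is the easy one to miss).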