
Re: [tor-relays] Did obfs4proxy stop working for you on Debian Buster or Bullseye?



s7r wrote:
Hello,

I think it has something to do with our hardening configuration. On Debian Bullseye, I start my bridge with log info and I get:

[info] process_exec(): Starting new process: /usr/local/bin/obfs4proxy
[info] launch_managed_proxy(): Managed proxy at '/usr/local/bin/obfs4proxy' has spawned with PID '1856'.

When I start the bridge (using systemd/systemctl), there are no Tor processes or obfs4proxy processes running on the machine.

After it logs that info that it has spawned with another PID, I can find that PID in my system as DEFUNCT.

# ps aux | grep tor
debian-+    1855 91.9  5.7 243532 230668 ?       Rs   17:28   0:15 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
debian-+    1856  5.2  0.0      0     0 ?        Z    17:28   0:00 [tor] <defunct>


Wonder what is causing this. I am using the default install from deb.tp.o just with NoNewPrivileges=no to tor@default.service and tor@.service.

I also find it buggy that this is at info level.


Fixed it. This was due to incorrect apparmor settings.

The obfs4proxy process was being killed by apparmor:

audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0


kernel: audit: type=1400 audit(1630685584.124:19): apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" >

And this is because my obfs4proxy executable was installed in a different path than /usr/bin/obfs4proxy, which is in the "default" shipped apparmor settings for Tor.

All I had to do was to edit /etc/apparmor.d/abstractions/tor

and change from:

/usr/bin/obfs4proxy Pix,

to

/usr/local/bin/obfs4proxy Pix,

and

$ sudo service apparmor reload

And it worked. This extra step is in addition to setcap +ep obfs4proxy and NoNewPrivileges=no in /lib/systemd/system/tor@default.service and /lib/systemd/system/tor@.service, and it's only necessary if you install obfs4proxy (or another pluggable transport) in a different location than /usr/bin/$transport; otherwise it works normally.

Thanks for reading and sorry about the noise. Logged https://gitlab.torproject.org/tpo/core/tor/-/issues/40459 to improve the wiki and maybe escalate the log level for those two messages.

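A small check for the failure mode described in the post, added here as an example (it is not s7r's code nor part of the Tor packaging): it pulls the denied path out of an apparmor "DENIED" exec audit line for the system_tor profile, and cross-checks every ServerTransportPlugin binary in a torrc against the exec rules in /etc/apparmor.d/abstractions/tor, so a bridge operator can spot the mismatch before tor reports a defunct child. The torrc and abstraction contents below are constructed sample files; the second transport name "example-pt" is a placeholder.

```shell
#!/bin/sh
# Print the binary path named in an apparmor DENIED exec audit line for the
# system_tor profile; print nothing for any other line.
denied_exec_path() {
    printf '%s\n' "$1" | grep 'apparmor="DENIED"' | grep 'operation="exec"' |
        grep 'profile="system_tor"' | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Exit 0 if the abstraction file has an exec rule for the given path.
# The rule mode may be any apparmor exec mode (ix, Px, Pix, Cx, Ux, ...);
# the path is compared exactly, so no shell or regex escaping is needed.
apparmor_allows_exec() {
    awk -v bin="$2" '
        $1 == bin && $2 ~ /^[A-Za-z]*x,$/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# For each "ServerTransportPlugin <names> exec <path> ..." line in a torrc,
# print "<names> <path>" when the abstraction does not let tor exec <path>.
missing_transport_rules() {
    torrc="$1"; abstraction="$2"
    awk '$1 == "ServerTransportPlugin" && $3 == "exec" { print $2, $4 }' "$torrc" |
    while read -r transport path; do
        apparmor_allows_exec "$abstraction" "$path" ||
            printf '%s %s\n' "$transport" "$path"
    done
}

# Constructed sample inputs mirroring the post: obfs4proxy installed under
# /usr/local/bin while the stock abstraction only allows /usr/bin.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/torrc" <<'EOF'
ServerTransportPlugin obfs4 exec /usr/local/bin/obfs4proxy
ServerTransportPlugin example-pt exec /usr/bin/example-pt
EOF
cat > "$tmp/tor-abstraction" <<'EOF'
  /usr/bin/obfs4proxy Pix,
  /usr/bin/example-pt Pix,
EOF

# Prints: obfs4 /usr/local/bin/obfs4proxy
missing_transport_rules "$tmp/torrc" "$tmp/tor-abstraction"
```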

_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays