s7r wrote:
Hello,

I think it has something to do with our hardening configuration. On Debian Bullseye, I start my bridge with log info and I get:

[info] process_exec(): Starting new process: /usr/local/bin/obfs4proxy
[info] launch_managed_proxy(): Managed proxy at '/usr/local/bin/obfs4proxy' has spawned with PID '1856'.

When I start the bridge (using systemd/systemctl), there are no Tor processes or obfs4proxy processes running on the machine. After it logs that info that it has spawned with another PID, I can find that PID in my system as DEFUNCT.

# ps aux | grep tor
debian-+ 1855 91.9 5.7 243532 230668 ? Rs 17:28 0:15 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
debian-+ 1856 5.2 0.0 0 0 ? Z 17:28 0:00 [tor] <defunct>

Wonder what is causing this. I am using the default install from deb.tp.o just with NoNewPrivileges=no to tor@default.service and tor@.service.

I also find it buggy that this is at info level.
Fixed it. This was due to incorrect apparmor settings. The obfs4proxy process was being killed by apparmor:

audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0
kernel: audit: type=1400 audit(1630685584.124:19): apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" >
And this is because my obfs4proxy executable was installed in a different path than /usr/bin/obfs4proxy, which is in the "default" shipped apparmor settings for Tor.

All I had to do was to edit /etc/apparmor.d/abstractions/tor and change from:

/usr/bin/obfs4proxy Pix,

to

/usr/local/bin/obfs4proxy Pix,

and

$ sudo service apparmor reload

And it worked. This extra step is in addition to setcap +ep obfs4proxy and NoNewPrivileges=no in /lib/systemd/system/tor@default.service and /lib/systemd/system/tor@.service, and it's only necessary if you install obfs4proxy (or other pluggable transport) in a different location than /usr/bin/$transport; otherwise it works normally.

Thanks for reading and sorry about the noise. Logged https://gitlab.torproject.org/tpo/core/tor/-/issues/40459 to improve the wiki and maybe escalate the log level for those two messages.
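The diagnosis above (a transport binary that tor spawns and that immediately goes <defunct> because the system_tor AppArmor profile has no exec rule for its path) can be automated. The script below is an added example, not code from the post or from the Tor project: it pulls the denied executable path out of an AppArmor audit line and checks whether the tor abstraction file already carries an exec rule (ix/Pix/Ux and friends) for that path. The audit line and the abstraction content are constructed samples modelled on the post; the path /etc/apparmor.d/abstractions/tor is only the default shown in the post and is passed in as an argument.

```shell
#!/bin/sh
# Added example (not from the original post): explain why a pluggable transport
# started by tor dies under AppArmor, by matching the audit denial against the
# exec rules in the tor AppArmor abstraction.

# Print the name="..." path from an AppArmor "DENIED" exec audit line for the
# given profile. Prints nothing and returns 1 if the line is not such a denial.
apparmor_denied_exec() {
    line=$1
    profile=$2
    case $line in
        *'apparmor="DENIED"'*'operation="exec"'*"profile=\"$profile\""*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p'
}

# Return 0 if the abstraction file has an exec rule for the binary, e.g.
# "/usr/local/bin/obfs4proxy Pix,", allowing any AppArmor exec mode
# (ix, px, Px, ux, Ux, cx, Cx, pix, Pix, cix, Cix, pux, Pux, ...) and
# optional extra r/w/m/l/k permissions on the same rule; 1 otherwise.
abstraction_allows_exec() {
    abstraction=$1
    binary=$2
    esc=$(printf '%s' "$binary" | sed 's/[.]/\\./g')
    grep -Eq "^[[:space:]]*${esc}[[:space:]]+[rwmlk]*[PpCcUu]?[iu]?x[rwmlk]*," "$abstraction"
}

# Tie the two together: for one audit line, say whether the denied path is
# missing from the abstraction (add a rule) or present (profile not reloaded).
# Returns 1 when the line is not a system_tor exec denial at all.
explain_denial() {
    abstraction=$1
    line=$2
    path=$(apparmor_denied_exec "$line" system_tor) || return 1
    if abstraction_allows_exec "$abstraction" "$path"; then
        echo "$path is denied but already has an exec rule in $abstraction: reload the profile (sudo service apparmor reload)"
    else
        echo "$path has no exec rule in $abstraction: add '$path Pix,' and reload the profile"
    fi
}

# --- constructed sample data, modelled on the post ---
SAMPLE_AUDIT='audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0'

# A stand-in for /etc/apparmor.d/abstractions/tor holding only the shipped
# rule for the Debian default path (constructed, written to a temp file).
SAMPLE_ABSTRACTION=$(mktemp)
trap 'rm -f "$SAMPLE_ABSTRACTION"' EXIT
printf '%s\n' '  /usr/bin/obfs4proxy Pix,' > "$SAMPLE_ABSTRACTION"

# Real use: explain_denial /etc/apparmor.d/abstractions/tor "$(journalctl -k | grep 'apparmor="DENIED"' | tail -n1)"
explain_denial "$SAMPLE_ABSTRACTION" "$SAMPLE_AUDIT"
```

On a live system, feed explain_denial the abstraction file tor actually uses and a DENIED line from journalctl or /var/log/audit/audit.log; a path printed as "no exec rule" is exactly the case the post describes, and a path printed as "already has an exec rule" means the edited profile simply has not been reloaded yet.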
_______________________________________________
tor-relays mailing list
tor-relays@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays