Your message dated Sun, 20 Aug 2017 10:19:11 +0000
with message-id <[email protected]>
and subject line Bug#867342: fixed in tor 0.3.1.5-alpha-2
has caused the Debian Bug report #867342,
regarding tor: /usr/bin/obfs4proxy fails to load under default combination of
apparmor execution permission PUx and systemd NoNewPrivileges=Yes hardening
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
867342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=867342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: tor
Version: 0.2.9.11-1~deb9u1
Severity: important
Dear Maintainer,
I was debugging why obfs4proxy was failing to load in Debian 9 (Whonix 14
developers), without any helpful error messages in the log. I noticed that if
I changed the AA execution permissions in abstractions/tor for obfsproxy to ix
instead of PUx, it loads. I also noticed that if I commented out or changed
the systemd hardening flag NoNewPrivileges inside
systemd/system/[email protected], obfs4proxy also successfully loads.
I have no idea why or where to find any error message from systemd or apparmor
about the failure to load /usr/bin/obfs4proxy.
I also don't know how the hardening NoNewPrivileges and the apparmor execution
permission PUx interact to cause the failure to load obfs4proxy.
But changing PUx to ix AND/OR changing NoNewPrivileges to blank or YES allows
obfs4proxy to load and tor to connect to an obfs4 bridge.
For now, I created a workaround for Whonix users that simply disables
NoNewPrivileges.
-- System Information:
Distributor ID: Whonix
Description: Whonix GNU/Linux 9.0 (stretch)
Release: 9.0
Codename: stretch
Architecture: x86_64
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages tor depends on:
ii adduser 3.115
ii init-system-helpers 1.48
ii libc6 2.24-11+deb9u1
ii libevent-2.0-5 2.0.21-stable-3
ii libseccomp2 2.3.1-2.1
ii libssl1.1 1.1.0f-3
ii libsystemd0 232-25
ii lsb-base 9.20161125
ii zlib1g 1:1.2.8.dfsg-5
Versions of packages tor recommends:
ii logrotate 3.11.0-0.1
ii tor-geoipdb 0.2.9.11-1~deb9u1
ii torsocks 2.2.0-1
Versions of packages tor suggests:
ii apparmor-utils 2.11.0-3
pn mixmaster <none>
ii obfs4proxy 0.0.7-1+b2
ii obfsproxy 0.2.13-2
pn socat <none>
ii tor-arm 1.4.5.0-1.1
pn torbrowser-launcher <none>
-- Configuration Files:
/etc/apparmor.d/abstractions/tor changed [not included]
/etc/apparmor.d/system_tor changed [not included]
/etc/default/tor changed [not included]
/etc/tor/torrc changed [not included]
-- no debconf information
-- debsums errors found:
debsums: changed file /lib/systemd/system/[email protected] (from tor package)
--- End Message ---
--- Begin Message ---
Source: tor
Source-Version: 0.3.1.5-alpha-2
We believe that the bug you reported is fixed in the latest version of
tor, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Peter Palfrader <[email protected]> (supplier of updated tor package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 19 Aug 2017 10:21:30 +0200
Source: tor
Binary: tor tor-geoipdb
Architecture: source
Version: 0.3.1.5-alpha-2
Distribution: experimental
Urgency: medium
Maintainer: Peter Palfrader <[email protected]>
Changed-By: Peter Palfrader <[email protected]>
Description:
tor - anonymizing overlay network for TCP
tor-geoipdb - GeoIP database for Tor
Closes: 867342 869153
Changes:
tor (0.3.1.5-alpha-2) experimental; urgency=medium
.
  * apparmor: use Pix instead of PUx for obfs4proxy, giving us
    better confinement of the child process while actually working
    with systemd's NoNewPrivileges. (closes: #867342)
  * Do not rely on aa-exec and aa-enabled being in /usr/sbin in the
    SysV init script. This change enables apparmor confinement
    on some system-V systems again. (closes: #869153)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
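
An added example, not part of the thread or of the tor package: a small lint that flags the combination the report describes, an AppArmor exec rule that can run the child unconfined (PUx) inside a unit with NoNewPrivileges enabled. The sample profile and unit text are constructed, the function names are hypothetical, and treating Ux and CUx the same as PUx is this example's generalisation.

```python
import re

# Exec modes whose target is, or can fall back to, unconfined execution.
# PUx is the case from the bug report; Ux and CUx are this example's generalisation.
UNCONFINED_MODES = ("PUx", "pux", "CUx", "cux", "Ux", "ux")
# Simplified rule syntax: optional qualifiers, an absolute path, a permission string.
RULE = re.compile(r"^\s*(?:(?:audit|owner)\s+)*(/\S+)\s+([A-Za-z]+)\s*,")
# Longest modes first so that "PUx" is not read as "Ux" and "Pix" not as "ix".
MODE = re.compile(r"(PUx|pux|CUx|cux|Pix|pix|Cix|cix|Px|px|Cx|cx|Ux|ux|ix)")

def nnp_enabled(unit_text):
    """Return True if the last NoNewPrivileges= assignment in the unit is true."""
    enabled = False
    for line in unit_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "NoNewPrivileges":
            enabled = value.strip().lower() in ("1", "yes", "true", "on")
    return enabled

def exec_mode(perms):
    """Extract the exec mode from a permission string such as 'rPUx' or 'mrix'."""
    m = MODE.search(perms)
    return m.group(1) if m else None

def risky_exec_rules(profile_text, unit_text):
    """List (path, mode) exec rules that conflict with NoNewPrivileges=yes."""
    if not nnp_enabled(unit_text):
        return []
    hits = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and exec_mode(m.group(2)) in UNCONFINED_MODES:
            hits.append((m.group(1), exec_mode(m.group(2))))
    return hits

# Constructed samples, not copied from the real abstraction or unit file.
SAMPLE_UNIT = "[Service]\nNoNewPrivileges=yes\n"
SAMPLE_BEFORE = "  /etc/tor/* r,\n  /usr/bin/obfs4proxy PUx,\n"
SAMPLE_AFTER = "  /etc/tor/* r,\n  /usr/bin/obfs4proxy Pix,\n"

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, risky_exec_rules(text, SAMPLE_UNIT))
```

The parser only handles rules written as path followed by permissions; rules using variables or the leading-permission form are skipped.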