On Sun, Jan 21, 2018 at 07:05:20AM +0100, Sebastien Marie wrote:
> On Sat, Jan 20, 2018 at 07:13:54PM +0000, clematis wrote:
> > Hello,
> > 'usewithtor' (torsocks) works fine with ftp and ssh but it will core
> > with lynx. 
> > running: usewithtor lynx
> > will start lynx, resolve openbsd.org but core when trying to make the
> > http connection.
> > In /var/log/messages I get: /bsd: lynx[26197]: pledge "getpw", syscall 33
> > 
> > And running gdb lynx then core lynx.core: 
> > ---
> > Reading symbols from /usr/libexec/ld.so...done.
> > Loaded symbols for /usr/libexec/ld.so
> > #0  access () at -:3
> > 3       -: No such file or directory.
> >         in -
> > Current language:  auto; currently asm
> > ---
> > 
> > same result using 'torsocks' directly and not 'usewithtor' or trying
> > lynx http://openbsd.org
> 
> I will reply mainly on the pledge aspect.
> 
> The way torsocks is done is to replace some syscall/libc library calls by
> other ones (by using the LD_PRELOAD trick). The replaced functions are
> network related (connect(2) for example) in order to catch a TCP
> connection and replace it by another one wrapped in the SOCKS protocol
> (connect to the proxy, ask for a particular termination point, and pass it
> to program stuff).
> 
> It is some sort of MITM, but at the code program level.
> 
> The pledge(2) policy done for lynx assumes a specific behaviour. By
> replacing some code by another, torsocks did some additional stuff not
> in the initial pledge policy (getting information on users with getpw
> family here), and the kernel detects this pledge violation.
>  
> > Config: OpenBSD current + lynx-2.8.9pl16 + torsocks-1.2p4
> > 
> > Any idea on how to torify lynx?
> 
> The simplest would be to use lynx options to connect to a SOCKS proxy. I am
> unsure the current code has this possibility. But as it has HTTP proxy
> support, a way could be to have an HTTP proxy listener which forwards its
> traffic to a SOCKS upstream server. Polipo is a program of this kind (see
> the socksParentProxy="localhost:9050" and socksProxyType=socks5 parameters
> in the polipo config file).

Another idea. Create a special user only for tor use, then add the
proper rules to pf to pass its traffic to the tor daemon.


-- 
Juan Francisco Cantero Hurtado http://juanfra.info
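
For triaging aborts like the one reported at the top of this thread, here is an added example (not written by any participant in the thread) that extracts pledge violations from log lines in the format quoted from /var/log/messages. The timestamps, hostname and extra lines in the sample are constructed, and the syscall table holds only the one number that the gdb backtrace in the report confirms.

```python
import re
from collections import defaultdict

# Kernel message format as quoted in the thread:
#   /bsd: lynx[26197]: pledge "getpw", syscall 33
PLEDGE_RE = re.compile(
    r'/bsd: (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: '
    r'pledge "(?P<promise>[^"]*)", syscall (?P<syscall>\d+)'
)

# Assumption: only the number the thread itself confirms is listed
# (the backtrace shows frame #0 in access()); extend as needed.
SYSCALL_NAMES = {33: "access"}


def parse_violation(line):
    """Return a dict describing one pledge violation, or None."""
    m = PLEDGE_RE.search(line)
    if m is None:
        return None
    nr = int(m["syscall"])
    return {
        "prog": m["prog"],
        "pid": int(m["pid"]),
        "promise": m["promise"],  # promise the kernel says was missing
        "syscall": nr,
        "name": SYSCALL_NAMES.get(nr, f"syscall#{nr}"),
    }


def summarize(lines):
    """Group violations as {program: {missing promise: [syscall names]}}."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        v = parse_violation(line)
        if v:
            out[v["prog"]][v["promise"]].add(v["name"])
    return {p: {k: sorted(s) for k, s in d.items()} for p, d in out.items()}


# Constructed sample: the kernel message is the one from the report, the
# syslog prefixes, second PID and the sshd line are made up.
SAMPLE = [
    'Jan 20 19:10:01 host /bsd: lynx[26197]: pledge "getpw", syscall 33',
    'Jan 20 19:10:05 host sshd[4242]: Accepted publickey for user',
    'Jan 20 19:12:40 host /bsd: lynx[31002]: pledge "getpw", syscall 33',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A program that shows up here only when started under an LD_PRELOAD wrapper is the situation described above: the preloaded code makes calls the program's pledge policy never allowed for.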
