Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2020-03-21 Thread Tor Bug Tracker & Wiki
#18356: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
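----------------------------------------------------+---------------------------------
  Reporter:  irregulator                            |          Owner:  asn
      Type:  defect                                 |         Status:  new
  Priority:  Low                                    |      Milestone:  Tor: unspecified
 Component:  Core Tor/Tor                           |        Version:  Tor: 0.2.7.4-rc
  Severity:  Normal                                 |     Resolution:
  Keywords:  obfs4proxy, systemd, jessie, tor-pt    |  Actual Points:
 Parent ID:                                         |         Points:  15
  Reviewer:                                         |        Sponsor:
----------------------------------------------------+---------------------------------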

Comment (by dcf):

 I found an [https://www.sindastra.de/p/788/obfuscate-your-tor-bridge-with-obfs4/
 obfs4 setup guide by Sindastra] that invents another way to work
 around the problem, using `chattr +i` to prevent `apt` from upgrading the
 systemd files. Some official guidance would help in preventing people from
 inventing suboptimal workarounds like this, I think.

 > Now edit the files `/lib/systemd/system/tor@default.service` and
 > `/lib/systemd/system/tor@.service` and in both files change
 > `NoNewPrivileges=yes` to `NoNewPrivileges=no` and then execute `systemctl
 > daemon-reload` to apply the changes.
 >
 > It can happen, that during an update, the Tor service files will be
 > overwritten and the modifications thus removed. This will result in the
 > proxy not functioning on the desired port anymore (if below 1024). This
 > can be fixed by marking the service files as immutable after modification,
 > like this:
 > {{{
 > sudo chattr +i /lib/systemd/system/tor@default.service
 > sudo chattr +i /lib/systemd/system/tor@.service
 > }}}

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2020-02-10 Thread Tor Bug Tracker & Wiki

Comment (by phw):

 I recently had a chat with weasel about the same topic.  He would be happy
 to mention the above in README.Debian if we can provide a patch.  Weasel
 also finds setcap scary and considers a NAT/firewall rule from a low to a
 high port more reasonable. The problem is that `ServerTransportListenAddr`
 has no equivalent for `ORPort`'s `NoListen` directive, and is generally
 [https://trac.torproject.org/projects/tor/ticket/29285#comment:5 due for
 an overhaul].

 [https://community.torproject.org/relay/setup/bridge/ Our bridge setup
 guides] still advise to overwrite the original systemd config file, which
 is bad because it gets overwritten when the obfs4proxy package is updated.
 In fact, I think we are having the same problem with the obfs4proxy
 binary, which may lose its `CAP_NET_BIND_SERVICE` capability once the
 package is updated and the file overwritten. We should fix this.


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2020-02-10 Thread Tor Bug Tracker & Wiki

Comment (by dcf):

 At https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865495#32, weasel
 provided a hint about using an override or
 [https://www.freedesktop.org/software/systemd/man/systemd.unit.html "drop-in"
 file] to do the `NoNewPrivileges=no` configuration change. This is
 better than editing `/lib/systemd/system/tor@default.service` and
 `/lib/systemd/system/tor@.service` because it will persist across upgrades
 of the tor package.

 Run the command
 {{{
 systemctl edit tor@.service tor@default.service
 }}}
 In the editor, enter the following text, then save and quit.
 {{{
 [Service]
 NoNewPrivileges=no
 }}}
 In the second editor that appears, enter the same text, then save and
 quit.
 {{{
 [Service]
 NoNewPrivileges=no
 }}}
 If everything worked correctly, you will now have two files
 `/etc/systemd/system/tor@.service.d/override.conf` and
 `/etc/systemd/system/tor@default.service.d/override.conf` containing the
 text you entered. Now run
 {{{
 service tor restart
 }}}
 There is no need to run `systemctl daemon-reload` because `systemctl edit`
 does it automatically.


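The drop-in procedure from dcf's comment above, as an added example that is not part of the ticket or of the Tor or Debian packaging: it writes the same `override.conf` text non-interactively and shows why the setting survives an upgrade that overwrites the files under `/lib/systemd/system`. The `ROOT` argument, the function names and the packaged unit contents are assumptions so that it runs against a scratch directory, and precedence is modelled simply as "last assignment wins".

```shell
#!/bin/sh
# Added example, not from the ticket. ROOT (first argument) is a hypothetical
# prefix so the logic runs in a scratch directory instead of the live system.

# write_dropin ROOT UNIT: writes the text the ticket says to enter in
# `systemctl edit UNIT`, at the path the ticket says it ends up in.
write_dropin() {
    dir="$1/etc/systemd/system/$2.d"
    mkdir -p "$dir"
    printf '[Service]\nNoNewPrivileges=no\n' > "$dir/override.conf"
}

# effective_nnp ROOT UNIT: reads the packaged unit first, then drop-ins in
# lexical order; the last NoNewPrivileges= assignment wins. Simplified model:
# it ignores section headers and systemd's other search directories.
effective_nnp() {
    val=""
    for f in "$1/lib/systemd/system/$2" "$1/etc/systemd/system/$2.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*NoNewPrivileges=//p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val="$v"; fi
    done
    printf '%s\n' "${val:-unset}"
}

# simulate_upgrade ROOT UNIT: a package upgrade rewrites the packaged unit.
# The file content is constructed, standing in for the hardened unit.
simulate_upgrade() {
    mkdir -p "$1/lib/systemd/system"
    printf '[Service]\nNoNewPrivileges=yes\n' > "$1/lib/systemd/system/$2"
}

# demo: per unit, prints the effective value as packaged, after the drop-in,
# and after an upgrade has overwritten the packaged unit again.
demo() {
    root=$(mktemp -d)
    for u in tor@.service tor@default.service; do
        simulate_upgrade "$root" "$u"; before=$(effective_nnp "$root" "$u")
        write_dropin "$root" "$u";     after=$(effective_nnp "$root" "$u")
        simulate_upgrade "$root" "$u"; upgraded=$(effective_nnp "$root" "$u")
        echo "$u $before $after $upgraded"
    done
    rm -rf "$root"
}

demo
```

On a real host, `systemctl show -p NoNewPrivileges tor@default.service` reports the merged value that systemd itself computed.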
Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2019-08-04 Thread Tor Bug Tracker & Wiki

Comment (by phw):

 Replying to [comment:8 quite]:
 > But since this issue (and #7875) still lingers years later, I'm thinking
 > that what we're after is a solution that allows setting up a bridge by
 > simply installing the tor package, the obfs4proxy binary (by some means),
 > and editing torrc? And not a documented, post-package-installation
 > workaround/tweak.

 We are working on this over at #31153.


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2019-08-04 Thread Tor Bug Tracker & Wiki

Comment (by quite):

 The workarounds are documented in the "canonical":

 
   https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy

 And as well at:

   https://community.torproject.org/relay/setup/bridge/debian-ubuntu/

 But since this issue (and #7875) still lingers years later, I'm thinking
 that what we're after is a solution that allows setting up a bridge by
 simply installing the tor package, the obfs4proxy binary (by some means),
 and editing torrc? And not a documented, post-package-installation
 workaround/tweak.


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2019-06-06 Thread Tor Bug Tracker & Wiki
Changes (by arma):

 * cc: phw (added)


Comment:

 cc'ing phw because we might want to work on this ticket as part of the
 obfs4 operator ux work (at least, say, documenting the workaround).


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2018-03-13 Thread Tor Bug Tracker & Wiki
Changes (by dcf):

 * version:  Tor: 0.2.7.6 => Tor: 0.2.7.4-rc



Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2018-03-13 Thread Tor Bug Tracker & Wiki

Comment (by dcf):

 Cross-referencing #7875, which is more about transport plugins not being
 able to listen on a port different than they advertise (like if you had
 port forwarding set up to forward port 443 to some high-numbered port).


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2018-01-04 Thread Tor Bug Tracker & Wiki

Comment (by tom):

 I also got bit by this, and found this ticket primarily by luck. It would
 be good to document a recommended workaround somewhere.


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2017-06-23 Thread Tor Bug Tracker & Wiki
Changes (by dcf):

 * cc: dcf (added)


Comment:

 I didn't know about this ticket when I filed a Debian bug yesterday:
   [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865495 tor >=
 0.2.7.4-rc-1 renders CAP_NET_BIND_SERVICE on server transport plugins
 ineffective]

 I tried various versions of the Debian package and found that the first
 version that doesn't allow server transport plugins to bind to low ports
 is 0.2.7.4-rc-1.

 The workaround of setting `NoNewPrivileges=no` in
 `/lib/systemd/system/tor@default.service` and
 `/lib/systemd/system/tor@.service` also worked in my case. This is on
 Debian 9 (stretch) with tor 0.2.9.11-1~deb9u1. After modifying the
 .service files, I had to run:
 {{{
 systemctl daemon-reload
 service tor restart
 }}}


Re: [tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

2017-06-23 Thread Tor Bug Tracker & Wiki
Changes (by nickm):

 * points:   => 15

