#18356: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
-------------------------------------------------+-------------------------
Reporter: irregulator | Owner: asn
Type: defect | Status: new
Priority: Low | Milestone: Tor: unspecified
Component: Core Tor/Tor | Version: Tor: 0.2.7.4-rc
Severity: Normal | Resolution:
Keywords: obfs4proxy, systemd, jessie, tor-pt | Actual Points:
Parent ID: | Points: 15
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by dcf):
I found an [https://www.sindastra.de/p/788/obfuscate-your-tor-bridge-with-obfs4/ obfs4 setup guide by Sindastra] that invents another way to work
around the problem, using `chattr +i` to prevent `apt` from upgrading the
systemd files. Some official guidance would help in preventing people from
inventing suboptimal workarounds like this, I think.
> Now edit the files `/lib/systemd/system/[email protected]` and
> `/lib/systemd/system/[email protected]` and in both files change
> `NoNewPrivileges=yes` to `NoNewPrivileges=no` and then execute `systemctl
> daemon-reload` to apply the changes.
>
> It can happen, that during an update, the Tor service files will be
> overwritten and the modifications thus removed. This will result in the
> proxy not functioning on the desired port anymore (if below 1024). This
> can be fixed by marking the service files as immutable after modification,
> like this:
> {{{
> sudo chattr +i /lib/systemd/system/[email protected]
> sudo chattr +i /lib/systemd/system/[email protected]
> }}}
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18356#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online