I fixed the logging issue by changing "/var/log/tor/log rw," in the profile to "/var/log/tor/obfsproxy rw,", and changing the value in my service script to:

DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy --log-file=/var/log/tor/obfsproxy --log-min-severity=info obfs3 --dest $DEST server $SERVER"

I also changed to PIDFILE="/var/run/obfsproxy.pid" because the earlier version didn't work on reboot.
Now I can see I am getting traffic! 8 unique addresses in the past hour etc. So that mostly just leaves open the question of why managed mode obfsproxy wants to read /etc/passwd and nsswitch.conf? Is this the wrong place to ask?

-------- Original Message --------
From: [email protected]
Apparently from: [email protected]
To: [email protected]
Subject: [tor-relays] Standalone obfsproxy apparmor profile etc.
Date: Tue, 11 Nov 2014 18:01:16 -0500

> Not sure if this is the right place to post or if this will help anybody, but
> I think I figured out how to run a standalone (NOT managed) obfs3 obfsproxy
> on Ubuntu 14.04 with a somewhat confined apparmor profile running under the
> debian-tor user.
>
> I verified this by looking at ps and it shows "debian-tor [...]
> /usr/bin/python /usr/bin/obfsproxy obfs3[...]". aa-status says
> /usr/bin/obfsproxy is in enforce mode, and removing "network inet stream,"
> for example from the aa profile results in obfsproxy failing to start.
>
> The line in the profile for "/usr/** r," is ugly, but replacing it with
> "/usr/bin/** r," didn't work. Obfsproxy log messages also seem to be going to
> /dev/null, so I'm missing something there.
>
> So Linux/Apparmor experts, is there anything bad/wrong with this setup? Am I
> relatively safe from bad guys hacking into my obfsproxy ports? How can I see
> if the good guys are using it successfully?
>
> The aa profile does not work for managed instances of obfsproxy. It
> complained about wanting read access to nsswitch.conf and /etc/passwd and I
> don't know enough python to understand why it wants that, so I didn't add it.
>
> Below is also attached:
>
> /etc/tor/torrc [just the relevant lines, using iptables to redirect from
> advertised obfs3port to actual]
>
> -------------------
> ServerTransportPlugin obfs3 proxy a.b.c.d:[advertisedobfs3port]
> ExtORPort auto
> -------------------
>
>
> /etc/apparmor.d/usr.bin.obfsproxy
>
> -------------------
> # vim:syntax=apparmor
> #include <tunables/global>
>
> /usr/bin/obfsproxy {
>   #include <abstractions/base>
>   #include <abstractions/python>
>   network inet stream,
>
>   /var/log/tor/log rw,
>   /dev/urandom r,
>   /dev/random r,
>   /usr/** r,
>   /usr/bin/obfsproxy rix,
>
> }
> -------------------
>
>
> /etc/init.d/obfsproxy
>
> -------------------
> #!/bin/bash
>
> PIDFILE="/var/run/obfsproxy/obfsproxy.pid"
> DEST="127.0.0.1:[ORPort]"
> SERVER="a.b.c.d:[obfs3port]"
> DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy obfs3 --dest $DEST server $SERVER"
>
> ### BEGIN INIT INFO
> # Provides:          Obfsproxy
> # Required-Start:
> # Required-Stop:
> # Default-Start:     2 3 4 5
> # Default-Stop:      0 1 6
> # Short-Description: Obfsproxy
> ### END INIT INFO
>
> case "$1" in
>   start)
>     echo "Starting Obfsproxy"
>
>     /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
>         --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
>     ;;
>   stop)
>     echo "Stopping Obfsproxy"
>
>     /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
>     ;;
>   restart|reload)
>     /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
>     sleep 1
>     /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
>         --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
>     ;;
>   *)
>     echo "Usage: /etc/init.d/obfsproxy {start|stop|restart|reload}"
>     exit 1
>     ;;
> esac
>
> exit 0
> -------------------

_______________________________________________
tor-relays mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
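Editor's added example (not from either message in the thread, and not the poster's final profile): the quoted profile with the log-path change from the follow-up applied, plus the two read rules the managed-mode run asked for. The reason those two files are wanted is an assumption on my part rather than something the thread establishes: glibc's name-service switch reads /etc/nsswitch.conf on any user-name or host-name lookup, and the `files` backend then reads /etc/passwd for passwd lookups, so any Python code path that calls into the `pwd` module, `os.path.expanduser`, or socket name resolution will trigger exactly these two denials. The path names below are the ones in the thread; nothing else is invented.

```apparmor
# /etc/apparmor.d/usr.bin.obfsproxy (assembled example; see lead-in)
# vim:syntax=apparmor
#include <tunables/global>

/usr/bin/obfsproxy {
  #include <abstractions/base>
  #include <abstractions/python>

  # Family/type only: AppArmor on Ubuntu 14.04 cannot restrict peer
  # addresses or ports, so this still permits outbound connects anywhere.
  network inet stream,

  # Must match --log-file in the init script (the follow-up's fix for
  # log lines silently disappearing).
  /var/log/tor/obfsproxy rw,

  /dev/urandom r,
  /dev/random r,

  # Needed by managed-mode obfsproxy (assumption: glibc NSS lookups,
  # see lead-in). Equivalent but broader: #include <abstractions/nameservice>
  /etc/nsswitch.conf r,
  /etc/passwd r,

  # Still broad. To narrow it, switch the profile to complain mode
  # (aa-complain /etc/apparmor.d/usr.bin.obfsproxy), run obfsproxy for a
  # while, then let aa-logprof turn the logged denials into specific rules.
  /usr/** r,
  /usr/bin/obfsproxy rix,
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/usr.bin.obfsproxy`. To confirm the running daemon is actually confined rather than just listed by aa-status, read `/proc/$(cat /var/run/obfsproxy.pid)/attr/current`, which should print `/usr/bin/obfsproxy (enforce)`; anything the profile blocks shows up in /var/log/kern.log as `apparmor="DENIED"` with the operation and path. No rule is needed for the pid file: with `--make-pidfile`, start-stop-daemon writes it itself, as root, before `aa-exec` runs and confinement begins. On the "am I safe" question, the profile limits what a compromised obfsproxy can read and write on disk, but the `network inet stream` rule above does not limit where it can connect, so network-level containment still has to come from the firewall.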
