Package: tor
Version: 0.2.9.10-1
Severity: normal

I'm trying to have a server transport plugin listen on a port <1024. In the
past, it has worked to set CAP_NET_BIND_SERVICE on the pluggable transport
binary (e.g. /usr/bin/obfs4proxy). But that no longer works with the Debian
tor packages; the transport binary gets a "permission denied" error trying to
bind to the port. Bisection suggests that it stopped working in
tor_0.2.7.4-rc-1.

Here are instructions to reproduce. Building a fresh VM isn't necessary; I
only did that to show it doesn't depend on weird configurations in other
packages.

Build a base VM and boot it. When I did this, it installed tor_0.2.9.10-1.

  $ sudo /usr/sbin/vmdebootstrap --verbose --image=test.img --size=1G --distribution=stretch --grub --package=tor --package=obfs4proxy --package=libcap2-bin
  $ qemu-img convert -f raw -O qcow2 test.img test.qcow2
  $ kvm -cpu host -hda test.qcow2 -m 2G

Set the capability on /usr/bin/obfs4proxy:

  # setcap 'cap_net_bind_service=+eip' /usr/bin/obfs4proxy

Add these lines to /etc/tor/torrc:

  ORPort 9001
  BridgeRelay 1
  PublishServerDescriptor 0
  AssumeReachable
  ExtORPort auto
  ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy
  ServerTransportListenAddr obfs4 0.0.0.0:443

Restart tor with `service tor restart` and check /var/log/tor/log. You will
see this warning:

  [warn] Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)

The message that would appear instead if the setcap were working is:

  [notice] Registered server transport 'obfs4' at '[::]:443'

I tried bisecting with manually installed packages from snapshot.debian.org.
First I needed to install an older libssl1.0.0 to support the older versions
of tor:

  # wget http://snapshot.debian.org/archive/debian-security/20170127T195950Z/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1%2Bdeb8u6_amd64.deb
  # dpkg -i libssl1.0.0_1.0.1t-1+deb8u6_amd64.deb

Then, for each tor deb, I did:

  # dpkg -i tor_${VER}_amd64.deb    # say 'N' if it prompts to overwrite torrc
  # tail -n 50 /var/log/tor/log     # check whether obfs4 worked

These are the versions I tried:

  http://snapshot.debian.org/archive/debian-security/20170610T045408Z/pool/updates/main/t/tor/tor_0.2.5.14-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20150713T215209Z/pool/main/t/tor/tor_0.2.6.10-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20150731T034629Z/pool/main/t/tor/tor_0.2.7.2-alpha-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20150925T213031Z/pool/main/t/tor/tor_0.2.7.3-rc-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20151023T214618Z/pool/main/t/tor/tor_0.2.7.4-rc-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20151121T033923Z/pool/main/t/tor/tor_0.2.7.5-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20151211T214445Z/pool/main/t/tor/tor_0.2.7.6-1_amd64.deb
  http://snapshot.debian.org/archive/debian/20170305T153308Z/pool/main/t/tor/tor_0.2.9.10-1_amd64.deb

Here is a summary of the bisection results:

  0.2.5.14-1       Registered server transport 'obfs4' at '[::]:443'
  0.2.6.10-1       Registered server transport 'obfs4' at '[::]:443'
  0.2.7.2-alpha-1  Registered server transport 'obfs4' at '[::]:443'
  0.2.7.3-rc-1     Registered server transport 'obfs4' at '[::]:443'
  0.2.7.4-rc-1     obfs4 listen tcp 0.0.0.0:443: bind: permission denied
  0.2.7.5-1        obfs4 listen tcp 0.0.0.0:443: bind: permission denied
  0.2.7.6-1        obfs4 listen tcp 0.0.0.0:443: bind: permission denied
  0.2.9.10-1       obfs4 listen tcp 0.0.0.0:443: bind: permission denied

The changelog for 0.2.7.4-rc-1 mentions apparmor, so I would guess that is the
source of the problem:

  tor (0.2.7.4-rc-1) experimental; urgency=medium

    * New upstream version.
    * Include identity tag for syslog logging feature from master.
      This is bug#17194 upstream.
    * Support multiple instances (closes: #791393).
    * Split systemd service timeout into start and stop timeout, and raise
      them to 120 and 60 seconds from 45 (closes: tor#16398).
    * Enable apparmor support for the default tor service (re: #761404).
      Apparmor is not yet being enabled for any other tor instance.

A fix I tried that _doesn't_ work is to set `KeepBindCapabilities 1` in torrc.
That only causes this message to appear in the log:

  [warn] KeepBindCapabilities set, but no capability support on this system.

I'm not asking for a change in the Debian packaging, necessarily. I'd be happy
with an apparmor/systemd setting or an alternate way of running transport
plugins on low ports. I used obfs4proxy as an example above, but the reason I
need port 443 specifically is for Let's Encrypt integration in
snowflake-server, which is an HTTPS server.

-- System Information:
Debian Release: 9.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=, LC_CTYPE= (charmap=ANSI_X3.4-1968), LANGUAGE= (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tor depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  libc6                2.24-11
ii  libevent-2.0-5       2.0.21-stable-3
ii  libseccomp2          2.3.1-2.1
ii  libssl1.1            1.1.0f-3
ii  libsystemd0          232-25
ii  lsb-base             9.20161125
ii  zlib1g               1:1.2.8.dfsg-5

Versions of packages tor recommends:
ii  logrotate    3.11.0-0.1
pn  tor-geoipdb  <none>
pn  torsocks     <none>

Versions of packages tor suggests:
pn  apparmor-utils       <none>
pn  mixmaster            <none>
ii  obfs4proxy           0.0.7-1+b2
pn  obfsproxy            <none>
pn  socat                <none>
pn  tor-arm              <none>
pn  torbrowser-launcher  <none>

-- Configuration Files:
/etc/tor/torrc changed [not included]

-- no debconf information
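Added example, not part of the bug report or of the tor/Debian packaging: a POSIX shell check, run against the tor process's /proc/<pid>/status, of whether a file capability for CAP_NET_BIND_SERVICE on a child binary such as obfs4proxy could still take effect. The kernel honours a file capability on exec only when the bit remains in the parent's bounding set and no_new_privs is unset, both of which a service unit can change independently of AppArmor; the sample status contents are constructed, and an AppArmor profile denying net_bind_service is not covered by this check.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report): can the process that will
# exec a pluggable transport still hand CAP_NET_BIND_SERVICE to it through
# file capabilities? The kernel applies a file capability on exec only if
# the bit is still in the parent's bounding set (CapBnd) and the parent has
# not set no_new_privs; a service manager can change both.
CAP_NET_BIND_SERVICE=10   # capability number from <linux/capability.h>

# cap_in_mask HEXMASK CAPNUM: exit 0 if bit CAPNUM is set in a hex mask as
# printed in /proc/<pid>/status (64-bit, so test one hex digit at a time).
cap_in_mask() {
    mask=$1; cap=$2
    pos=$(( cap / 4 ))                  # hex digit index from the right
    bit=$(( cap % 4 ))
    len=${#mask}
    [ "$pos" -lt "$len" ] || return 1
    digit=$(printf '%s' "$mask" | cut -c "$(( len - pos ))")
    [ $(( (0x$digit >> bit) & 1 )) -eq 1 ]
}

# can_pass_bind_cap STATUSFILE: explain why file caps on the child would or
# would not work; exit 0 only if both conditions hold.
can_pass_bind_cap() {
    bnd=$(awk '/^CapBnd:/ { print $2 }' "$1")
    nnp=$(awk '/^NoNewPrivs:/ { print $2 }' "$1")   # field absent before 4.10
    ok=0
    if ! cap_in_mask "$bnd" "$CAP_NET_BIND_SERVICE"; then
        echo "CapBnd=$bnd: CAP_NET_BIND_SERVICE not in bounding set; file caps cannot grant it"
        ok=1
    fi
    if [ "${nnp:-0}" = 1 ]; then
        echo "NoNewPrivs=1: kernel ignores file capabilities on exec"
        ok=1
    fi
    if [ "$ok" -eq 0 ]; then
        echo "parent can pass CAP_NET_BIND_SERVICE via file caps"
    fi
    return "$ok"
}

# Constructed sample status files standing in for /proc/<pid>/status:
# a tor started by hand with a full bounding set, and one under a hardened
# service unit that dropped the bit and set no_new_privs.
tmp=$(mktemp -d)
printf 'Name:\ttor\nCapBnd:\t0000003fffffffff\nNoNewPrivs:\t0\n' > "$tmp/full.status"
printf 'Name:\ttor\nCapBnd:\t0000003ffffffbff\nNoNewPrivs:\t1\n' > "$tmp/hardened.status"

# Real use: can_pass_bind_cap "/proc/$(pidof tor)/status"
can_pass_bind_cap "$tmp/full.status"
```

Running it against the live tor pid tells you whether the "permission denied" can be explained by the unit's capability handling before looking at the AppArmor profile.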