Hey,
in Debian we want to enable mutli-arch support for torsocks. To be able to run different binaries of different archs. We already splitted libtorsocks into own package, so you can now install e.g.: torsocks:amd64, libtorsocks:amd64, libtorsocks:i386, wget:i386
But the torsocks script loads the libtorsocks by full path, so torsocks wget will fail, as it loads the amd64 variant only. ldconfig has this nice feature to find the correct library, if you only add the name and that the library is in default search dir or you add a conf file in / etc/ld.so.conf.d/.
Using just the libname makes the "safty" check `! -e "$SHLIB"` fail, as $SHLIB, is only the libname in our case.
Can you have a look at the patch[1], if you think it is safe to ship this? [1] https://salsa.debian.org/pkg-privacy-team/torsocks/-/blob/master/debian/ patches/0004-Make-torsocks-multi-arch-foreign-compatible.patch
The issue I see is this: If arch from executable and the corresponding libtorsocks is not installed, only a Error is printed, but still the executable is executed without routing trough tor. The disabled check in torsocks could somehow catch this, if we would knew the arch of the executable in advanced correctly (which we don't, so far). If we can make sure, that LD_PRELOAD would stop executing, if the library cannot be found.
e.g. I install libtorsocks:amd64 and wget:i386 I get: $wget -O- -4 icanhazip.com XX.230.187.XX $ torsocks wget -O- -4 icanhazip.com ERROR: ld.so: object 'libtorsocks.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. [...] XX.230.187.XX [...]
(installing libtorsocks:i386 fixes this)
On the other side, this does not got worse; currently torsocks will print a different error see #902792 but still execute the binary without tor. So this safety check doesn't help here (and btw. installing libtorsocks:i386 does not fix this issue by itself you also need to call /usr/bin/i386-linux-gnu- torsocks).
#902792 https://bugs.debian.org/cgi-bin/902792
Regards,
hefee
This looks basically ok to me. More below:
On 3/10/25 8:50 AM, Hefee via tor-dev wrote:
Hey,
in Debian we want to enable mutli-arch support for torsocks. To be able to run different binaries of different archs. We already splitted libtorsocks into own package, so you can now install e.g.: torsocks:amd64, libtorsocks:amd64, libtorsocks:i386, wget:i386
But the torsocks script loads the libtorsocks by full path, so torsocks wget will fail, as it loads the amd64 variant only. ldconfig has this nice feature to find the correct library, if you only add the name and that the library is in default search dir or you add a conf file in / etc/ld.so.conf.d/.
Maybe we could be a *little* more explicit and use a full path incorporating `${LIB}`? From ld.so(8):
``` In several places, the dynamic linker expands dynamic string tokens: o In the environment variables LD_LIBRARY_PATH, LD_PRELOAD, and LD_AUDIT,
... $LIB (or equivalently ${LIB}) This expands to lib or lib64 depending on the architecture (e.g., on x86-64, it expands to lib64 and on x86-32, it expands to lib).
```
This might head off some other weird corner cases (like some other `libtorsocks` ending up earlier in the library search path) and maybe give a stronger hint about what's going wrong in the error message you note below where the right library can't be found.
Using just the libname makes the "safty" check `! -e "$SHLIB"` fail, as $SHLIB, is only the libname in our case.
Can you have a look at the patch[1], if you think it is safe to ship this? [1] https://salsa.debian.org/pkg-privacy-team/torsocks/-/blob/master/debian/ patches/0004-Make-torsocks-multi-arch-foreign-compatible.patch
The issue I see is this: If arch from executable and the corresponding libtorsocks is not installed, only a Error is printed, but still the executable is executed without routing trough tor. The disabled check in torsocks could somehow catch this, if we would knew the arch of the executable in advanced correctly (which we don't, so far). If we can make sure, that LD_PRELOAD would stop executing, if the library cannot be found.
e.g. I install libtorsocks:amd64 and wget:i386 I get: $wget -O- -4 icanhazip.com XX.230.187.XX $ torsocks wget -O- -4 icanhazip.com ERROR: ld.so: object 'libtorsocks.so' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored. [...] XX.230.187.XX [...]
(installing libtorsocks:i386 fixes this)
On the other side, this does not got worse; currently torsocks will print a different error see #902792 but still execute the binary without tor. So this safety check doesn't help here (and btw. installing libtorsocks:i386 does not fix this issue by itself you also need to call /usr/bin/i386-linux-gnu- torsocks).
This is an unfortunate failure mode, but yeah at least not worse than the current state.
I was thinking about whether the torsocks script could try harder to detect this case, e.g. by itself checking what arch binary is being run and whether the corresponding library exists, but this would add a fair bit of complexity and would still miss cases where the target binary spawns more processes, possibly of different archs (e.g. `torsocks bash -c "wget ..."`)
Regards,
hefee
tor-dev mailing list -- tor-dev@lists.torproject.org To unsubscribe send an email to tor-dev-leave@lists.torproject.org
-Jim
Hey,
This looks basically ok to me. More below:
thx for this fast reply! Sorry I'm a little bit busy the last days...
Btw. would it be possible to ship a new release the next days? So I can push this new version to Debian trixie? As the soft freeze is happening at 15. April.
But the torsocks script loads the libtorsocks by full path, so torsocks wget will fail, as it loads the amd64 variant only. ldconfig has this nice feature to find the correct library, if you only add the name and that the library is in default search dir or you add a conf file in / etc/ld.so.conf.d/.
Maybe we could be a *little* more explicit and use a full path incorporating `${LIB}`? From ld.so(8): [...]
I see your point, but unfortunately it is not only lib64 vs. lib directory, as Debian uses the different arch trippets for their lib paths. As you also want different arm archs e.g. /usr/lib/x86_64-linux-gnu/ and /usr/lib/i386-linux-gnu/
for the complete list see https://wiki.debian.org/Multiarch/Tuples
This might head off some other weird corner cases (like some other `libtorsocks` ending up earlier in the library search path) and maybe give a stronger hint about what's going wrong in the error message you note below where the right library can't be found.
I see your point you are thinking at a warning like: You enabled those archs but missing libtorsoks for following archs: X, Y, Z
I don't know if that is easy possible but I'll ask for help on Debian side.
This is an unfortunate failure mode, but yeah at least not worse than the current state.
I was thinking about whether the torsocks script could try harder to detect this case, e.g. by itself checking what arch binary is being run and whether the corresponding library exists, but this would add a fair bit of complexity and would still miss cases where the target binary spawns more processes, possibly of different archs (e.g. `torsocks bash -c "wget ..."`)
Yes it would be nice, if torsocks could detect the arch correctly, but I also thought at these complications about subprocesses.
Regards,
hefee
On 3/26/25 7:45 PM, Hefee wrote:
Hey,
This looks basically ok to me. More below:
thx for this fast reply! Sorry I'm a little bit busy the last days...
Btw. would it be possible to ship a new release the next days? So I can push this new version to Debian trixie? As the soft freeze is happening at 15. April.
Ah, I was just looking for who to talk to about this. We actually just released 2.5.0 today :)
https://gitlab.torproject.org/tpo/core/torsocks/-/releases/v2.5.0
But the torsocks script loads the libtorsocks by full path, so torsocks wget will fail, as it loads the amd64 variant only. ldconfig has this nice feature to find the correct library, if you only add the name and that the library is in default search dir or you add a conf file in / etc/ld.so.conf.d/.
Maybe we could be a *little* more explicit and use a full path incorporating `${LIB}`? From ld.so(8): [...]
I see your point, but unfortunately it is not only lib64 vs. lib directory, as Debian uses the different arch trippets for their lib paths. As you also want different arm archs e.g. /usr/lib/x86_64-linux-gnu/ and /usr/lib/i386-linux-gnu/
for the complete list see https://wiki.debian.org/Multiarch/Tuples
ld.so also supports `${PLATFORM}`, though I'm unclear whether it'd map to precisely these directory names.
This might head off some other weird corner cases (like some other `libtorsocks` ending up earlier in the library search path) and maybe give a stronger hint about what's going wrong in the error message you note below where the right library can't be found.
I see your point you are thinking at a warning like: You enabled those archs but missing libtorsoks for following archs: X, Y, Z
I don't know if that is easy possible but I'll ask for help on Debian side.
Hmm, yeah that seems like it'd be helpful, particularly if we're not able to pull off something with `${PLATFORM}` and `${LIB}.
This is an unfortunate failure mode, but yeah at least not worse than the current state.
I was thinking about whether the torsocks script could try harder to detect this case, e.g. by itself checking what arch binary is being run and whether the corresponding library exists, but this would add a fair bit of complexity and would still miss cases where the target binary spawns more processes, possibly of different archs (e.g. `torsocks bash -c "wget ..."`)
Yes it would be nice, if torsocks could detect the arch correctly, but I also thought at these complications about subprocesses.
Regards,
hefee
Thanks for reaching out!
-Jim
Hey,
Ah, I was just looking for who to talk to about this. We actually just released 2.5.0 today :)
https://gitlab.torproject.org/tpo/core/torsocks/-/releases/v2.5.0
Great. On Debian side we have scripts that scan for new releases automatically. But I do not check those pages on a daily basis ;) So in case if it not a time critical, we get the information about a new release without any need from your side to inform me :)
Regards
hefee
-
Hefee -
Jim Newsome