permission denied when running snowflake-client with debian-tor user

Dear Tor developers,
I met a problem when trying to use the snowflake-client binary extracted from TBB 8.0a8 with the system Tor.
Specifically, it seems snowflake-client cannot be run by debian-tor user, regardless of the permissions it is given.
I am posting the full steps below. A better formatted version of it can be found here: http://forums.whonix.org/t/replacing-meek-snowflake/5190/18
Here is the original permission and ownership of snowflake-client:
user@host:~$ ls -l snowflake-client
-rwx------ 1 user user 14160744 Jun 4 06:17 snowflake-client
It can be executed by user user:
user@host:~$ sudo -u user ./snowflake-client
2018/06/04 06:18:21
--- Starting Snowflake Client ---
2018/06/04 06:18:21 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:18:21 Waiting for a "signal" pipe...
^C
We now change the permission to make it executable by user debian-tor:
user@host:~$ sudo chmod 777 snowflake-client
user@host:~$ sudo -u debian-tor ./snowflake-client
2018/06/04 06:18:43
Noticed the permission denied:
--- Starting Snowflake Client ---
2018/06/04 06:18:43 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:18:43 Waiting for a "signal" pipe...
2018/06/04 06:18:43 open signal: permission denied
We now change its ownership to debian-tor:debian-tor:
user@host:~$ sudo chown debian-tor:debian-tor snowflake-client
user@host:~$ ls -l snowflake-client
-rwxrwxrwx 1 debian-tor debian-tor 14160744 Jun 4 06:17 snowflake-client
Still, permission denied:
user@host:~$ sudo -u debian-tor ./snowflake-client
2018/06/04 06:19:15
--- Starting Snowflake Client ---
2018/06/04 06:19:15 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:19:15 Waiting for a "signal" pipe...
2018/06/04 06:19:15 open signal: permission denied
However, when executing it by user, it works fine:
user@host:~$ sudo -u user ./snowflake-client
2018/06/04 06:19:22
--- Starting Snowflake Client ---
2018/06/04 06:19:22 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:19:22 Waiting for a "signal" pipe...
^C
I didn't find any special requirement for the user who runs snowflake-client from the documentation, so it would be extremely helpful and appreciated if you could share some insights on this problem. :)
Best Regards,
iry

On Jun 11, 2018, at 7:35 AM, iry <iry@riseup.net> wrote:
> Dear Tor developers,
> I met a problem when trying to use the snowflake-client binary extracted from TBB 8.0a8 with the system Tor.
> Specifically, it seems snowflake-client cannot be run by debian-tor user, regardless of the permissions it is given.
> I am posting the full steps below. A better formatted version of it can be found here: http://forums.whonix.org/t/replacing-meek-snowflake/5190/18
> Here is the original permission and ownership of snowflake-client:
> user@host:~$ ls -l snowflake-client
> -rwx------ 1 user user 14160744 Jun 4 06:17 snowflake-client
> It can be executed by user user:
> user@host:~$ sudo -u user ./snowflake-client
> 2018/06/04 06:18:21
> --- Starting Snowflake Client ---
> 2018/06/04 06:18:21 No HTTP signaling detected. Using manual copy-paste signaling.
> 2018/06/04 06:18:21 Waiting for a "signal" pipe...
> ^C
> We now change the permission to make it executable by user debian-tor:
> user@host:~$ sudo chmod 777 snowflake-client
> user@host:~$ sudo -u debian-tor ./snowflake-client
> 2018/06/04 06:18:43
> Noticed the permission denied:
> --- Starting Snowflake Client ---
> 2018/06/04 06:18:43 No HTTP signaling detected. Using manual copy-paste signaling.
> 2018/06/04 06:18:43 Waiting for a "signal" pipe...
> 2018/06/04 06:18:43 open signal: permission denied
> We now change its ownership to debian-tor:debian-tor:
> user@host:~$ sudo chown debian-tor:debian-tor snowflake-client
> user@host:~$ ls -l snowflake-client
> -rwxrwxrwx 1 debian-tor debian-tor 14160744 Jun 4 06:17 snowflake-client
> Still, permission denied:
> user@host:~$ sudo -u debian-tor ./snowflake-client
> 2018/06/04 06:19:15
> --- Starting Snowflake Client ---
> 2018/06/04 06:19:15 No HTTP signaling detected. Using manual copy-paste signaling.
> 2018/06/04 06:19:15 Waiting for a "signal" pipe...
> 2018/06/04 06:19:15 open signal: permission denied
> However, when executing it by user, it works fine:
> user@host:~$ sudo -u user ./snowflake-client
> 2018/06/04 06:19:22
> --- Starting Snowflake Client ---
> 2018/06/04 06:19:22 No HTTP signaling detected. Using manual copy-paste signaling.
> 2018/06/04 06:19:22 Waiting for a "signal" pipe...
> ^C
> I didn't find any special requirement for the user who runs snowflake-client from the documentation, so it would be extremely helpful and appreciated if you could share some insights on this problem. :)
When you launch the client binary without providing a broker url it tries to create a named pipe (mkfifo) to do signalling.
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client...
Try providing a -url as in,
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client...
> Best Regards,
> iry

On Mon, 11 Jun 2018 13:24:19 -0400 Arlo Breault <arlo@torproject.org> wrote:
> When you launch the client binary without providing a broker url it tries to create a named pipe (mkfifo) to do signalling.
> https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client...
The PT spec explicitly forbids this behavior, to avoid this problem.
https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt#n188
"TOR_PT_STATE_LOCATION"
Specifies an absolute path to a directory where the PT is allowed to store state that will be persisted across invocations. The directory is not required to exist when the PT is launched, however PT implementations SHOULD be able to create it as required.
PTs MUST only store files in the path provided, and MUST NOT create or modify files elsewhere on the system.
Example:
TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/
Regards,
--
Yawning Angel
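
The rule quoted from the PT spec above, sketched in Go as an added example (not part of the thread and not Snowflake's code): a relative name such as `signal` is resolved against the current working directory, which the user running the PT may not be able to write, whereas a path built under `TOR_PT_STATE_LOCATION` does not depend on it. `statePath` and `makeSignalPipe` are hypothetical names, and a Unix-like system is assumed for `syscall.Mkfifo`.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// statePath resolves name inside TOR_PT_STATE_LOCATION and creates that
// directory if needed. It never falls back to the current working directory.
func statePath(name string) (string, error) {
	dir := os.Getenv("TOR_PT_STATE_LOCATION")
	if !filepath.IsAbs(dir) {
		return "", errors.New("TOR_PT_STATE_LOCATION must be an absolute path")
	}
	dir = filepath.Clean(dir)
	p := filepath.Join(dir, name)
	// Reject names such as "../signal" that would land outside the state dir.
	rel, err := filepath.Rel(dir, p)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%q escapes the state directory", name)
	}
	// The spec allows the directory to be missing at launch; create it privately.
	if err := os.MkdirAll(dir, 0700); err != nil {
		return "", err
	}
	return p, nil
}

// makeSignalPipe (hypothetical helper) creates the FIFO under the state
// directory instead of the relative path "signal".
func makeSignalPipe() (string, error) {
	p, err := statePath("signal")
	if err != nil {
		return "", err
	}
	if err := syscall.Mkfifo(p, 0600); err != nil && !errors.Is(err, syscall.EEXIST) {
		return "", fmt.Errorf("mkfifo %s: %w", p, err)
	}
	return p, nil
}

func main() {
	p, err := makeSignalPipe()
	fmt.Println(p, err)
}
```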

On Mon, Jun 11, 2018 at 07:30:31PM +0000, Yawning Angel wrote:
> On Mon, 11 Jun 2018 13:24:19 -0400 Arlo Breault <arlo@torproject.org> wrote:
> > When you launch the client binary without providing a broker url it tries to create a named pipe (mkfifo) to do signalling.
> > https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client...
> The PT spec explicitly forbids this behavior, to avoid this problem.
It's just a vestige of some early debugging code, don't worry about it. Before we had the broker and everything, you had to manually copy and paste rendezvous messages.
participants (4)
- Arlo Breault
- David Fifield
- iry
- Yawning Angel