[tor-bugs] #7875 [Tor]: debian obfsproxies can't advertise ports under 1024

Tor Bug Tracker & Wiki blackhole at torproject.org
Sun Mar 15 01:13:51 UTC 2015


#7875: debian obfsproxies can't advertise ports under 1024
------------------------+------------------------------
     Reporter:  arma    |      Owner:  asn
         Type:  defect  |     Status:  needs_review
     Priority:  normal  |  Milestone:  Tor: unspecified
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  tor-bridge
Actual Points:          |  Parent ID:
       Points:          |
------------------------+------------------------------

Comment (by yawning):

 Replying to [comment:18 weasel]:
 > setcapping the binary would allow any user to listen on any low port
 > using the binary.  I don't think it's a good general purpose solution for
 > a distribution.

 I agree.  IMO it's not a package's place to dictate security policy, at
 least not for something like `obfs4proxy`.  I still think it should be
 mentioned along with a detailed port forwarding example in our
 documentation, since those are the two current solutions for this issue.

 Replying to [comment:19 isis]:
 > Replying to [comment:17 yawning]:
 > > FTE/ScrambleSuit still use the old python codebase so those require
 > > further investigation.
 >
 > `setcap`ing Python scripts also works just fine. (We used to do it with
 > OONI to give raw socket capabilities without giving the script root
 > privileges.)

 It shouldn't unless you were `setcap`ing the python binary....

 As a simple test:
 {{{
 #!/usr/bin/python2
 import socket
 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 s.bind(('127.0.0.1', 9))
 s.listen(5)
 }}}

 Baseline behavior:
 {{{
 ypres :: ~ % ./discard.py
 Traceback (most recent call last):
   File "./discard.py", line 4, in <module>
     s.bind(('127.0.0.1', 9))
   File "/usr/lib/python2.7/socket.py", line 224, in meth
     return getattr(self._sock,name)(*args)
 socket.error: [Errno 13] Permission denied
 ypres :: ~ % sudo ./discard.py
 ypres :: ~ %
 }}}

 `setcap` the script along with the `#!` handler, or `/usr/bin/python2
 discard.py`:
 {{{
 ypres :: ~ % sudo setcap 'cap_net_bind_service=+ep' /home/yawning/discard.py
 ypres :: ~ % ./discard.py
 Traceback (most recent call last):
   File "./discard.py", line 4, in <module>
     s.bind(('127.0.0.1', 9))
   File "/usr/lib/python2.7/socket.py", line 224, in meth
     return getattr(self._sock,name)(*args)
 socket.error: [Errno 13] Permission denied
 }}}

 Use a python interpreter with elevated privileges:
 {{{
 ypres :: ~ % cp /usr/bin/python2 ./python2-setcapped
 ypres :: ~ % sudo setcap 'cap_net_bind_service=+ep' /home/yawning/python2-setcapped
 ypres :: ~ % ./python2-setcapped discard.py
 ypres :: ~ %
 }}}

 dgoulet's patch *should* produce behavior identical to the last case,
 unless there's other weirdness going on.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7875#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
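The experiment in the comment above shows the kernel ignoring file capabilities on a `#!` script and honouring them only on the interpreter binary that is actually exec'd. The following is an added example, not code from the ticket, from Tor or from obfs4proxy, that turns that diagnosis into a runnable check: it attempts the low-port bind, reads the process's effective capability set from `/proc/self/status` (`CapEff`), reads the privileged-port boundary from the `net.ipv4.ip_unprivileged_port_start` sysctl where the kernel exposes it (falling back to 1024), and reports whether `CAP_NET_BIND_SERVICE` is actually present. It assumes Linux; every helper name is this example's own.

```python
#!/usr/bin/env python3
"""Diagnose a failed bind() to a privileged port.

Added illustration, not code from the ticket or from the Tor/obfs4proxy
projects.  Assumes Linux: the effective capability set is read from
/proc/self/status (CapEff) and the privileged-port boundary from the
net.ipv4.ip_unprivileged_port_start sysctl (Linux >= 4.11, default 1024).
All helper names below are this example's own.
"""
import errno
import socket

# Capability bit number from <linux/capability.h>.
CAP_NET_BIND_SERVICE = 10
DEFAULT_PRIVILEGED_PORT_LIMIT = 1024


def parse_cap_eff(status_text):
    """Extract the CapEff hex bitmask from /proc/<pid>/status text; None if absent."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    return None


def has_cap(mask, cap):
    """True if capability number `cap` is set in bitmask `mask`."""
    return mask is not None and (mask >> cap) & 1 == 1


def effective_caps():
    """CapEff of the running process, or None when /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            return parse_cap_eff(f.read())
    except OSError:
        return None


def privileged_port_limit():
    """First port an unprivileged process may bind; sysctl on newer kernels."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_PRIVILEGED_PORT_LIMIT


def try_bind(port, host="127.0.0.1"):
    """Attempt a bind; return (ok, errno or None, port actually bound)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return True, None, s.getsockname()[1]
    except OSError as e:
        return False, e.errno, None
    finally:
        s.close()


def explain(port, ok, err, cap_mask, limit):
    """Turn a bind outcome into a one-line diagnosis (pure function)."""
    if ok:
        return "bind to port %d succeeded" % port
    if err == errno.EACCES and port < limit:
        if has_cap(cap_mask, CAP_NET_BIND_SERVICE):
            return "EACCES despite CAP_NET_BIND_SERVICE; look elsewhere (LSM, sandbox)"
        return ("EACCES: port %d < %d and CAP_NET_BIND_SERVICE is not in CapEff; "
                "file capabilities on a #! script are ignored, so setcap the "
                "interpreter binary or forward the port" % (port, limit))
    return "bind failed with errno %s" % errno.errorcode.get(err, err)


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9  # port 9 = discard, as in the ticket
    ok, err, _ = try_bind(port)
    print(explain(port, ok, err, effective_caps(), privileged_port_limit()))
```

Run it as `./capcheck.py 9` both directly (file capabilities on the script itself, which the kernel ignores) and via a `setcap`ped copy of the interpreter; the `CapEff` line is what differs between the two cases. The same check applies to the caveat weasel raised: whichever interpreter binary carries `cap_net_bind_service=+ep` grants that capability to every user who can execute it, so the diagnosis should be read together with `getcap` output for that binary.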
