[tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 10 18:39:48 UTC 2020


#18356: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
-------------------------------------------------+-------------------------
 Reporter:  irregulator                          |          Owner:  asn
     Type:  defect                               |         Status:  new
 Priority:  Low                                  |      Milestone:  Tor:
                                                 |  unspecified
Component:  Core Tor/Tor                         |        Version:  Tor:
                                                 |  0.2.7.4-rc
 Severity:  Normal                               |     Resolution:
 Keywords:  obfs4proxy, systemd, jessie, tor-pt  |  Actual Points:
Parent ID:                                       |         Points:  15
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by phw):

 I recently had a chat with weasel about the same topic.  He would be happy
 to mention the above in README.Debian if we can provide a patch.  Weasel
 also finds setcap scary and considers a NAT/firewall rule from a low to a
 high port more reasonable. The problem is that `ServerTransportListenAddr`
 has no equivalent for `ORPort`'s `NoListen` directive, and is generally
 [https://trac.torproject.org/projects/tor/ticket/29285#comment:5 due for
 an overhaul].

 [https://community.torproject.org/relay/setup/bridge/ Our bridge setup
 guides] still advise to overwrite the original systemd config file, which
 is bad because it gets overwritten when the obfs4proxy package is updated.
 In fact, I think we are having the same problem with the obfs4proxy
 binary, which may lose its `CAP_NET_BIND_SERVICE` capability once the
 package is updated and the file overwritten. We should fix this.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18356#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
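
The comment above notes that the obfs4proxy binary may lose its `CAP_NET_BIND_SERVICE` capability when a package update overwrites the file. The following check for that condition is an added example, not part of the ticket or of any Tor Project code; the binary path `/usr/bin/obfs4proxy` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: detect a lost CAP_NET_BIND_SERVICE file capability on obfs4proxy.
# Assumption: the binary lives at /usr/bin/obfs4proxy; override via OBFS4PROXY_BIN.
OBFS4PROXY_BIN="${OBFS4PROXY_BIN:-/usr/bin/obfs4proxy}"

# has_bind_cap GETCAP_LINE
# Succeeds when one line of getcap output grants cap_net_bind_service with both
# the effective (e) and permitted (p) flags. Accepts the older libcap layout
# ("path = cap_x+ep") and the newer one ("path cap_x=ep").
# Limitation: paths containing whitespace are not supported.
has_bind_cap() {
    # Word-split the line: first word is the path, the rest are "=" or clauses.
    set -- $1
    [ $# -ge 2 ] || return 1      # empty output means no file capabilities
    shift                         # drop the path
    for clause in "$@"; do
        case $clause in
            *cap_net_bind_service*[+=]*)
                flags=${clause##*[+=]}          # text after the last + or =
                case $flags in *e*) ;; *) continue ;; esac
                case $flags in *p*) return 0 ;; esac
                ;;
        esac
    done
    return 1
}

# check_obfs4proxy_cap [PATH]
# Queries the binary with getcap and reports whether a bind to a port below
# 1024 can still rely on the file capability.
check_obfs4proxy_cap() {
    bin=${1:-$OBFS4PROXY_BIN}
    out=$(getcap "$bin" 2>/dev/null) || out=
    if has_bind_cap "$out"; then
        echo "ok: $bin has cap_net_bind_service"
    else
        echo "missing: $bin lacks cap_net_bind_service" >&2
        return 1
    fi
}

# Usage: check_obfs4proxy_cap            (default path)
#        check_obfs4proxy_cap /path/to/obfs4proxy
```

Running `check_obfs4proxy_cap` after each package upgrade surfaces the loss before the bridge silently fails to bind its low port.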