[tor-relays] Standalone obfsproxy apparmor profile etc.

thegreatwent at Safe-mail.net
Wed Nov 12 23:53:10 UTC 2014


I fixed the logging issue by changing "/var/log/tor/log rw," in the profile to "/var/log/tor/obfsproxy rw,"; and changing the value in my service script to:
DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy --log-file=/var/log/tor/obfsproxy --log-min-severity=info obfs3 --dest $DEST server $SERVER"
I also changed to PIDFILE="/var/run/obfsproxy.pid" because the earlier version didn't work on reboot.

Now I can see I am getting traffic! 8 unique addresses in the past hour etc.

So that mostly just leaves open the question of why managed mode obfsproxy wants to read /etc/passwd and nsswitch.conf? Is this the wrong place to ask?
 

-------- Original Message --------
From: thegreatwent at Safe-mail.net
Apparently from: tor-relays-bounces at lists.torproject.org
To: tor-relays at lists.torproject.org
Subject: [tor-relays] Standalone obfsproxy apparmor profile etc.
Date: Tue, 11 Nov 2014 18:01:16 -0500

> Not sure if this is the right place to post or if this will help anybody, but I think I figured out how to run a standalone (NOT managed) obfs3 obfsproxy on Ubuntu 14.04 with a somewhat confined apparmor profile running under the debian-tor user.
> 
> I verified this by looking at ps and it shows "debian-tor [...] /usr/bin/python /usr/bin/obfsproxy obfs3[...]". AA-STATUS says /usr/bin/obfsproxy is in enforce mode, and removing "network inet stream," for example from the aa profile results in obfsproxy failing to start.
> 
> The line in the profile for "/usr/** r," is ugly, but replacing it with "/usr/bin/** r," didn't work. Obfsproxy log messages also seem to be going to /dev/null, so I'm missing something there.
> 
> So Linux/Apparmor experts, is there anything bad/wrong with this setup? Am I relatively safe from bad guys hacking into my obfsproxy ports? How can I see if the good guys are using it successfully?
> 
> The aa profile does not work for managed instances of obfsproxy. It complained about wanting read access to nsswitch.conf and /etc/passwd and I don't know enough python to understand why it wants that, so I didn't add it.
> 
> Below is also attached:
> 
> /etc/tor/torrc [just the relevant lines, using iptables to redirect from advertised obfs3port to actual] 
> 
> -------------------
> ServerTransportPlugin obfs3 proxy a.b.c.d:[advertisedobfs3port]
> ExtORPort auto
> -------------------
> 
> 
> /etc/apparmor.d/usr.bin.obfsproxy
> 
> -------------------
> # vim:syntax=apparmor
> #include <tunables/global>
> 
> /usr/bin/obfsproxy {
>   #include <abstractions/base>
>   #include <abstractions/python>
>   network inet stream,
> 
>   /var/log/tor/log rw,
>   /dev/urandom r,
>   /dev/random r,
>   /usr/** r,
>   /usr/bin/obfsproxy rix,
> 
> }
> -------------------
> 
> 
> /etc/init.d/obfsproxy
> 
> -------------------
> #!/bin/bash
> 
> PIDFILE="/var/run/obfsproxy/obfsproxy.pid"
> DEST="127.0.0.1:[ORPort]"
> SERVER="a.b.c.d:[obfs3port]"
> DAEMON="/usr/bin/obfsproxy -- --profile=/usr/bin/obfsproxy -- /usr/bin/obfsproxy obfs3 --dest $DEST server $SERVER"
> 
> ### BEGIN INIT INFO
> # Provides: Obfsproxy
> # Required-Start:
> # Required-Stop:
> # Default-Start: 2 3 4 5
> # Default-Stop: 0 1 6
> # Short-Description: Obfsproxy
> ### END INIT INFO
> 
> case "$1" in
> start)
> echo "Starting Obfsproxy"
> 
> /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
>   --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
> ;;
> stop)
> echo "Stopping Obfsproxy"
> 
> /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
> ;;
> restart|reload)
> /sbin/start-stop-daemon --stop --pidfile $PIDFILE --verbose
> sleep 1
> /sbin/start-stop-daemon --make-pidfile --background --oknodo --start --pidfile $PIDFILE \
>   --chuid debian-tor:debian-tor --startas /usr/sbin/aa-exec --exec $DAEMON
> ;;
> *)
> echo "Usage: /etc/init.d/obfsproxy {start|stop|restart|reload}"
> exit 1
> ;;
> esac
> 
> exit 0
> -------------------
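When the profile is missing a rule (the log file going to /dev/null, the managed-mode reads of /etc/passwd and nsswitch.conf), the fastest way to see exactly what the confined process was refused is to read the AppArmor DENIED events in the audit log. The following is an added example, not part of this thread or of obfsproxy: a small parser that collects the denials recorded for the /usr/bin/obfsproxy profile and renders them as candidate file rules; the audit lines are constructed samples in the kernel's AppArmor log format, not captured from a relay.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in the shape the AppArmor LSM logs
# (via auditd or the kernel log); they are illustrative, not captured output.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1415836390.123:4711): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/etc/passwd" pid=2231 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
type=AVC msg=audit(1415836390.124:4712): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/etc/nsswitch.conf" pid=2231 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
type=AVC msg=audit(1415836391.001:4713): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/var/log/tor/obfsproxy" pid=2231 comm="obfsproxy" requested_mask="wc" denied_mask="wc" fsuid=110 ouid=110
type=AVC msg=audit(1415836391.002:4714): apparmor="DENIED" operation="open" profile="/usr/bin/obfsproxy" name="/var/log/tor/obfsproxy" pid=2231 comm="obfsproxy" requested_mask="r" denied_mask="r" fsuid=110 ouid=110
type=AVC msg=audit(1415836391.003:4715): apparmor="DENIED" operation="open" profile="/usr/sbin/tor" name="/etc/tor/torrc" pid=2200 comm="tor" requested_mask="r" denied_mask="r" fsuid=110 ouid=0
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Map the kernel's denied_mask letters onto AppArmor file-rule permissions;
# 'c' (create) and 'd' (delete) are covered by 'w' in a profile rule.
MASK_TO_PERM = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "a",
                "k": "k", "l": "l", "m": "m"}
PERM_ORDER = "rwamlk"

def parse_denials(audit_text, profile):
    """Return {path: set(permission letters)} for DENIED events of `profile`."""
    wanted = defaultdict(set)
    for line in audit_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("apparmor") != "DENIED" or fields.get("profile") != profile:
            continue
        path = fields.get("name")
        if not path:
            continue  # network/capability denials carry no file name
        for letter in fields.get("denied_mask", ""):
            if letter in MASK_TO_PERM:
                wanted[path].add(MASK_TO_PERM[letter])
    return wanted

def suggest_rules(wanted):
    """Render one AppArmor file rule per path, permissions in canonical order."""
    rules = []
    for path in sorted(wanted):
        perms = "".join(p for p in PERM_ORDER if p in wanted[path])
        rules.append(f"  {path} {perms},")
    return rules

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT, "/usr/bin/obfsproxy")
    # Review each line before pasting it into the profile: a rule that grants
    # /etc/passwd read widens what a compromised obfsproxy process can see.
    print("\n".join(suggest_rules(denials)))
```

On a live host, feed it the output of `grep apparmor= /var/log/audit/audit.log` (or `dmesg`) instead of SAMPLE_AUDIT; denials for other profiles, such as the tor line above, are ignored.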

