[tor-relays] Did obfs4proxy stopped working for you on Debian Buster or Bullseye?
s7r
s7r at sky-ip.org
Fri Sep 3 17:03:28 UTC 2021
s7r wrote:
> Hello,
>
> I think it has something to do with our hardening configuration. On
> Debian Bullseye, I start my bridge with log info and I get:
>
> [info] process_exec(): Starting new process: /usr/local/bin/obfs4proxy
> [info] launch_managed_proxy(): Managed proxy at
> '/usr/local/bin/obfs4proxy' has spawned with PID '1856'.
>
> When I start the bridge (using systemd/systemctl), there are no Tor
> processes or obfs4proxy processes running on the machine.
>
> After it logs that info that it has spawned with another PID, I can find
> that PID in my system as DEFUNCT.
>
> # ps aux | grep tor
> debian-+ 1855 91.9 5.7 243532 230668 ? Rs 17:28 0:15
> /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc
> -f /etc/tor/torrc --RunAsDaemon 0
> debian-+ 1856 5.2 0.0 0 0 ? Z 17:28 0:00 [tor]
> <defunct>
>
>
> Wonder what is causing this. I am using the default install from
> deb.tp.o just with NoNewPrivileges=no in tor@default.service and
> tor@.service.
>
> I also find it buggy that this is at info level.
>
>
Fixed it. This was due to incorrect AppArmor settings.
The obfs4proxy process was being killed by AppArmor:
audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor"
name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x"
denied_mask="x" fsuid=107 ouid=0
kernel: audit: type=1400 audit(1630685584.124:19): apparmor="DENIED"
operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy"
pid=2994 comm="tor" requested_mask="x" denied_mask="x" >
And this is because my obfs4proxy executable was installed in a
different path than /usr/bin/obfs4proxy, which is in the "default"
shipped AppArmor settings for Tor.
All I had to do was to edit /etc/apparmor.d/abstractions/tor
and change from:
/usr/bin/obfs4proxy Pix,
to
/usr/local/bin/obfs4proxy Pix,
and
$ sudo service apparmor reload
And it worked. This extra step is in addition to setcap +ep obfs4proxy
and NoNewPrivileges=no in /lib/systemd/system/tor@default.service and
/lib/systemd/system/tor@.service, and it's only necessary if you install
obfs4proxy (or another pluggable transport) in a different location than
/usr/bin/$transport; otherwise it works normally.
Thanks for reading and sorry about the noise. Logged
https://gitlab.torproject.org/tpo/core/tor/-/issues/40459 to improve the
wiki and maybe escalate the log level for those two messages.
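The check below is an added example and not part of the original post or of the Tor project's tooling. It parses AppArmor audit lines shaped like the ones quoted above, lists the executables the "system_tor" profile refused to exec, and compares each against the exec rules in an abstraction file, so an operator can see which rule is missing before editing /etc/apparmor.d/abstractions/tor. The audit lines, the second denied path (/opt/pt/snowflake-client) and the abstraction text are constructed sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: find executables that the
# system_tor AppArmor profile denied exec for, and report which of them
# lack a rule in the abstraction file.

# Constructed sample audit lines, modelled on the post's log output.
# The snowflake-client line is made up to show a second denied transport.
SAMPLE_AUDIT='audit[2994]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/usr/local/bin/obfs4proxy" pid=2994 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0
audit[3001]: AVC apparmor="ALLOWED" operation="open" profile="system_tor" name="/etc/tor/torrc" pid=3001 comm="tor" requested_mask="r" denied_mask="r" fsuid=107 ouid=0
audit[3005]: AVC apparmor="DENIED" operation="exec" profile="system_tor" name="/opt/pt/snowflake-client" pid=3005 comm="tor" requested_mask="x" denied_mask="x" fsuid=107 ouid=0'

# Constructed stand-in for the shipped abstraction, which only allows /usr/bin paths.
SAMPLE_ABSTRACTION='  /usr/bin/obfs4proxy Pix,
  /usr/bin/snowflake-client Pix,'

# denied_exec_paths PROFILE: read audit lines on stdin and print the unique
# name="..." values of DENIED exec events for PROFILE, one per line.
denied_exec_paths() {
    grep 'apparmor="DENIED"' | grep 'operation="exec"' \
        | grep "profile=\"$1\"" \
        | sed -n 's/.*name="\([^"]*\)".*/\1/p' | sort -u
}

# path_allowed PATH ABSTRACTION_TEXT: succeed when ABSTRACTION_TEXT contains a
# rule whose first field is exactly PATH and whose permission string ends in
# an exec bit ("x"), e.g. "/usr/bin/obfs4proxy Pix,".
path_allowed() {
    printf '%s\n' "$2" | awk -v p="$1" \
        '$1 == p && $2 ~ /x,?$/ { found = 1 } END { exit found ? 0 : 1 }'
}

# missing_rules PROFILE ABSTRACTION_TEXT: read audit lines on stdin and print,
# for each denied path with no matching rule, the rule line that the
# abstraction would need (same "Pix," form as the shipped rule).
missing_rules() {
    denied_exec_paths "$1" | while read -r path; do
        if ! path_allowed "$path" "$2"; then
            printf '%s Pix,\n' "$path"
        fi
    done
}

# Stand-alone run over the constructed data; on a real host you would pipe
# `journalctl -k` or /var/log/audit/audit.log into missing_rules and pass
# the contents of /etc/apparmor.d/abstractions/tor as the second argument.
printf '%s\n' "$SAMPLE_AUDIT" | missing_rules system_tor "$SAMPLE_ABSTRACTION"
```

Once a rule is added, `sudo service apparmor reload` (as in the post) is still needed for the profile to pick it up; rerunning the check after a restart of the bridge confirms that no further DENIED exec events appear for the profile.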