[tor-relays] Quick bugfix sharing regarding obfs4 malfunctioning

David Fifield david at bamsoftware.com
Thu Sep 7 16:54:29 UTC 2023


On Thu, Sep 07, 2023 at 02:12:36PM +0200, telekobold wrote:
> I just want to share some quick bugfix with you (sorry if this is obvious to
> you or has been written somewhere else).
> 
> Suddenly, I got the following error messages on my two bridges running on
> Debian 11 appearing in the logs (in /var/log/tor/notices.log and in the nyx
> output) every second until a restart:
> 
> <timestamp> [warn] Managed proxy "/usr/bin/obfs4proxy" process terminated
> with status code 65280
> <timestamp> [warn] Server managed proxy encountered a method error. (obfs4
> listen tcp 0.0.0.0:443: bind: permission denied)
> <timestamp> [warn] Managed proxy '/usr/bin/obfs4proxy' was spawned
> successfully, but it didn't launch any pluggable transport listeners!
> 
> When restarting the corresponding bridge, in the startup process the second
> and the third of the above warning messages again appeared in the logs. So
> obfs4 was suddenly not usable any more. Port 443 is not blocked in the
> bridge's firewalls.
> 
> A bit of research revealed that apparently, an automatic update set the systemd
> setting "NoNewPrivileges=no" in /lib/systemd/system/tor@default.service and
> tor@.service [1] back to yes, which caused the above issue. After setting it
> back and restarting, everything works fine now and instead of the warning
> messages mentioned above, the following message appears in the log again:
> 
> <timestamp> [notice] Registered server transport 'obfs4' at '[::]:443'

There's a better way to set `NoNewPrivileges=no` that will not get
overwritten in an upgrade. Use a systemd override:
https://bugs.torproject.org/tpo/core/tor/18356#note_2439960

```
systemctl edit tor@.service tor@default.service
```

Enter this text in both editors that appear:

```
[Service]
NoNewPrivileges=no
```

Then run

```
service tor restart
```

This will create files /etc/systemd/system/tor@.service.d/override.conf
and /etc/systemd/system/tor@default.service.d/override.conf that will
not be overwritten in an upgrade.
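
The override procedure above, as an added example that is not part of the original message: a sketch that writes the same drop-in non-interactively and checks which `NoNewPrivileges` value wins after the packaged unit is rewritten. The function names and the `ROOT` prefix argument are hypothetical, the unit contents are constructed, and the lookup is a simplified model that reads only the packaged unit under /lib and the drop-ins under /etc.

```shell
#!/bin/sh
# Added example. ROOT is a filesystem prefix ("/" on a real host, a scratch
# directory in the demo below); both function names are hypothetical.

# Create the drop-in that `systemctl edit UNIT` would write.
# On a live system follow this with `systemctl daemon-reload`.
write_override() {
    dir="$1/etc/systemd/system/$2.d"
    mkdir -p "$dir" && printf '[Service]\nNoNewPrivileges=no\n' > "$dir/override.conf"
}

# Print the NoNewPrivileges value that wins for UNIT: the packaged unit is read
# first, then its drop-ins in lexical order, and the last assignment wins.
# Simplified model: only /lib and /etc are consulted.
effective_nnp() {
    val=unset
    for f in "$1/lib/systemd/system/$2" "$1/etc/systemd/system/$2.d"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; fi
    done
    printf '%s\n' "$val"
}

# Constructed demo: a packaged unit that ships NoNewPrivileges=yes, as after the upgrade.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/lib/systemd/system"
    printf '[Service]\nNoNewPrivileges=yes\n' > "$root/lib/systemd/system/tor@default.service"
    before=$(effective_nnp "$root" tor@default.service)
    write_override "$root" tor@default.service
    # Simulate a later package upgrade rewriting the packaged unit.
    printf '[Service]\nNoNewPrivileges=yes\n' > "$root/lib/systemd/system/tor@default.service"
    after=$(effective_nnp "$root" tor@default.service)
    rm -rf "$root"
    printf '%s %s\n' "$before" "$after"
}
demo   # prints: yes no
```

On a real host, `systemctl show -p NoNewPrivileges --value tor@default.service` reports the value systemd actually applied.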

