Sandbox causes crash when creating a hidden service through the control port
I'm trying to squash a bug with running OnionShare in Tails and I've narrowed it down to a bug in the Tor server in sandbox mode. Here's the related OnionShare issue: https://github.com/micahflee/onionshare/issues/179
Here's a simple script that creates a hidden service using the Tor control port, with stem and flask:
import os
from stem.control import Controller
from flask import Flask
def main():
# set up flask
app = Flask("example")
@app.route('/')
def index():
return "<h1>Testing Tor sandbox!</h1>"
# set up hidden service
controller = Controller.from_port()
controller.authenticate()
hs_dir = '/tmp/bugtest'
print "Creating our hidden service in %s" % hs_dir
controller.set_options([
('HiddenServiceDir', hs_dir),
('HiddenServicePort', '80 127.0.0.1:5000')
])
onion = open(hs_dir + "/hostname", "r").read().strip()
print 'Running on {0}'.format(onion)
# start web app
app.run(port=5000)
if __name__ == '__main__':
main()(Note that you need to manually delete /tmp/bugtest before running this script a second time.)
If you set "Sandbox 0" in torrc and run this script, it works great, and the output looks like this:
user@dev:~/code/tor-sandbox-hs-bug$ sudo python tor-sandbox-hs-bug.py
Creating our hidden service in /tmp/bugtest
Running on 3ekculjvzye6zr6s.onion
* Running on http://127.0.0.1:5000/
127.0.0.1 - - [18/May/2015 15:37:56] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [18/May/2015 15:37:59] "GET /favicon.ico HTTP/1.1" 404 -But if you set "Sandbox 1" in torrc and run the same script again, the script throws an exception and tor crashes:
user@dev:~/code/tor-sandbox-hs-bug$ sudo python tor-sandbox-hs-bug.py
Creating our hidden service in /tmp/bugtest
Traceback (most recent call last):
File "tor-sandbox-hs-bug.py", line 32, in <module>
main()
File "tor-sandbox-hs-bug.py", line 22, in main
('HiddenServicePort', '80 127.0.0.1:5000')
File "/usr/lib/python2.7/dist-packages/stem/control.py", line 1859, in set_options
response = self.msg(query)
File "/usr/lib/python2.7/dist-packages/stem/control.py", line 469, in msg
raise exc
stem.SocketClosed: Received empty socket content.Here's what ends up in the tor log:
May 18 15:38:48.000 [notice] New control connection opened from 127.0.0.1.
May 18 15:38:48.000 [notice] Tor 0.2.5.12 (git-3731dd5c3071dcba) opening log file.
May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /tmp/bugtest
May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /tmp/bugtest/private_key
May 18 15:38:48.000 [warn] sandbox_intern_string(): Bug: No interned sandbox parameter found for /tmp/bugtest/private_key.tmp
============================================================ T= 1431988728
(Sandbox) Caught a bad syscall attempt (syscall open)
/usr/bin/tor(+0x128176)[0x7f1391729176]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f13901fa1d0]
/lib/x86_64-linux-gnu/libpthread.so.0(open64+0x10)[0x7f13901fa1d0]
/usr/bin/tor(tor_open_cloexec+0x40)[0x7f1391715380]
/usr/bin/tor(start_writing_to_file+0xf2)[0x7f1391724182]
/usr/bin/tor(+0x1232eb)[0x7f13917242eb]
/usr/bin/tor(+0x123438)[0x7f1391724438]
/usr/bin/tor(crypto_pk_write_private_key_to_filename+0xcb)[0x7f1391731b6b]
/usr/bin/tor(init_key_from_file+0x172)[0x7f1391668302]
/usr/bin/tor(+0x5a36e)[0x7f139165b36e]
/usr/bin/tor(rend_service_load_all_keys+0x81)[0x7f139165d451]
/usr/bin/tor(set_options+0xc5f)[0x7f13916bff5f]
/usr/bin/tor(options_trial_assign+0xbb)[0x7f13916c14fb]
/usr/bin/tor(+0xdbe2e)[0x7f13916dce2e]
/usr/bin/tor(connection_control_process_inbuf+0x776)[0x7f13916e1056]
/usr/bin/tor(+0xcbd95)[0x7f13916ccd95]
/usr/bin/tor(+0x34a21)[0x7f1391635a21]
/usr/lib/x86_64-linux-gnu/libevent-2.0.so.5(event_base_loop+0x7fc)[0x7f1390c8a3dc]
/usr/bin/tor(do_main_loop+0x194)[0x7f1391637204]
/usr/bin/tor(tor_main+0x1705)[0x7f139163a035]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7f138fc5fb45]
/usr/bin/tor(+0x3279b)[0x7f139163379b]