Skip to content
GitLab
Closed (moved) (moved)
Issue created by Trac@tracbot

obfs4proxy cannot bind to <1024 port with systemd hardened service unit

Hi,

I was running an obfs4proxy Debian Wheezy bridge with such configuration in torrc:

ServerTransportListenAddr obfs4 0.0.0.0:443

When I dist-upgraded to Debian Jessie, obfs4proxy could not bind to :443 any more, while tor logs had such messages:

Feb 21 22:51:09.000 [warn] Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)
Feb 21 22:51:09.000 [warn] Managed proxy at '/usr/bin/obfs4proxy' failed the configuration protocol and will be destroyed.

Mind that I have already set the appropriate capability to the obfs4proxy binary:

getcap /usr/bin/obfs4proxy                
/usr/bin/obfs4proxy = cap_net_bind_service+ep

I took some time moving things around and I think the problem resides on the systemd service unit: https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in and specifically the option introduced in b4170421cc58d8c57254f4224ba259e817f48869 .

NoNewPrivileges=yes

I assume so because flipping 'NoNewPrivileges=no' results in obfs4proxy binding to 443. Also, 'PR_SET_NO_NEW_PRIVS' section in 'man 2 prctl' implies so:

PR_SET_NO_NEW_PRIVS (since Linux 3.5)
              Set  the  calling  process's  no_new_privs  bit to the value in arg2.  With
              no_new_privs set to 1, execve(2) promises not to  grant  privileges  to  do
              anything  that  could  not  have  been done without the execve(2) call (for
              example, rendering the set-user-ID and set-group-ID  permission  bits,  and
              file  capabilities  non-functional).   Once  set, this bit cannot be unset.
              The setting of this bit is inherited by children  created  by  fork(2)  and
              clone(2), and preserved across execve(2).

              For   more   information,   see   the   kernel   source   file   Documenta‐
              tion/prctl/no_new_privs.txt.

I understand that 'NoNewPrivileges=no' is a system security drawback but I also consider a regression to not be able to bind obfs4proxy to ports <1024. Could we find a middle ground?

If that helps, I'm running:

tor: 0.2.7.6-1~d80.jessie+1                                                         
deb.torproject.org/torproject.org/ jessie/main amd64 Packages 

obfs4proxy: 0.0.4-1~tpo1
deb.torproject.org/torproject.org/ obfs4proxy/main amd64 Packages

Also:

cat /etc/debian_version 
8.3
cat /proc/version 
Linux version 3.16.0-4-amd64 (debian-kernel@lists.debian.org) (gcc version 4.8.4 (Debian 4.8.4-1) ) #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17)

Thanks for your work.

Trac:
Username: irregulator

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information