[tor-bugs] #18356 [Core Tor/Tor]: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Feb 10 18:39:48 UTC 2020
#18356: obfs4proxy cannot bind to <1024 port with systemd hardened service unit
-------------------------------------------------+-------------------------
Reporter: irregulator                            | Owner: asn
Type: defect                                     | Status: new
Priority: Low                                    | Milestone: Tor: unspecified
Component: Core Tor/Tor                          | Version: Tor: 0.2.7.4-rc
Severity: Normal                                 | Resolution:
Keywords: obfs4proxy, systemd, jessie, tor-pt    | Actual Points:
Parent ID:                                       | Points: 15
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by phw):
I recently had a chat with weasel about the same topic. He would be happy
to mention the above in README.Debian if we can provide a patch. Weasel
also finds setcap scary and considers a NAT/firewall rule from a low to a
high port more reasonable. The problem is that `ServerTransportListenAddr`
has no equivalent for `ORPort`'s `NoListen` directive, and is generally
[https://trac.torproject.org/projects/tor/ticket/29285#comment:5 due for
an overhaul].

[https://community.torproject.org/relay/setup/bridge/ Our bridge setup
guides] still advise to overwrite the original systemd config file, which
is bad because it gets overwritten when the obfs4proxy package is updated.
In fact, I think we are having the same problem with the obfs4proxy
binary, which may lose its `CAP_NET_BIND_SERVICE` capability once the
package is updated and the file overwritten. We should fix this.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18356#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
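
An added example, not part of the ticket comment or of Tor's packaging: a POSIX shell check that a binary still carries `cap_net_bind_service`, for the case the comment describes where a package update overwrites the file and the capability set with setcap is lost. The binary path is passed as an argument, the function names are hypothetical, and both `getcap` output styles (older and newer libcap) are accepted.

```shell
#!/bin/sh
# Added example (not from the ticket): check that a binary still has the
# cap_net_bind_service file capability, e.g. after a package upgrade has
# replaced the file and with it the capability set by setcap.
# Usage: sh check-bind-cap.sh /path/to/binary

# has_bind_cap LINE
# LINE is one line of getcap output. Older libcap prints
#   PATH = cap_net_bind_service+ep
# newer libcap prints
#   PATH cap_net_bind_service=ep
# Succeeds only if cap_net_bind_service is listed with both the effective
# (e) and permitted (p) flags. Assumes PATH contains no whitespace.
has_bind_cap() {
    set -f                      # no globbing while the line is word-split
    set -- $1
    set +f
    [ $# -gt 0 ] || return 1    # empty output: no file capabilities at all
    shift                       # drop the path
    for clause in "$@"; do
        names=${clause%%[+=]*}  # comma-separated capability names
        flags=${clause#*[+=]}   # flag letters after the operator
        case ",$names," in
            *,cap_net_bind_service,*) ;;
            *) continue ;;
        esac
        case $flags in
            *e*p*) return 0 ;;
        esac
    done
    return 1
}

# check_bind_cap PATH: run getcap on PATH and report the result.
check_bind_cap() {
    line=$(getcap "$1" 2>/dev/null) || line=
    if has_bind_cap "$line"; then
        echo "OK: $1 has cap_net_bind_service"
    else
        echo "WARN: $1 has no effective cap_net_bind_service" >&2
        return 1
    fi
}

# Only run the check when a path is given on the command line.
if [ $# -gt 0 ]; then
    check_bind_cap "$1"
fi
```

Run from a post-upgrade hook or a monitoring job, a non-zero exit status signals that the capability has to be reapplied before the transport can bind its low port again.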