Discussion:
[tor-dev] permission denied when running snowflake-client with debian-tor user
iry
2018-06-11 11:35:00 UTC
Dear Tor developers,

I met a problem when trying to use the snowflake-client binary
extracted from TBB 8.0a8 with the system Tor.

Specifically, it seems snowflake-client cannot be run by debian-tor
user, regardless of the permissions it is given.

I am posting the full steps below. A better formatted version of it
can be found here:
http://forums.whonix.org/t/replacing-meek-snowflake/5190/18
Jun 4 06:17 snowflake-client
--- Starting Snowflake Client ---
2018/06/04 06:18:21 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:18:21 Waiting for a "signal" pipe...
^C
We now change the permission to make it executable by user
06:18:43
--- Starting Snowflake Client ---
2018/06/04 06:18:43 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:18:43 Waiting for a "signal" pipe...
2018/06/04 06:18:43 open signal: permission denied
debian-tor 14160744 Jun 4 06:17 snowflake-client
06:19:15
--- Starting Snowflake Client ---
2018/06/04 06:19:15 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:19:15 Waiting for a "signal" pipe...
2018/06/04 06:19:15 open signal: permission denied
--- Starting Snowflake Client ---
2018/06/04 06:19:22 No HTTP signaling detected. Using manual copy-paste signaling.
2018/06/04 06:19:22 Waiting for a "signal" pipe...
^C
I didn't find any special requirement for the user who runs
snowflake-client from the documentation, so it would be extremely
helpful and appreciated if you could share some insights on this
problem. :)

Best Regards,
iry
Arlo Breault
2018-06-11 17:24:19 UTC
When you launch the client binary without providing a broker url
it tries to create a named pipe (mkfifo) to do signalling.

https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go#n161

Try providing a -url as in,
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/torrc
Yawning Angel
2018-06-11 19:30:31 UTC
On Mon, 11 Jun 2018 13:24:19 -0400
Post by Arlo Breault
When you launch the client binary without providing a broker url
it tries to create a named pipe (mkfifo) to do signalling.
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go#n161
The PT spec explicitly forbids this behavior, to avoid this problem.

https://gitweb.torproject.org/torspec.git/tree/pt-spec.txt#n188
"TOR_PT_STATE_LOCATION"
Specifies an absolute path to a directory where the PT is
allowed to store state that will be persisted across
invocations. The directory is not required to exist when
the PT is launched, however PT implementations SHOULD be
able to create it as required.
PTs MUST only store files in the path provided, and MUST NOT
create or modify files elsewhere on the system.
TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/
Regards,
--
Yawning Angel
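
The rule quoted above, as an added Go example that is not part of the thread and is not snowflake's own code: a pluggable transport that needs a named pipe creates it inside TOR_PT_STATE_LOCATION instead of the current working directory, so it does not depend on whether the launching user (debian-tor here) can write to wherever the binary was started. The function name pipeInStateDir and the 0700/0600 modes are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// pipeInStateDir (hypothetical helper) creates a FIFO called name inside
// the directory given by TOR_PT_STATE_LOCATION and returns its full path.
func pipeInStateDir(name string) (string, error) {
	dir := os.Getenv("TOR_PT_STATE_LOCATION")
	if dir == "" || !filepath.IsAbs(dir) {
		return "", errors.New("TOR_PT_STATE_LOCATION must be an absolute path")
	}
	// Accept a bare file name only, so nothing is created outside dir.
	if name == "." || name == ".." || name != filepath.Base(name) {
		return "", fmt.Errorf("invalid pipe name %q", name)
	}
	// pt-spec: the directory is not required to exist at launch.
	if err := os.MkdirAll(dir, 0700); err != nil {
		return "", fmt.Errorf("create state dir: %w", err)
	}
	path := filepath.Join(dir, name)
	if err := syscall.Mkfifo(path, 0600); err != nil && !errors.Is(err, syscall.EEXIST) {
		return "", fmt.Errorf("mkfifo %s: %w", path, err)
	}
	// A leftover path from an earlier run is reused only if it is a FIFO.
	fi, err := os.Lstat(path)
	if err != nil {
		return "", err
	}
	if fi.Mode()&os.ModeNamedPipe == 0 {
		return "", fmt.Errorf("%s exists and is not a named pipe", path)
	}
	return path, nil
}

func main() {
	path, err := pipeInStateDir("signal")
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("signal pipe at", path)
}
```
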
David Fifield
2018-06-11 19:59:17 UTC
Post by Yawning Angel
On Mon, 11 Jun 2018 13:24:19 -0400
Post by Arlo Breault
When you launch the client binary without providing a broker url
it tries to create a named pipe (mkfifo) to do signalling.
https://gitweb.torproject.org/pluggable-transports/snowflake.git/tree/client/rendezvous.go#n161
The PT spec explicitly forbids this behavior, to avoid this problem.
It's just a vestige of some early debugging code, don't worry about it.
Before we had the broker and everything, you had to manually copy and
paste rendezvous messages.