Linux Mint multiple sessions

[pwn0r]

Hello,

as good this app is, the documentation is lacking.

Took a while to install on Linux Mint 20, luckily someone provided a working solution in the issues. but that is besides the point, the problem is as follows:

I switched opensnitch into using TCP socket, so in theory it should be accessible from anywhere. However I cannot access it even locally but from another cinnamon session. This particular installation is actually a VM and I access it via XRDP.

Due to various issues it is not reliable to use the same session for both console and xrdp access (for instance ubuntu gnome definitely has problems there) so instead xrdp actually creates a session when logging for the first time.

Strangely it seems you can use opensnitchUI only in one session. If you start onepsnitchUI in console session and then login remotely to a new session, then onensnithUI does not connect to the service. Still, if you dont create a console session and login remotely as an exclusive cinnamon session then everything is good and opensnitch UI works as expected.

Suggestions?

[gustavo-iniguez-goya]

thank you for the report @pwn0r !

I haven't tested this scenario, so I have no idea what can be wrong. Could you enable DEBUG log level in the daemon, launch the UI from a terminal, and post the logs?

[gustavo-iniguez-goya]

Took a while to install on Linux Mint 20,

By the way, I don't know what problems you ran into, but I've just installed it on a fresh Mint 20.1 installation with the one-liner + answering yes to the dialog box to install dependencies. No errors at all. If you can reproduce the issue post any errors you have installing it please, so we can improve the user experience (ideally, I'd prefer Mint to packaged it for their distro O:) ).

[gustavo-iniguez-goya]

Ok, I've setup this scenario and performed some tests.

One thing to note, is that the GUI acts as a server, and it can accept n nodes. But if you have 1 node, you can't connect it to multiple GUIs (i.e.: servers).

Strangely it seems you can use opensnitchUI only in one session.

Yes, that's because the reason explained above.

If you start onepsnitchUI in console session and then login remotely to a new session, then onensnithUI does not connect to the service.

Correct, for the very same reason than above. In fact, if you have it running on one session and you launch from another one, the already running instance is closed.

[pwn0r]

Took a while to install on Linux Mint 20,

By the way, I don't know what problems you ran into, but I've just installed it on a fresh Mint 20.1 installation with the one-liner + answering yes to the dialog box to install dependencies. No errors at all. If you can reproduce the issue post any errors you have installing it please, so we can improve the user experience (ideally, I'd prefer Mint to packaged it for their distro O:) ).

regarding installation. Your wiki suggests

apt-get install g++ python3-dev python3-wheel python3-slugif

which is not working for linux mint 20, so it needs to be updated i think.

https://github.com/gustavo-iniguez-goya/opensnitch/issues/16 (im still confused which github I need to use for issues etc?) suggested the solution which worked. specifically this works: https://github.com/gustavo-iniguez-goya/opensnitch/issues/16#issuecomment-730129998

I remember for certain e.g. libnetfilter-queue1 missing after I install as suggested in the wiki.

And yes, after that typical linux one-liner :P you can install even from deb packages and it works.

[raboof]

im still confused which github I need to use for issues etc

The README at https://github.com/gustavo-iniguez-goya/opensnitch#readme points here. Perhaps we should 'archive' that one to make that more clear?

specifically this works: gustavo-iniguez-goya#16 (comment)

I remember for certain e.g. libnetfilter-queue1 missing after I install as suggested in the wiki.

Thanks for testing!

[gustavo-iniguez-goya]

@pwn0r thank you for the feedback. I'll review the wiki . The issues on LinuxMint were mainly on 19.x.

I remember for certain e.g. libnetfilter-queue1 missing after I install as suggested in the wiki.

with the one-liner command apt-get -f should resolve that dependency.

which is not working for linux mint 20, so it needs to be updated i think.

Would you mind please to post the errors you get when trying to install it? It's just to understand what's going on. mint's apt command differs from debian's, use apt-get instead.

[olosegres]

One thing to note, is that the GUI acts as a server, and it can accept n nodes. But if you have 1 node, you can't connect it to multiple GUIs (i.e.: servers).

May be it will be reasonable to move server into daemon, so multiple ui instances will be able to connect to it... Actually this seems to be an a point of issue problem.

I have similar problem, need to share pc with another person, using multiple user accounts to separate and save workspaces state. And need to run few ui instances from different users at the same time, but cant :(

Log from second ui instance (ubuntu 20.04 gnome):

E0419 02:23:49.587742500    9336 server_chttp2.cc:50]        {"created":"@1618788229.587717692","description":"No address added out of total 1 resolved","file":"src/core/ext/transport/chttp2/server/chttp2_server.cc","file_line":873,"referenced_errors":[{"created":"@1618788229.587713903","description":"Unable to configure socket","fd":22,"file":"src/core/lib/iomgr/tcp_server_utils_posix_common.cc","file_line":214,"referenced_errors":[{"created":"@1618788229.587709228","description":"Address already in use","errno":98,"file":"src/core/lib/iomgr/tcp_server_utils_posix_common.cc","file_line":188,"os_error":"Address already in use","syscall":"bind"}]}]}
Traceback (most recent call last):
  File "/usr/bin/opensnitch-ui", line 69, in <module>
    server.add_insecure_port("unix:%s" % socket)
  File "/usr/local/lib/python3.8/dist-packages/grpc/_server.py", line 961, in add_insecure_port
    return _common.validate_port_binding_result(
  File "/usr/local/lib/python3.8/dist-packages/grpc/_common.py", line 166, in validate_port_binding_result
    raise RuntimeError(_ERROR_MESSAGE_PORT_BINDING_FAILED % address)
RuntimeError: Failed to bind to address unix:/tmp/osui.sock; set GRPC_VERBOSITY=debug environment variable to see detailed error message.

It would be very convenient to use such behavior.

Overall you are doing a great job, thank you!

[raboof]

May be it will be reasonable to move server into daemon, so multiple ui instances will be able to connect to it

I'm not sure about this: this would also make it easier for a malicious process to connect, give itself access to the network, do some networking, and clean up after itself. If we make this possible, at least it should be optional.

Failed to bind to address unix:/tmp/osui.sock

I'm not familiar with this part of the codebase, but perhaps using TCP instead of the unix domain socket would already allow this? https://github.com/evilsocket/opensnitch/wiki/Configurations

[gustavo-iniguez-goya]

May be it will be reasonable to move server into daemon, so multiple ui instances will be able to connect to it

That would change the current design, which I think is more common: managing n nodes from 1 server.

However, it's true that we could split the GUI into 2 components: daemon (aka the server) and UI (GUI, or TUI or a web interface). At the very least, that would allow us to view the events from multiple sessions. https://github.com/gustavo-iniguez-goya/opensnitch/commit/f1d406f19b75248702b1e8b5480c9b227c3d4de5

I have similar problem, need to share pc with another person, using multiple user accounts to separate and save workspaces state. And need to run few ui instances from different users at the same time, but cant :(

I'm curious, why do you need to run multiple ui instances at the same time? is it completely necessary? Could you explain your use case a little bit more? Maybe you could configure it to run only for one user that would act as the admin (by removing /home/$user/.config/autostart/opensnitch_ui.desktop for the rest of the users), and configure the needed rules for the all the users.

[olosegres]

@gustavo-iniguez-goya

I need to keep intact my workspace with all running applications, while computer using by another person. Separation of workspaces is very convenient for this purpose. But that person sometimes is uncomfortable with applications that starting first time and can't get access to internet (may be it is even good for sequrity, but it would be more convenient to have such an opportunity).

[gustavo-iniguez-goya]

I see, I guess that you have installed opensnitch recently. Once you configure the rules for your environment, you shouldn't notice that it's running. In the case of installing a new app, just create a rule allowing it, monitor it for some time, and decide how to restrict/allow it.