Closed conorsch closed 8 years ago
It appears likely that Tor 0.2.8.6 changed the included AppArmor profile, which is causing this breakage. Others are reporting the same issue in the comments on the official release notes. Unfortunately there is no mention of changes to AppArmor in the release notes themselves, so I'm diffing the current and previous packages to try to find what changed.
Relevant syslog from AppArmor:
Aug 4 17:25:08 mon-staging kernel: [ 186.495333] audit: type=1400 audit(1470331508.136:26): apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/services/ssh/" pid=643 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=106
For those following along at home:
Ok, after discussing this issue with some Tor developers on IRC, here's what happened.
debian-tor
user.check_private_dir
function, which is used to check various things about the state of the filesystem while Tor is in the initial phase of running as root. This includes checking for the existence any hidden service directories specified in torrc.0.2.8.6-1~trusty+1
), the profile allowed debian-tor
to read any files under /var/lib/tor
. See https://gitweb.torproject.org/debian/tor.git/tree/debian/tor.apparmor-profile?id=debian-tor-0.2.8.6-1#n7, specifically the line: owner /var/lib/tor/** rwk
.
/var/lib/tor
.check_private_dir
, Tor also needs to be allowed to read files in subdirectories of /var/lib/tor
while it's running as root. However, the AppArmor rule in 0.2.8.6-1~trusty+1
only allowed this for owner
, aka the debian-tor
user.The simplest fix is to change the AppArmor profile to allow Tor to read all files under /var/lib/tor
, regardless of which user it's running as. This is implemented in 0.2.8.6-2 and documented in the changelog.
This fix has been tested in a SecureDrop staging environment and was confirmed to work there.
The updated packages for Ubuntu will become available on the Tor Project's Debian repository shortly (we'll post here when we've confirmed it's available). To fix this issue, you should install the updated Tor package, 0.2.8.6-2~trusty+1
, which includes the fixes to the AppArmor profiles.
For most people, the best move is to sit tight and wait for SecureDrop to automatically upgrade, which will happen for everybody within 24 hours of the updated Tor package's release. This should automatically fix the issue, and within minutes your hidden services will begin working again and your SecureDrop will be available again.
If you want to get your SecureDrop online ASAP, you will still need to wait for Tor to release the updated packages. Once they do, you can log in to the servers and manually run cron-apt
as root, which will trigger the same update as would have happened automatically, immediately. It is important to note that SecureDrop's SSH is only available as a Tor Hidden Service, so as a result of this issue with Tor, it is unavailable. Therefore, if you want to hasten the update by applying it manually, you will need console access to your SecureDrop servers.
Great write-up @garrettr, thanks for your hard work on this! And kudos to the Tor Project for their fast response time.
The updated package is live:
vagrant@app-staging:~$ apt-cache policy tor
tor:
Installed: 0.2.8.6-2~trusty+1
Candidate: 0.2.8.6-2~trusty+1
Version table:
*** 0.2.8.6-2~trusty+1 0
500 http://deb.torproject.org/torproject.org/ trusty/main amd64 Packages
100 /var/lib/dpkg/status
0.2.4.27-1build0.14.04.1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe amd64 Packages
500 http://security.ubuntu.com/ubuntu/ trusty-security/universe amd64 Packages
0.2.4.20-1 0
500 http://us.archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages
Hidden services are working normally again.
Instances are recovering well. If you run SecureDrop and are having trouble, contact us: http://securedrop-support.readthedocs.org/
The new version of tor, 0.2.8.6, causes hidden services to fail in SecureDrop. Release notes for 0.2.8.6 here.
This means that all SecureDrop instances are inaccessible. This includes Source Interface, Document Interface, and SSH access.
In a VM, the problem was simple to reproduce:
Investigating solutions now.