
warning: process /usr/lib/postfix/sbin/smtp_tor pid 197606 exit status 134 #38

Closed
keyandthegate opened this issue Jun 30, 2022 · 9 comments

Comments

@keyandthegate

keyandthegate commented Jun 30, 2022

I can't get this to work for postfix. All I see in the log is:

postfix/master[197567]: warning: process /usr/lib/postfix/sbin/smtp_tor pid 197606 exit status 134
postfix/master[197567]: warning: /usr/lib/postfix/sbin/smtp_tor: bad command startup -- throttling

I've found one person who seems to have had a similar problem: https://endchan.net/os/res/2.html#240

Is this still working for anyone else?

I ran strace and got:

1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
...
Assertion 'fclose_nointr(f) != -EBADF' failed at src/basic/fd-util.c:126, function safe_fclose(). Aborting.
Aborted (core dumped)
@keyandthegate
Author

It looks like maybe I need to upgrade to torsocks version 2.4.0 to get this fix:
https://gitlab.torproject.org/tpo/core/torsocks/-/issues/29659

@keyandthegate
Author

I also needed -o inet_protocols=ipv4 or torsocks would reject the call to socket(..) by smtp.

@keyandthegate
Author

keyandthegate commented Jul 1, 2022

Sending onion mail seems unusable (randomly stops working) due to torsocks abandonment of ipv6 support:
https://bugs.launchpad.net/ubuntu/+source/torsocks/+bug/1975416

Edit: No longer sure. I might update this when I get more info.

@duritong
Contributor

duritong commented Jul 3, 2022

Yeah, there is some random person going around multiple distros and claiming torsocks is abandonware (https://bugzilla.redhat.com/show_bug.cgi?id=2089005), but there is work on the way (e.g. https://gitlab.torproject.org/tpo/core/torsocks/-/issues/40009)

@keyandthegate
Author

keyandthegate commented Jul 5, 2022

I've been passing --ipv6 to torsocks 2.4.0 and I think that may have fixed my problem.

Now I'm trying to figure out why tor can't access a unix socket based on adding the tor user to a group.
It looks like maybe the fact the tor process sets its group with setgid (See the torrc "User" setting, and the fact it starts as the root user at first) means it doesn't set supplementary groups? idk. But I can access it with sudo -u _tor-myuser and tor can't access it without global read permissions. And when I ps -o gid,rgid,supgid $tor_process_id it's missing the supplementary group I added, even though that's present if I check the supgid for my sudo -u process.

I asked on stackexchange:
https://tor.stackexchange.com/questions/23225/tor-cant-read-hiddenserviceport-unix-socket-through-group-permissions-when-star.

@keyandthegate
Author

keyandthegate commented Jul 6, 2022

I got an answer on tor irc:

    <ketyn> Is it intended that tor doesn't set supplementary groups when starting as root and then doing setgid? This describes my issue: https://tor.stackexchange.com/questions/23225/tor-cant-read-hiddenserviceport-unix-socket-through-group-permissions-when-star
    <ketyn> I see many threads on the internet of people claiming that tor unix socket permissions aren't working for them and while sometimes it turns out to be apparmor/SELinux, I think this might be biting other people too
    <ketyn> I think significant numbers of people might just be giving up and making their unix socket globally readable, or switching to numbered port based sockets rather than unix domain sockets.
    <arma> ketyn: we had a series of security surprises in the past with how we did groups and dropping privs,
    <arma> and we settled on what we do now as the safest option
    <ketyn> Alright, I guess I'll need to either make the sockets tor listens to owned by the tor user, or use socat to forward. Maybe there's a documentation fix to apply here though.
    <ketyn> tor forwards to*
    <bentham> ketyn: What are you doing that would make that necessary?
    <bentham> Is the default not working for you for some reason?
    <bentham> Also, which socket(s) is(are) causing issues for you?  Is it something in /run/tor?
    <ketyn> I want to make a tor hidden service listening to port 25, connected to a socket at /var/spool/postfix-test/public/smtpd owned by the user postfix-queue
    <ketyn> According to postfix, I'm then supposed to add whatever user I want to read to that socket to the group postfix-queue
    <arma> ketyn: hmmm
    <arma> for the control socket see the GroupWritable flags
    <arma> ControlSocket /run/tor/control GroupWritable RelaxDirModeCheck
    <arma> ControlSocketsGroupWritable 1
    <arma> this is how you can add your username to the tor group and then have permissions to connect with a controller
    <ketyn> This is not a control socket. This is a hidden service. e.g. HiddenServicePort 25 unix:/var/spool/postfix-test/public/smtpd
    <arma> i don't think anybody has built something similar for the onion service lines
    <arma> but i think that tor is not dropping the groups, it simply is not letting you use the group permission there
    <ketyn> I want to be able to receive email over a hidden service. Like in https://github.com/ehloonion/onionmx
    <ketyn> > <arma> but i think that tor is not dropping the groups, it simply is not letting you use the group permission there
    <ketyn> Huh, ok.
    <arma> i say that because being in the group, for the control port, does work
    <arma> so it's not like the group got dropped
    <arma> check out the UnixSocksGroupWritable config option
    <arma> maybe it will help what you want
    <bentham> ketyn: Out of curiosity, why is your smtpd listening on a socket rather than, say, 127.0.0.1:25?
    <arma> looks like no, it won't do what you want, because UnixSocksGroupWritable doesn't apply to hiddenservice lines
    <ketyn> bentham: Because it seems more secure and means I don't have to worry about port conflicts or firewalls, and deploy this setup to computers I don't have full control over.
    <ketyn> Here's another good reason I saw: https://github.com/freedomofpress/securedrop/issues/1261
    <ketyn> "because applications sometimes (fairly) assume that localhost has a different threat model than an externally exposed service. Most recently, this common configuration lead to some hidden services exposing sensitive information through the Apache mod_status module"
    ...
    <arma> actually arma said "just barely possible that the network team would take a good patch"
    <arma> not quite the same as "probably not take"
    <arma> but yes, more generally, there is vast confusion about what permissions are *supposed* to be, what groups happen by default in debian/ubuntu, what the SELinux and Apparmor policies do, etc
    <arma> i think most people are probably doing it wrong but i don't even know what right is
    <arma> i end up putting all my onion service directories in /tmp/ so they work, and that cannot at all be right

So I'll probably use socat to forward to the smtpd socket, from a socket owned by the tor user.
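
The forwarding arrangement this comment settles on, as an added example that is not part of the original issue or of the onionmx project: a small Python bridge that listens on a unix socket of its own (the path a HiddenServicePort line would point at) and relays each connection to the postfix smtpd socket, which is what the socat one-liner does. It assumes the bridge is started as the tor user by something that initialises supplementary groups (sudo -u, or a systemd unit with User=), so the bridge process reaches the postfix-queue-group socket while tor itself only needs owner access to the bridge socket. The socket paths, the echo backend standing in for smtpd and the test message are constructed for the demo.

```python
import os
import socket
import stat
import tempfile
import threading

BUFSIZE = 65536


def _pump(src, dst):
    """Relay bytes src -> dst until EOF, then half-close dst so the far side
    sees end-of-stream (socat does the same for each direction)."""
    try:
        while True:
            data = src.recv(BUFSIZE)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge_connection(client, backend_path):
    """Connect one accepted client to the backend socket and relay both ways."""
    backend = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        backend.connect(backend_path)
    except OSError:
        client.close()  # backend gone: drop the client rather than hang it
        return
    threads = [threading.Thread(target=_pump, args=(client, backend), daemon=True),
               threading.Thread(target=_pump, args=(backend, client), daemon=True)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    backend.close()


class UnixBridge:
    """Listen on listen_path (0600, owned by whoever runs this) and forward
    every connection to backend_path. Equivalent socat invocation, run as
    the tor user (assumed path for the listen socket):
      socat UNIX-LISTEN:/run/tor-smtpd.sock,fork,mode=600,unlink-early \
            UNIX-CONNECT:/var/spool/postfix-test/public/smtpd"""

    def __init__(self, listen_path, backend_path):
        self.listen_path = listen_path
        self.backend_path = backend_path
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self):
        if os.path.exists(self.listen_path):
            os.unlink(self.listen_path)  # stale socket from a previous run
        self._sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old_umask = os.umask(0o177)  # no group/world bits, not even briefly
        try:
            self._sock.bind(self.listen_path)
        finally:
            os.umask(old_umask)
        os.chmod(self.listen_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600: owner only
        self._sock.listen(16)
        self._sock.settimeout(0.2)  # lets the accept loop notice stop()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                client, _ = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=bridge_connection,
                             args=(client, self.backend_path), daemon=True).start()

    def stop(self):
        self._stop.set()
        if self._thread is not None:
            self._thread.join()
        if self._sock is not None:
            self._sock.close()
        if os.path.exists(self.listen_path):
            os.unlink(self.listen_path)


def start_echo_backend(path):
    """Constructed stand-in for the postfix smtpd socket: answers each
    connection with b'echo: ' + the first chunk received. Returns a stopper."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(4)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                data = conn.recv(BUFSIZE)
                if data:
                    conn.sendall(b"echo: " + data)
        srv.close()

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()

    def stopper():
        stop.set()
        thread.join()

    return stopper


def demo(message=b"EHLO onion.example\r\n"):
    """Run backend and bridge in a temp dir, push one message through the
    bridge, and return (reply, permission bits of the bridge socket)."""
    with tempfile.TemporaryDirectory() as d:
        smtpd_path = os.path.join(d, "smtpd")       # stands in for .../public/smtpd
        bridge_path = os.path.join(d, "tor-smtpd")  # what HiddenServicePort would name
        stop_backend = start_echo_backend(smtpd_path)
        bridge = UnixBridge(bridge_path, smtpd_path)
        bridge.start()
        try:
            mode = stat.S_IMODE(os.stat(bridge_path).st_mode)
            client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            client.connect(bridge_path)
            client.sendall(message)
            client.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                data = client.recv(BUFSIZE)
                if not data:
                    break
                chunks.append(data)
            client.close()
            return b"".join(chunks), mode
        finally:
            bridge.stop()
            stop_backend()
```

With the bridge in place the torrc line names the bridge socket rather than the postfix one (the page's syntax, path assumed): `HiddenServicePort 25 unix:/run/tor-smtpd.sock`. Because the socket is 0600 and owned by the tor user, tor connects as owner and the supplementary-group question never arises; the postfix side keeps its postfix-queue group permissions and is only ever touched by the bridge process.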

@keyandthegate
Author

This is working for me now. I think this should be left open until torsocks 2.4.0 is released and then closed.

@duritong
Contributor

duritong commented Jul 9, 2022

torsocks 2.4.0 was released a while ago: https://gitlab.torproject.org/tpo/core/torsocks/-/releases/v2.4.0

@keyandthegate
Author

Oops. Closed then.
