
[prod] sd-whonix torrc created with invalid config. #491

Closed
zenmonkeykstop opened this issue Mar 10, 2020 · 10 comments

@zenmonkeykstop
Contributor

zenmonkeykstop commented Mar 10, 2020

On a fresh 4.0.3 install, with an RPM built with the changes in #488, /etc/tor/torrc is created with two includes:

%include /etc/torrc.d/
%include /etc/torrc.d/95_whonix.conf

This results in the JI HidServAuth being included twice, which breaks Tor's config and prevents it from starting.

@zenmonkeykstop zenmonkeykstop changed the title [prod] sd-whonix torrc created with inconsistent config. [prod] sd-whonix torrc created with invalid config. Mar 10, 2020
@eloquence eloquence added the bug label Mar 10, 2020
@emkll
Contributor

emkll commented Mar 10, 2020

I can reproduce this issue on a clean install. After fully updating whonix-gw-15, I see those two lines in the torrc. However, after booting whonix-gw-15, shutting it down, and then rebooting sd-whonix, the issue is resolved.

@zenmonkeykstop
Contributor Author

Confirmed.

@conorsch
Contributor

There's upstream discussion of breakage in Onion Service support for Whonix on their forums. It appears there's already a fix underway, judging by Kicksecure/anon-connection-wizard@2e19758

Initially, I struggled to reproduce the failure described in the OP. During a quick pairing session with @emkll, we determined that v2 Onion Services show the breakage, whereas v3 do not. @zenmonkeykstop given your use of "HidServAuth" it looks like you're using v2, as well, but please do confirm for everyone's benefit.

Relatedly, @adrelanos was certainly correct that we'd do well to test upcoming Whonix changes in order to coordinate bugfixes (#451). 🙂

@zenmonkeykstop
Contributor Author

Confirmed that I was in v2 mode. That does look like the same error, so once it's fixed, if we're sure to update whonix-gw-15 before the install, we should be golden.

@emkll
Contributor

emkll commented Mar 10, 2020

In order to reliably reproduce, running sudo anon-connection-wizard in sd-whonix should revert /etc/tor/torrc to the state observed by @zenmonkeykstop, where v2 hidservauth will be defined twice due to two include directives.

One workaround I've tried using is /rw/config/rc.local to munge the torrc configuration:
49a64ab

However, whenever anon-connection-wizard is run, it will restore /etc/tor/torrc to the default value, and a reboot (or running of rc.local) is required. Perhaps we can set the script as a prerequisite to /usr/lib/systemd/system/tor.service, but this might be unnecessarily complex for a workaround, and we could just use tor v3 onion services in the interim.

@conorsch
Contributor

One workaround I've tried using is /rw/config/rc.local to munge the torrc configuration:

That seems to be our best bet as an immediate quickfix to unblock release QA. Commit's already appended to #489, so we can handle review over there.

It's also worth noting that since upstream's already aware of the issue, we can evaluate version 1:4.2-1 of the anon-connection-wizard package, which is already available via buster-proposed-updates in the Whonix apt repo. Near-term priorities aside, we should strongly consider configuring the proposed-updates channel for the "dev" scenario for the Workstation, so we can report problems like this before they are promoted to final release.

One major takeaway is that we're not testing nearly enough of the tor service config. Added some config tests specific to sd-whonix to https://github.com/freedomofpress/securedrop-workstation/tree/491-config-tests-for-whonix ; those can be cherry-picked into #489, will mention over there too.
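A check in the spirit of the config tests mentioned above, added here as an illustration and not taken from the securedrop-workstation repository: it expands a torrc by following %include directives and reports any HidServAuth line that ends up defined more than once, which is exactly what the two-include layout in the report produces. The include semantics (file spliced in place, directory contents in sorted order, missing path fatal) are assumed from Tor's documented behaviour, and the onion address and cookie are constructed placeholders.

```python
import os
import tempfile
from collections import Counter

def resolve_torrc(path):
    """Expand a torrc into its effective directive lines by following %include.
    Assumed Tor semantics: file spliced in place; directory gives each
    non-hidden regular file in sorted name order; a missing path is fatal."""
    lines = []
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if not line.startswith("%include"):
                lines.append(line)
                continue
            target = line.split(None, 1)[1].strip()
            if os.path.isdir(target):
                for name in sorted(os.listdir(target)):
                    full = os.path.join(target, name)
                    if not name.startswith(".") and os.path.isfile(full):
                        lines.extend(resolve_torrc(full))
            elif os.path.isfile(target):
                lines.extend(resolve_torrc(target))
            else:
                raise FileNotFoundError(target)
    return lines

def duplicate_directives(lines, directive="HidServAuth"):
    """Return the `directive` lines that survive expansion more than once."""
    counts = Counter(l for l in lines if l.split(None, 1)[0] == directive)
    return sorted(l for l, n in counts.items() if n > 1)

def check_layout(double_include):
    """Build the reported layout in a temp dir and run the check on it.
    Constructed sample: torrc.d/95_whonix.conf holds one placeholder v2
    client-auth line; the torrc includes the directory and, if requested,
    the same file a second time, as in the report."""
    with tempfile.TemporaryDirectory() as root:
        confdir = os.path.join(root, "torrc.d")
        os.makedirs(confdir)
        whonix = os.path.join(confdir, "95_whonix.conf")
        with open(whonix, "w") as fh:
            fh.write("HidServAuth exampleexampleex.onion PLACEHOLDERCOOKIE\n")
        torrc = os.path.join(root, "torrc")
        with open(torrc, "w") as fh:
            fh.write(f"%include {confdir}/\n")
            if double_include:
                fh.write(f"%include {whonix}\n")
        return duplicate_directives(resolve_torrc(torrc))
```

Pointing resolve_torrc at a real /etc/tor/torrc gives the same duplicate report; an empty list means the include layout is clean for that directive.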

@adrelanos
Contributor

These fixes were migrated to Whonix stable repository just now.

And in the recently released Qubes-Whonix testers-only release which will hopefully become a stable point release this is fixed as well.

https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-testers-wanted/9093

Hope that helps.


(Just backporting anon-connection-wizard might not have fixed this issue since also package anon-gw-anonymizer-config was modified.)

@kushaldas
Contributor

Today I tested against qubes-template-whonix-ws-15-4.0.1-202003070901 and qubes-template-whonix-gw-15-4.0.1-202003070901, things are working on the upcoming rpm package from the templates-community-testing repo.

@conorsch
Contributor

Confirming resolved in the stable repos. Installed the prod environment on test hardware, specifically with a v2 Onion URL configured. Tor bootstrapped just fine, and was able to fetch submissions in the client.

Many thanks for the very quick resolution on this one, @adrelanos! We'll discuss using the testers-only Whonix repos as part of our dev env, so we're more likely to catch these types of problems early on.

@adrelanos
Contributor

Great!

Btw this is also fixed in this stable point release:

https://forums.whonix.org/t/qubes-whonix-15-templatevms-4-0-1-202003070901-point-release/9159
