Extract VNC changes from Tor Browser functional test branch

[rmol]

Status

Ready for review

Description of Changes

These changes were cherry-picked from the tbb-0.12.0 branch. The VNC server used in the functional test container is switched to tightvncserver, and scripts are changed to ensure that it can be reached on both Mac and Linux developer machines.

Fixes #4287.

Testing

Run the functional tests with securedrop/bin/dev-shell bin/run-test -v tests/functional. In another local shell, run make -C securedrop func-vnc to verify that you can connect to the test container with VNC and watch the functional tests run.

Checklist

If you made non-trivial code changes:

• I have written a test plan and validated it for this PR

[codecov-io]

Codecov Report

Merging #4288 into develop will decrease coverage by 0.07%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           develop    #4288      +/-   ##
===========================================
- Coverage     84.7%   84.63%   -0.08%     
===========================================
  Files           43       43              
  Lines         2785     2785              
  Branches       304      304              
===========================================
- Hits          2359     2357       -2     
- Misses         358      359       +1     
- Partials        68       69       +1

Impacted Files	Coverage Δ
securedrop/securedrop/crypto_util.py	94.73% <0%> (-1.76%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b6aacf9...7960dbc. Read the comment docs.

[heartsucker]

Works on Debian 9. Letting others confirm on other OSes.

[kushaldas]

I would wait before merging this PR. Nothing looks wrong, but, while testing, I got the following buffer-overflow error.

*** buffer overflow detected ***: vncpasswd terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f82480fa7e5]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7f824819c15c]
/lib/x86_64-linux-gnu/libc.so.6(+0x117160)[0x7f824819a160]
vncpasswd[0x40112d]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f82480a3830]
vncpasswd[0x401379]
======= Memory map: ========
00400000-00404000 r-xp 00000000 fd:01 28520571                           /usr/bin/tightvncpasswd
00603000-00604000 r--p 00003000 fd:01 28520571                           /usr/bin/tightvncpasswd
00604000-00605000 rw-p 00004000 fd:01 28520571                           /usr/bin/tightvncpasswd
00baa000-00bcc000 rw-p 00000000 00:00 0                                  [heap]
7f8247e6d000-7f8247e83000 r-xp 00000000 fd:01 28341163                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8247e83000-7f8248082000 ---p 00016000 fd:01 28341163                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8248082000-7f8248083000 rw-p 00015000 fd:01 28341163                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f8248083000-7f8248243000 r-xp 00000000 fd:01 28767136                   /lib/x86_64-linux-gnu/libc-2.23.so
7f8248243000-7f8248443000 ---p 001c0000 fd:01 28767136                   /lib/x86_64-linux-gnu/libc-2.23.so
7f8248443000-7f8248447000 r--p 001c0000 fd:01 28767136                   /lib/x86_64-linux-gnu/libc-2.23.so
7f8248447000-7f8248449000 rw-p 001c4000 fd:01 28767136                   /lib/x86_64-linux-gnu/libc-2.23.so
7f8248449000-7f824844d000 rw-p 00000000 00:00 0 
7f824844d000-7f8248473000 r-xp 00000000 fd:01 28767125                   /lib/x86_64-linux-gnu/ld-2.23.so
7f8248665000-7f8248668000 rw-p 00000000 00:00 0 
7f8248671000-7f8248672000 rw-p 00000000 00:00 0 
7f8248672000-7f8248673000 r--p 00025000 fd:01 28767125                   /lib/x86_64-linux-gnu/ld-2.23.so
7f8248673000-7f8248674000 rw-p 00026000 fd:01 28767125                   /lib/x86_64-linux-gnu/ld-2.23.so
7f8248674000-7f8248675000 rw-p 00000000 00:00 0 
7fffa8f69000-7fffa8f8a000 rw-p 00000000 00:00 0                          [stack]
7fffa8fa6000-7fffa8fa9000 r--p 00000000 00:00 0                          [vvar]
7fffa8fa9000-7fffa8fab000 r-xp 00000000 00:00 0                          [vdso]
./bin/dev-deps: line 13:     7 Done                    echo "freedom"
         8 Aborted                 (core dumped) | vncpasswd -f > /tmp/vncpasswd
Retrying write of VNC credentials
      write static/css/journalist.css
      write static/css/journalist.css.map
      write static/css/source.css
      write static/css/source.css.map

[rmol]

@kushaldas Yes, vncpasswd can seg fault. I added a retry loop around it in securedrop/bin/dev-deps, but maybe we can take another look at the need for the passwd -- @zenmonkeykstop, what prompted that? Or, maybe there's another VNC server option -- again, I don't know the history for the switch from x11vnc.

[kushaldas]

Only segfault is different, and a buffer overflow is scary :)

[rmol]

In this case, I don't think it's that scary, as vncpasswd is running as an unprivileged user, invoked only by the run-test script. But if we want to eliminate the problem, we could:

• Revert to x11vnc (Maybe @msheiny could weigh in on the motivation for the switch?).
• Omit the authentication (though apparently it was necessary for Mac users, @zenmonkeykstop?).
• Create the password file another way. There's at least one Python implementation of the obfuscation used, which we could incorporate.

Open to suggestions. I'd probably pick the first option.

[rmol]

I've reverted to x11vnc from tightvncserver. The reasons for the switch have been lost to time, the tests work and are visible with x11vnc, and it does support the passwords required on Macs, so I'd rather switch back than have to maintain workarounds for tightvncserver bugs.

Works for me, @kushaldas and @heartsucker, please check again when you have time, and I'll find a Mac user to test there as well.

@rmol pushed updated changes as requested

[zenmonkeykstop]

Failing for me on Qubes in a debian-9-based standaloneVM - docker output includes the following:

(securedrop) user@sd-dev:~/securedrop/securedrop$ ./bin/dev-shell  bin/run-test -v tests/functional
Run with DOCKER_BUILD_VERBOSE=true for more information
Docker image build in progress  done !
stored passwd in file: /tmp/vncpasswd
03/04/2019 14:27:00 passing arg to libvncserver: -rfbauth
03/04/2019 14:27:00 passing arg to libvncserver: /tmp/vncpasswd
03/04/2019 14:27:00 passing arg to libvncserver: -rfbport
03/04/2019 14:27:00 passing arg to libvncserver: 5901
03/04/2019 14:27:00 x11vnc version: 0.9.13 lastmod: 2011-08-10  pid: 14
03/04/2019 14:27:00 XOpenDisplay(":1") failed.
03/04/2019 14:27:00 Trying again with XAUTHLOCALHOSTNAME=localhost ...

03/04/2019 14:27:00 ***************************************
03/04/2019 14:27:00 *** XOpenDisplay failed (:1)

*** x11vnc was unable to open the X DISPLAY: ":1", it cannot continue.
*** There may be "Xlib:" error messages above with details about the failure.

Some tips and guidelines:

** An X server (the one you wish to view) must be running before x11vnc is
   started: x11vnc does not start the X server.  (however, see the -create
   option if that is what you really want).

** You must use -display <disp>, -OR- set and export your $DISPLAY
   environment variable to refer to the display of the desired X server.
 - Usually the display is simply ":0" (in fact x11vnc uses this if you forget
   to specify it), but in some multi-user situations it could be ":1", ":2",
   or even ":137".  Ask your administrator or a guru if you are having
   difficulty determining what your X DISPLAY is.

** Next, you need to have sufficient permissions (Xauthority) 
   to connect to the X DISPLAY.   Here are some Tips:

 - Often, you just need to run x11vnc as the user logged into the X session.
   So make sure to be that user when you type x11vnc.
 - Being root is usually not enough because the incorrect MIT-MAGIC-COOKIE
   file may be accessed.  The cookie file contains the secret key that
   allows x11vnc to connect to the desired X DISPLAY.
 - You can explicitly indicate which MIT-MAGIC-COOKIE file should be used
   by the -auth option, e.g.:
       x11vnc -auth /home/someuser/.Xauthority -display :0
       x11vnc -auth /tmp/.gdmzndVlR -display :0
   you must have read permission for the auth file.
   See also '-auth guess' and '-findauth' discussed below.

** If NO ONE is logged into an X session yet, but there is a greeter login
   program like "gdm", "kdm", "xdm", or "dtlogin" running, you will need
   to find and use the raw display manager MIT-MAGIC-COOKIE file.
   Some examples for various display managers:

     gdm:     -auth /var/gdm/:0.Xauth
              -auth /var/lib/gdm/:0.Xauth
     kdm:     -auth /var/lib/kdm/A:0-crWk72
              -auth /var/run/xauth/A:0-crWk72
     xdm:     -auth /var/lib/xdm/authdir/authfiles/A:0-XQvaJk
     dtlogin: -auth /var/dt/A:0-UgaaXa

   Sometimes the command "ps wwwwaux | grep auth" can reveal the file location.

   Starting with x11vnc 0.9.9 you can have it try to guess by using:

              -auth guess

   (see also the x11vnc -findauth option.)

   Only root will have read permission for the file, and so x11vnc must be run
   as root (or copy it).  The random characters in the filenames will of course
   change and the directory the cookie file resides in is system dependent.

See also: http://www.karlrunge.com/x11vnc/faq.html
...

[rmol]

@zenmonkeykstop Yeah, I started running into this in the big all-tbb merge too. I think the problem is that Xvfb sometimes hasn't fully started by the time we start x11vnc. Reordering things in run-test seems to have fixed it, but I'm planning on doing something more reliable.

[zenmonkeykstop]

@rmol fair enough, like maybe a test for xvfb's availability with a couple of sleep/retries?

FWIW, same issue under OS X

[zenmonkeykstop]

Added a sleep 30 between the xvfb and x11vnc startups, which cleared the above error. So the x11vnc bit itself is fine, it just needs the aforementioned reliability fix.

[rmol]

I've added a wait for Xvfb to be fully available.

[zenmonkeykstop]

Confirmed that VNC working with no issues on both Qubes(debian-9) and OS X with this fix. LGTM!

[eloquence]

Real lint failure for a change:

In ./securedrop/bin/dev-deps line 9:
    for i in {1..10}
    ^-- SC2034: i appears unused. Verify it or export it.

[zenmonkeykstop]

VNC still working fine on Qubes(debian-9) and OS X with the shellcheck fix above. 👍 from me.

[emkll]

Thanks @rmol this looks great. Went through the test plan and all 21 tests have passed under Debian 9. Some tests fail under a grsec kernel, due to missing PaX flags. I suspect those were there before, and I don't think we should block merge on that.

[emkll]

this was a very helpful message :)

[emkll]

5901 is only exposed only to localhost 👍

[emkll]

👍

[emkll]

👍

[emkll]

Given VNC is exposed only to localhost and it's a dev container/test data, I think this is fine. We should follow up with a better way (maybe automatically generate a password?) in the future.