Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#18305 closed defect (not a bug)

Tor fails to start with setgid

Reported by: commoc
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Until Tor Browser 5.5, I used to perform the following steps after installing it:

cd tor-browser_en-US/Browser/TorBrowser/Tor/
chgrp net tor
chmod g+x tor
chmod g+s tor

I have a group called "net" and my iptables rules only allow outbound access to that group.

Starting with Tor Browser 5.5, the following error shows up after performing those steps and trying to start it:

Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware. Until you restart Tor, the Tor Browser will not able to reach any websites. If the problem persists, please send a copy of your Tor Log to the support team.

Restarting Tor will not close your browser tabs.

Change History (10)

comment:1 Changed 4 years ago by arma

Can you get us Tor's log messages when it complains and exits?

Also, just in case the above isn't useful enough, can you describe a way to reproduce that doesn't involve Tor Browser?

comment:2 Changed 4 years ago by cypherpunks

Status: new → needs_information

comment:3 Changed 4 years ago by commoc

It says "0 log messages".

To reproduce it without involving Tor Browser, I executed the tor executable directly. In an out-of-the-box installation, it starts normally, like this:

user@debian:~/tor-browser_en-US/Browser/TorBrowser/Tor$ LD_LIBRARY_PATH="/home/user/tor-browser_en-US/Browser/TorBrowser/Tor/"
user@debian:~/tor-browser_en-US/Browser/TorBrowser/Tor$ export LD_LIBRARY_PATH
user@debian:~/tor-browser_en-US/Browser/TorBrowser/Tor$ ./tor
Feb 12 10:08:57.324 [notice] Tor v0.2.7.6 (git-7a489a6389110120) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0.1q and Zlib 1.2.8.
Feb 12 10:08:57.324 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 12 10:08:57.324 [notice] Configuration file "/home/ubuntu/install/etc/tor/torrc" not present, using reasonable defaults.
Feb 12 10:08:57.330 [notice] Opening Socks listener on 127.0.0.1:9050
Feb 12 10:08:57.000 [notice] Bootstrapped 0%: Starting
Feb 12 10:08:58.000 [notice] Bootstrapped 5%: Connecting to directory server

After performing my steps, I get this:

user@debian:~/tor-browser_en-US/Browser/TorBrowser/Tor$ ./tor
./tor: symbol lookup error: ./tor: undefined symbol: evutil_secure_rng_set_urandom_device_file

I use the latest stable (8.3) release of Debian.

comment:4 Changed 4 years ago by gk

I wonder if there is any relationship with the issue in #18210.

comment:5 in reply to:  3 Changed 4 years ago by cypherpunks

Replying to commoc:

> After performing my steps, I get this:
>
> user@debian:~/tor-browser_en-US/Browser/TorBrowser/Tor$ ./tor
> ./tor: symbol lookup error: ./tor: undefined symbol: evutil_secure_rng_set_urandom_device_file
>
> I use the latest stable (8.3) release of Debian.

So this case has another explanation.

ld-linux.so(8):

If a library dependency does not contain a slash, then it is searched for in the following order:

[...]

  • Using the environment variable LD_LIBRARY_PATH. Except if the executable is a set-user-ID/set-group-ID binary, in which case it is ignored.

[...]

You say this used to work, so there *might* be an actual bug, but your test does not isolate it.

comment:6 Changed 4 years ago by commoc

I don't have AppArmor.

Using an out-of-the-box TorBrowser 5.0.7, I don't need to set LD_LIBRARY_PATH to start Tor directly, as seen below:

user@debian:~/tor-browser_en-US-5.0.7/Browser/TorBrowser/Tor$ ./tor
Feb 12 19:02:46.557 [notice] Tor v0.2.7.6 (git-7a489a6389110120) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
Feb 12 19:02:46.557 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Feb 12 19:02:46.557 [notice] Configuration file "/home/ubuntu/install/etc/tor/torrc" not present, using reasonable defaults.
Feb 12 19:02:46.563 [notice] Opening Socks listener on 127.0.0.1:9050
Feb 12 19:02:46.000 [notice] Bootstrapped 0%: Starting
Feb 12 19:02:47.000 [notice] Bootstrapped 5%: Connecting to directory server

It also works after performing my steps.

But with an out-of-the-box TorBrowser 5.5, I need to set LD_LIBRARY_PATH before starting Tor directly (as seen in my comment:3).

Since the Tor versions remained the same, I think the issue is caused by some change between Libevent 2.0.21 and 2.0.22. With this last version, apparently LD_LIBRARY_PATH is needed, and that's why Tor won't start with setgid.

I'm not sure whether the Tor developers can do something about this.

comment:7 in reply to:  6 Changed 4 years ago by gk

Component: Tor → Tor Browser

Replying to commoc:

> I don't have AppArmor.
>
> Using an out-of-the-box TorBrowser 5.0.7, I don't need to set LD_LIBRARY_PATH to start Tor directly, as seen below:
>
> user@debian:~/tor-browser_en-US-5.0.7/Browser/TorBrowser/Tor$ ./tor
> Feb 12 19:02:46.557 [notice] Tor v0.2.7.6 (git-7a489a6389110120) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.1k and Zlib 1.2.8.
> Feb 12 19:02:46.557 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
> Feb 12 19:02:46.557 [notice] Configuration file "/home/ubuntu/install/etc/tor/torrc" not present, using reasonable defaults.
> Feb 12 19:02:46.563 [notice] Opening Socks listener on 127.0.0.1:9050
> Feb 12 19:02:46.000 [notice] Bootstrapped 0%: Starting
> Feb 12 19:02:47.000 [notice] Bootstrapped 5%: Connecting to directory server
>
> It also works after performing my steps.
>
> But with an out-of-the-box TorBrowser 5.5, I need to set LD_LIBRARY_PATH before starting Tor directly (as seen in my comment:3).
>
> Since the Tor versions remained the same, I think the issue is caused by some change between Libevent 2.0.21 and 2.0.22. With this last version, apparently LD_LIBRARY_PATH is needed, and that's why Tor won't start with setgid.

Well, I guess you have libevent (and other libs tor requires) installed on your computer (e.g. because of having a system tor running, too). And what happened so far was that Tor Browser silently fell back to that one which worked fine as this is 2.0.21. But that fallback does not work anymore as we now require 2.0.22. Could you test that theory?

comment:8 Changed 4 years ago by commoc

Yes, Debian ships with libevent 2.0.21. After installing 2.0.22 to /usr/local/lib, both versions of TorBrowser work fine. So this isn't a bug at all. Thanks!

comment:9 Changed 4 years ago by commoc

Resolution: not a bug
Status: needs_information → closed

comment:10 in reply to:  8 Changed 4 years ago by gk

Replying to commoc:

> So this isn't a bug at all. Thanks!

Depends. We certainly can do better here. I think fixing #13373 would have helped you as well.
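
The loader rule quoted in comment:5 and the system-library fallback described in comment:7, as an added diagnostic that is not part of the original ticket or of Tor Browser. The function names `secure_exec` and `check_binary` are hypothetical, GNU `stat` is assumed, and nosuid mounts, file capabilities and LSMs are left out of the check.

```shell
#!/bin/sh
# Added example, not from the ticket. Function names are hypothetical.
# Simplification: nosuid mounts, file capabilities and LSMs are not checked,
# and the caller's real and effective ids are assumed equal.

# secure_exec MODE FILE_UID FILE_GID REAL_UID REAL_GID
# Returns 0 when exec'ing such a file would change the effective uid or gid,
# the set-user-ID/set-group-ID case in which the loader ignores LD_LIBRARY_PATH.
secure_exec() {
    mode=$((0$1))                      # MODE is octal, as printed by stat -c %a
    # setuid bit (04000): effective uid becomes the file owner
    if [ $(( $mode & 04000 )) -ne 0 ] && [ "$2" != "$4" ]; then return 0; fi
    # setgid bit (02000) only takes effect together with group-execute (010);
    # the ticket's steps set that bit with "chmod g+x"
    if [ $(( $mode & 02010 )) -eq $((02010)) ] && [ "$3" != "$5" ]; then
        return 0
    fi
    return 1
}

# check_binary FILE: apply the rule to a real file (GNU stat assumed) and show
# where its libraries resolve from when LD_LIBRARY_PATH is not in effect.
check_binary() {
    attrs=$(stat -c '%a %u %g' "$1") || return 2
    set -- "$1" $attrs
    if secure_exec "$2" "$3" "$4" "$(id -ru)" "$(id -rg)"; then
        echo "$1: secure-execution mode, LD_LIBRARY_PATH is ignored"
        echo "libraries resolve as follows without it:"
        env -u LD_LIBRARY_PATH ldd "$1"
    else
        echo "$1: normal mode, LD_LIBRARY_PATH is honoured"
    fi
}

if [ $# -gt 0 ]; then check_binary "$1"; fi
```

Run `ldd` only on binaries you trust, since it can cause code from the inspected file to run.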
