Opened 13 months ago

Closed 13 months ago

Last modified 13 months ago

#27894 closed project (wontfix)

Isolate TBB in a VM with X2Go

Reported by: colony.three@…
Owned by: colony.three@…
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-sandboxing
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I'm trying to set up the Tor Browser so it runs on a special KVM virtual machine, yet I can run it from other machines in the LAN. To do this I have the current TBB installed in machine 'hex', and try to access it from 'droog' using X2Go.

X2Go is set to 'Single Application' mode and 'Internet Browser'. This means that the browser is running on hex, and only the visual objects are being transferred to droog. And it means that if TBB is ever compromised, the malefactor is trapped in hex.

Running Firefox this way works perfectly. Setting the Pyhoca client to Internet Browser in droog means that on hex the x2goserver searches for an installed browser using /usr/bin/x2goruncommand. So I modify the relevant blob, thus:

if [ "$cmd" == "WWWBROWSER" ]; then
        if [ -e "/usr/bin/firefox.real" ]; then
                cmd="/usr/bin/firefox.real"
#*************************************************
        elif  [ -e "/usr/local/share/tor-browser_en-US/Browser/start-tor-browser" ]; then
                cmd="/usr/local/share/tor-browser_en-US/Browser/start-tor-browser --debug"
#*************************************************
        elif  [ -e "/usr/bin/iceweasel" ]; then
                cmd="/usr/bin/iceweasel"
        elif  [ -e "/usr/bin/firefox" ]; then
                cmd="/usr/bin/firefox"
        elif  [ -e "/usr/bin/abrowser" ]; then
                cmd="/usr/bin/abrowser"
        elif  [ -e "/usr/bin/konqueror" ]; then
                cmd="/usr/bin/konqueror"
        elif  [ -e "/usr/bin/galeon" ]; then
                cmd="/usr/bin/galeon"
        elif  [ -e "/usr/bin/chromium-browser" ]; then
                cmd="/usr/bin/chromium-browser"
        fi
fi

But when I do this and try to run TBB remotely with my Pyhoca settings, I get the attached.

When I try to start TBB in a KVM console window, it's upset that it can only be run on an Xwindows system. But this is bogus as Firefox runs in X2Go with the VM in multi-user mode.

Attachments (1)

snap.png (176.8 KB) - added by colony.three@… 13 months ago.


Change History (11)

Changed 13 months ago by colony.three@…

Attachment: snap.png added

comment:1 Changed 13 months ago by traumschule

Did you make other changes to torrc? Not sure if we can give support for it here. I tried in #tor and my advice was to configure a notice log in torrc, because the image shows that the launcher comes up but tor fails for an unknown (so far) reason. Maybe a configuration issue. For reference:
https://en.wikipedia.org/wiki/X2Go
https://code.x2go.org/gitweb

comment:2 Changed 13 months ago by gk

Status: new → needs_information
Version: Tor: unspecified

It would be helpful to see the output which one gets if --debug is added as above. Alternatively, you can use the --log option and should have a tor-browser.log file in your Tor Browser folder.

comment:3 Changed 13 months ago by colony.three@…

traumschule: As you'd suggested I turned on debug, then notice in torrc. I could not make it record logfiles even with the whole tor-browser_en-US branch owned by the user. TBB installed right out of the can, until I did the suggested mods to torrc.

gk: In every case I run 'start-tor-browser --debug'. And when running this in a KVM virt-manager console, it complains that this is not an Xwindow system. But regular Firefox runs through X2Go just fine.

I believe that this is a structural problem with the way TB is started. I haven't been able to understand its mechanism yet and it appears those on IRC don't either as I've asked.

For years I've run TBB in a VM, and set up reverse SSH tunnels to it from other machines. But with the latest TBB release this no longer works. Anyway, my proposed method above is more secure as all data stays on the quarantined TB VM.

Last edited 13 months ago by colony.three@…

comment:4 Changed 13 months ago by traumschule

And what does the log say?

If DISPLAY is really unset, my assumption is that the problem lies in the way x2goruncommand donates it to a process, maybe per PID, and start-tor-browser is not allowed to start firefox. Then my suggestion is:

  • put the tb directory in the home folder
  • donate it to this user
  • create a file with

#!/bin/sh
cd /path/to/tor-browser/Browser && ./start-tor-browser --debug --log

  • make it executable
  • start it with x2goruncommand

But the image you attached does not look like DISPLAY is unset but tor is failing because of something else.

Last edited 13 months ago by traumschule

comment:5 Changed 13 months ago by colony.three@…

Goddamn, it works! It even made a log for the first time.

1538198167078   addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}      WARN    Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing background.persistent: Event pages are not currently supported. This will run as a persistent background page.
JavaScript error: chrome://global/content/browser-child.js, line 359: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIWebNavigation.loadURIWithOptions]
1538198167919   addons.webextension.https-everywhere-eff@eff.org        WARN    Please specify whether you want browser_style or not in your browser_action options.
1538198167919   addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232}      WARN    Please specify whether you want browser_style or not in your browser_action options.
JavaScript error: , line 0: TypeError: NetworkError when attempting to fetch resource.

I infer that what was missing was to cd into the TB directory.

I still don't like making the whole TB directory writeable by the user, much less putting it in the user's directory. Under POSIX standards software like this belongs in /usr/local/share. I think I'll put it back there and make only Data/Browser writeable by the user. Maybe even symlink it into the user's directory as .mozilla-tor or somesuch.

I'd actually like to make the whole machine image read-only except for .mozilla-tor, and impossible to remount rw, but I don't know how to do that.

Each month I blow away .mozilla-tor and start fresh except for bookmarks.

Last edited 13 months ago by colony.three@…
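The fix that emerged in comment:4 and comment:5 (a small executable wrapper that changes into the Browser directory before calling start-tor-browser), written up as an added shell example. This is not code from the ticket, from X2Go or from Tor Browser: the function names, the refusal to start without DISPLAY and the wrapper path are this example's own assumptions; the default install root is the path the reporter used.

```shell
#!/bin/sh
# Added example for this ticket; not code from the ticket, X2Go or Tor Browser.
# It turns the comment:4/comment:5 recipe (a wrapper that cds into Browser/
# and calls start-tor-browser --debug --log) into a generator plus a check.
# Assumed, not taken from the ticket: the DISPLAY refusal, the function names
# and the wrapper path. The default root is the path the reporter used.

TB_ROOT="${TB_ROOT:-/usr/local/share/tor-browser_en-US}"

# Locate the start script under an install root. Returns non-zero when the
# unpacked tree is incomplete, so no wrapper is generated for a broken install.
tb_start_script() {
    root="${1:-$TB_ROOT}"
    script="$root/Browser/start-tor-browser"
    if [ ! -f "$script" ]; then
        echo "tb_start_script: $script not found" >&2
        return 1
    fi
    printf '%s\n' "$script"
}

# Write the wrapper that the WWWBROWSER branch of x2goruncommand (or PATH)
# can point at. The cd is the essential line: comment:5 reports that the
# browser only started once the working directory was Browser/. The wrapper
# also refuses to run without DISPLAY, which matches the symptom the
# reporter saw when starting from a plain KVM console.
tb_write_launcher() {
    out="$1"
    root="${2:-$TB_ROOT}"
    tb_start_script "$root" >/dev/null || return 1
    cat >"$out" <<EOF
#!/bin/sh
# Tor Browser launcher for X2Go single-application mode (generated).
if [ -z "\$DISPLAY" ]; then
    echo "DISPLAY is not set: run this through X2Go or another X session" >&2
    exit 1
fi
cd "$root/Browser" || exit 1
exec ./start-tor-browser --debug --log
EOF
    chmod 0755 "$out"
}

# Sanity-check a generated wrapper: executable, sh shebang, a cd into the
# install tree and an exec of the start script. Returns 0 when all hold.
tb_check_launcher() {
    f="$1"
    [ -x "$f" ] || return 1
    [ "$(head -n 1 "$f")" = "#!/bin/sh" ] || return 1
    grep -q '^cd "' "$f" || return 1
    grep -q '^exec ./start-tor-browser' "$f" || return 1
}
```

To hook it into x2goruncommand, point the `cmd=` assignment in the WWWBROWSER branch at the generated wrapper instead of at start-tor-browser itself; the wrapper supplies the working directory that the bare path did not.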

comment:6 Changed 13 months ago by traumschule

Keywords: tbb-sandboxing added
Owner: changed from tbb-team to colony.three@…
Status: needs_information → assigned
Summary: TBB Does Not Work With X2Go → Isolate TBB in a VM with X2Go
Type: enhancement → project

Happy to hear. As it seems you intend to keep working on it, I turn this ticket into a project assigned to you.

This is related to sandboxing Tor Browser.

Please note the security risks attached to X2Go using Python and XML:

comment:7 Changed 13 months ago by gk

Resolution: wontfix
Status: assignedclosed

Nothing we plan to do. But this could be added to our Wiki somewhere if someone got it working.

comment:8 Changed 13 months ago by colony.three@…

Yep, the changes I suggested work too.

I can write a wiki page on this (under Unixish?) if appropriate, but it's not clear where to create a page.

comment:10 Changed 13 months ago by colony.three@…

No I don't see any means to edit the page.
