Opened 9 years ago

Closed 8 years ago

#2901 closed defect (fixed)

Firefox 4 Tor Browser Bundle: execstack required by libcrypto (Fedora / SELinux)

Reported by: tagnaq Owned by: erinn
Priority: Medium Milestone: TorBrowserBundle 2.2.x-stable
Component: Applications/Tor bundles/installation Version:
Severity: Keywords:
Cc: tagnaq@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I tested the recent TBB [1] on Fedora 14 (64Bit).

SELinux on Fedora is per default in enforcing mode and the SELinux variable allow_execstack is per default off. (execstack is forbidden per default)

getsebool allow_execstack
allow_execstack --> off

when starting the TBB, SELinux prevents it from starting:

In the audit.log file one can see:
[...] avc: denied { execstack } [...] comm="vidalia [...]

caused by:
find tor-browser_en-US/ -exec execstack -q {} \; -print 2> /dev/null |grep X
X tor-browser_en-US/Lib/libcrypto.so
X tor-browser_en-US/Lib/libcrypto.so.1.0.0

It _seems_ that libcrypto runs fine with execstack disabled;
after clearing execstack the TBB starts fine.
execstack -c libcrypto.so
execstack -c libcrypto.so.1.0.0

If you would ship libcrypto without execstack TBB would also run on Fedora out-of-the-box, but it is important to investigate the side effects of removing execstack on libcrypto in detail.

If libcrypto absolutely requires execstack one could allow execstack by modifying allow_execstack but that is in general not a nice solution (weakens the entire system security) and requires root privileges.

[1] https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.2.23-1-alpha-en-US.tar.gz

BTW: CentOS is not affected by this issue because execstack is per default allowed there (allow_execstack --> on).
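The `execstack` pipeline in the report reads one bit: PF_X in the flags of an ELF object's PT_GNU_STACK program header. When that bit is set, the dynamic loader has to make the process stack executable before the library can be used, which is exactly the mprotect that SELinux reports as `denied { execstack }` when `allow_execstack` is off. The script below is an added illustration, not code from the ticket or from the Tor Project: it parses the program header table directly (ELF32/ELF64, either byte order), reports the same `X` / `-` / `?` verdict the `execstack` tool prints, walks a directory the way the `find ... -exec execstack -q` line does, and shows what `execstack -c` changes on disk by clearing the bit in a copy. The `build_minimal_elf64` fixture is a constructed header-only image used only so the code can be exercised without a real bundle. A linker invoked with `-Wl,--noexecstack`, as mentioned later in this ticket, emits the same header with the bit already clear. The reporter's caveat stands: clearing the bit is only safe for objects that never execute code on the stack (GCC nested-function trampolines are the classic case), so a change on a copy should be verified by running the software, not assumed.

```python
"""Audit ELF objects for the executable-stack marker (PT_GNU_STACK with PF_X).

Added example, not part of the Trac ticket. Pure-Python so it runs without the
prelink/execstack package; it reads the same program-header flag that tool does.
"""
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551          # p_type of the GNU stack marker segment
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits
ELF_MAGIC = b"\x7fELF"


def _locate_gnu_stack(data):
    """Return (struct byte-order prefix, file offset of p_flags) for the
    PT_GNU_STACK entry, or None when the object carries no such segment."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64 header layout
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_delta = 4     # p_flags directly follows p_type in Elf64_Phdr
    else:              # ELF32 header layout
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_delta = 24    # p_flags is the 7th word in Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            return end, off + flags_delta
    return None


def gnu_stack_flags(data):
    """p_flags of PT_GNU_STACK, or None if the object has no marker."""
    loc = _locate_gnu_stack(data)
    if loc is None:
        return None
    end, off = loc
    return struct.unpack_from(end + "I", data, off)[0]


def stack_verdict(data):
    """Same letters `execstack` prints: 'X' executable stack requested,
    '-' non-executable, '?' no marker (Linux then defaults to executable
    on most architectures, so '?' deserves the same scrutiny as 'X')."""
    flags = gnu_stack_flags(data)
    if flags is None:
        return "?"
    return "X" if flags & PF_X else "-"


def clear_execstack(data):
    """Return a copy with PF_X cleared on PT_GNU_STACK, as `execstack -c` does.
    Only the one flag word changes; everything else is byte-identical."""
    loc = _locate_gnu_stack(data)
    if loc is None:
        raise ValueError("no PT_GNU_STACK segment to clear")
    end, off = loc
    out = bytearray(data)
    (flags,) = struct.unpack_from(end + "I", out, off)
    struct.pack_into(end + "I", out, off, flags & ~PF_X)
    return bytes(out)


def scan_tree(root):
    """Yield (path, verdict) for every ELF file under root, the pure-Python
    counterpart of the find/execstack pipeline in the report. '!' marks a
    file that starts with the ELF magic but could not be parsed."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if not data.startswith(ELF_MAGIC):
                continue
            try:
                yield path, stack_verdict(data)
            except ValueError:
                yield path, "!"


def build_minimal_elf64(stack_flags):
    """Constructed fixture: a header-only little-endian ELF64 shared object
    with one PT_GNU_STACK entry carrying stack_flags (none when None).
    It is parseable, not loadable; it exists only to exercise the code above."""
    phnum = 0 if stack_flags is None else 1
    ehdr = bytearray(64)
    ehdr[:4] = ELF_MAGIC
    ehdr[4], ehdr[5], ehdr[6] = 2, 1, 1            # ELFCLASS64, LSB, EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, 3, 62, 1)   # ET_DYN, EM_X86_64, version
    struct.pack_into("<QQQ", ehdr, 24, 0, 64, 0)   # e_entry, e_phoff=64, e_shoff
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    struct.pack_into("<IHHHHHH", ehdr, 48, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b""
    if phnum:
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return bytes(ehdr) + phdr


if __name__ == "__main__":
    # Usage: python execstack_audit.py <directory>   (prints only X and ? hits)
    for p, v in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        if v in ("X", "?", "!"):
            print(v, p)
```

Run it against an unpacked bundle directory to get the same two `X` lines the reporter saw for `Lib/libcrypto.so` and `Lib/libcrypto.so.1.0.0`; `?` hits are objects with no marker at all, which the kernel treats as executable-stack on most architectures and which `execstack -q` also flags as unknown rather than clean.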

Child Tickets

Change History (6)

comment:1 Changed 9 years ago by erinn

I haven't tracked down the exact issue with this, but when building for older Linuxes (like CentOS) against an old glib/glibc, I can't actually get Qt to build against an OpenSSL that's built with -Wl,--noexecstack. I've considered updating the system I build on from Debian Lenny to Squeeze (where it does build). The options seem to be: find out why Qt won't build against that OpenSSL, or drop support for old Linuxes. The latter is the easy option.

comment:2 Changed 9 years ago by tagnaq

Cc: tagnaq@… added

comment:3 Changed 8 years ago by mikeperry

Resolution: fixed
Status: new → closed

This has been fixed by removing the Vidalia dependency on openssl.

comment:4 Changed 8 years ago by cypherpunks

Milestone: TorBrowserBundle 2.2.x-stable
Resolution: fixed
Status: closed → reopened

comment:5 Changed 8 years ago by Sebastian

Status: reopened → needs_information

still present today?

comment:6 Changed 8 years ago by tagnaq

Resolution: fixed
Status: needs_information → closed

Works fine for me without any manual changes.

tested bundle:
tor-browser-gnu-linux-x86_64-2.2.35-9-dev-en-US.tar.gz
