Hi,
I just want to share a quick bugfix with you (sorry if this is obvious to you or has been written somewhere else).
Suddenly, I got the following error messages on my two bridges running on Debian 11 appearing in the logs (in /var/log/tor/notices.log and in the nyx output) every second until a restart:
<timestamp> [warn] Managed proxy "/usr/bin/obfs4proxy" process terminated with status code 65280
<timestamp> [warn] Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)
<timestamp> [warn] Managed proxy '/usr/bin/obfs4proxy' was spawned successfully, but it didn't launch any pluggable transport listeners!
When restarting the corresponding bridge, in the startup process the second and the third of the above warning messages again appeared in the logs. So obfs4 was suddenly not usable any more. Port 443 is not blocked in the bridge's firewalls.
A bit of research revealed that apparently, an automatic update set the systemd setting "NoNewPrivileges=no" in /lib/systemd/system/tor@default.service and tor@.service [1] back to yes, which caused the above issue. After setting it back and restarting, everything works fine now and instead of the warning messages mentioned above, the following message appears in the log again:
<timestamp> [notice] Registered server transport 'obfs4' at '[::]:443'
(Several places recommend setting the obfs4 port to 443 to get around restrictive firewalls, so I didn't want to set it to something else).
Kind regards
telekobold
[1] http://xmrhfasfg5suueegrnc4gsgyi2tyclcy5oz7f5drnrodmdtob6t2ioyd.onion/relay/...
On 9/7/23 14:12, telekobold wrote:
> A bit of research revealed that apparently, an automatic update set the systemd setting "NoNewPrivileges=no" in /lib/systemd/system/tor@default.service and tor@.service [1] back to yes,
You probably need another entry too (grabbed from [1]):
[Service]
NoNewPrivileges=no
AmbientCapabilities=CAP_NET_BIND_SERVICE
[1] https://github.com/toralf/tor-relays/blob/main/playbooks/roles/setup-tor/fil...
On Thu, Sep 07, 2023 at 02:12:36PM +0200, telekobold wrote:
> I just want to share a quick bugfix with you (sorry if this is obvious to you or has been written somewhere else).
> Suddenly, I got the following error messages on my two bridges running on Debian 11 appearing in the logs (in /var/log/tor/notices.log and in the nyx output) every second until a restart:
> <timestamp> [warn] Managed proxy "/usr/bin/obfs4proxy" process terminated with status code 65280
> <timestamp> [warn] Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)
> <timestamp> [warn] Managed proxy '/usr/bin/obfs4proxy' was spawned successfully, but it didn't launch any pluggable transport listeners!
> When restarting the corresponding bridge, in the startup process the second and the third of the above warning messages again appeared in the logs. So obfs4 was suddenly not usable any more. Port 443 is not blocked in the bridge's firewalls.
> A bit of research revealed that apparently, an automatic update set the systemd setting "NoNewPrivileges=no" in /lib/systemd/system/tor@default.service and tor@.service [1] back to yes, which caused the above issue. After setting it back and restarting, everything works fine now and instead of the warning messages mentioned above, the following message appears in the log again:
> <timestamp> [notice] Registered server transport 'obfs4' at '[::]:443'
There's a better way to set `NoNewPrivileges=no` that will not get overwritten in an upgrade. Use a systemd override: https://bugs.torproject.org/tpo/core/tor/18356#note_2439960
```
systemctl edit tor@.service tor@default.service
```
Enter this text in both editors that appear:
```
[Service]
NoNewPrivileges=no
```
Then run
```
service tor restart
```
This will create files /etc/systemd/system/tor@.service.d/override.conf and /etc/systemd/system/tor@default.service.d/override.conf that will not be overwritten in an upgrade.
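A way to confirm that the override took effect and that obfs4 recovered, as an added example that is not part of the thread. The function names and sample file contents are constructed for illustration; the log lines reuse the messages quoted above.

```sh
#!/bin/sh
# Added example, not code from the thread. Function names and the sample
# file contents written by make_samples are constructed.

# effective_nnp [FILE...]: print the NoNewPrivileges= value that wins when a
# unit file and its drop-ins are read in order (a later assignment in
# [Service] replaces an earlier one). Reads stdin when no file is given, so
# `systemctl cat tor@default.service | effective_nnp` works on a live host.
effective_nnp() {
    awk '
        FNR == 1 { in_service = 0 }
        /^\[/    { in_service = ($0 ~ /^\[Service\]/); next }
        in_service && /^[ \t]*NoNewPrivileges[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print (v == "" ? "unset" : v) }
    ' "$@"
}

# obfs4_state LOG: classify the most recent obfs4 event in a tor notices log
# as bind-denied, registered, or unknown.
obfs4_state() {
    awk '
        /\[warn\].*obfs4 listen tcp .*: bind: permission denied/ { s = "bind-denied" }
        /\[notice\] Registered server transport .obfs4. at /     { s = "registered" }
        END { print (s == "" ? "unknown" : s) }
    ' "$1"
}

# make_samples DIR: write constructed unit files and log excerpts into DIR.
make_samples() {
    printf '[Service]\nNoNewPrivileges=yes\n' > "$1/vendor.service"
    printf '[Service]\nNoNewPrivileges=no\n'  > "$1/override.conf"
    cat > "$1/broken.log" <<'EOF'
<timestamp> [warn] Server managed proxy encountered a method error. (obfs4 listen tcp 0.0.0.0:443: bind: permission denied)
<timestamp> [warn] Managed proxy '/usr/bin/obfs4proxy' was spawned successfully, but it didn't launch any pluggable transport listeners!
EOF
    printf '%s\n' "<timestamp> [notice] Registered server transport 'obfs4' at '[::]:443'" > "$1/fixed.log"
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "vendor unit only:  NoNewPrivileges=$(effective_nnp "$tmp/vendor.service")"
echo "vendor + override: NoNewPrivileges=$(effective_nnp "$tmp/vendor.service" "$tmp/override.conf")"
echo "log before fix:    $(obfs4_state "$tmp/broken.log")"
echo "log after fix:     $(obfs4_state "$tmp/fixed.log")"
rm -rf "$tmp"
```

On a running bridge, `systemctl show -p NoNewPrivileges tor@default.service` reports the value systemd actually applied.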