Opened at 2010-03-05T08:49:13Z
Last modified at 2015-03-27T10:46:47Z
#982 new defect
grsec disallows tahoe from learning its own IP address
Reported by: | ioerror | Owned by: | ioerror |
---|---|---|---|
Priority: | minor | Milestone: | undecided |
Component: | code | Version: | 1.6.0 |
Keywords: | security grsec iputil transparency | Cc: | |
Launchpad Bug: |
Description (last modified by zooko)
I'm attempting to run Tahoe with a Linux kernel that uses grsec (2.6.32.9 with the corresponding grsec patch).
It appears that the high security mode of grsec is incompatible with Tahoe.
Grsec disallows a resource overstep when Tahoe requests 4196256 for RLIMIT_CORE. To get Tahoe started, you'll need to add the following to the init.d script:
ulimit -c 4196256
Futhermore, it appears that Tahoe has an unhandled error when it cannont open /proc/net/dev (it's not there for normal users in high security mode). This causes Tahoe to call os.abort() and Tahoe fails to start.
Change History (14)
comment:1 Changed at 2010-03-05T08:54:46Z by ioerror
comment:2 follow-up: ↓ 13 Changed at 2010-03-06T03:25:33Z by ioerror
It seems that Tahoe will call ifconfig and it won't work in "high" security mode. Tahoe calls ifconfig to determine it's network location. grsec doesn't allow /proc/net/dev for non-root users. ifconfig complains to stderr message (as listed above), Tahoe sees this message and getmyipaddr() returns None. In addition if tub.location is not set then the node will have no location, concludes it will be unable to start up, and bails with aus.abort().
We need the following things:
- getmyipaddr() should return None if ifconfig fails and not complain so much
- if getmyipaddr() fails but tub.location is set, we should proceed normally
- if getmyipaddr() fails and tub.location is unset, we should tell the user to please set tub.location and perhaps fail or maybe start up (client may still work)
comment:3 Changed at 2010-03-06T03:25:43Z by ioerror
- Owner changed from somebody to warner
comment:4 Changed at 2011-06-17T04:49:24Z by zooko
- Summary changed from Tahoe and grsec to grsec disallows tahoe from learning its own IP address
I opened #1421 (increase_rlimits() tries to set RLIMIT_CORE high, which grsec disallows) to track the part about RLIMIT_CORE and am renaming this one to be more specifically about getmyipaddr() and /proc/net/dev.
comment:5 Changed at 2011-06-17T05:01:56Z by zooko
So, is it the intent of someone who is running tahoe under grsec's "high" security mode that tahoe shouldn't be allowed to learn its own IP address? Or is it the intent that this would be okay for tahoe to learn its own IP address, but not okay to open /proc/net/dev for reading?
If the former, then I agree that with ioerror's comment:2 that tahoe should handle failure of getmyipaddr() (which may require manual configuration of the IP address on the part of the user, or may involve tahoe running without knowing its IP address, which it can do with potentially reduced functonality). If the latter, then we should figure out a way to learn our IP address which doesn't require such high privileges that grsec denies it.
The way tahoe is currently trying to learn its IP address is by running /sbin/ifconfig without any elevated privileges (soure code). What if grsecurity allowed /sbin/ifconfig to have read-only access to /proc/net/dev when it (/sbin/ifconfig) doesn't have any elevated privileges? Would that fit the intent of grsecurity users?
This is more a question for grsecurity folks than Tahoe-LAFS folks, so I'll post a note to their mailing list to ask.
comment:6 Changed at 2011-06-17T05:08:14Z by zooko
ndurner pointed out on IRC that http://icanhazip.com tells you the IP address that your HTTP connection is coming from. :-)
comment:7 follow-up: ↓ 9 Changed at 2011-06-17T05:24:25Z by ioerror
I think it's fine to learn your own IP address but not by attempting to read from /proc/ or using any tools on the system that may read from /proc or other such subsystems such as /sys.
An idea: Allow Tahoe to learn it's own likely IP address by talking to another peer or checking for a configuration option. Thus a user can manually set the tub.location or Tahoe can learn it from the introducer;
In Tor, we allow any OR to talk to another OR and ask for it's own IP address. This peer IP is often correct. The OR then attempts to connect back to test if it has incoming ports filtered or open. That may also be quite useful for Tahoe.
comment:8 Changed at 2011-06-17T12:15:17Z by zooko
Thanks, ioerror!
Also last night I posted to the grsec mailing list asking about this: http://grsecurity.net/pipermail/grsecurity/2011-June/001083.html
So, why doesn't grsec provide a way for apps to learn what IP address is configured on certain interfaces without thereby giving that app any broader power that it could abuse?
comment:9 in reply to: ↑ 7 Changed at 2011-06-17T12:16:23Z by zooko
Replying to ioerror:
An idea: Allow Tahoe to learn it's own likely IP address by talking to another peer or checking for a configuration option. Thus a user can manually set the tub.location or Tahoe can learn it from the introducer;
In Tor, we allow any OR to talk to another OR and ask for it's own IP address. This peer IP is often correct. The OR then attempts to connect back to test if it has incoming ports filtered or open. That may also be quite useful for Tahoe.
We did something similar in Mnet. It worked well.
comment:11 Changed at 2013-05-27T17:37:49Z by zooko
- Keywords iputil transparency added
comment:12 Changed at 2013-06-25T18:15:57Z by Daira Hopwood <david-sarah@…>
comment:13 in reply to: ↑ 2 Changed at 2013-06-27T01:55:22Z by daira
- Owner changed from warner to ioerror
Replying to ioerror:
It seems that Tahoe will call ifconfig and it won't work in "high" security mode. Tahoe calls ifconfig to determine it's network location. grsec doesn't allow /proc/net/dev for non-root users. ifconfig complains to stderr message (as listed above), Tahoe sees this message and getmyipaddr() returns None. In addition if tub.location is not set then the node will have no location, concludes it will be unable to start up, and bails with aus.abort().
This might be fixed on trunk; it depends on whether 'ip addr' has the same problem as 'ifconfig'. I don't have grsec enabled in order to test this (and don't want to enable it because I don't have time to fix anything it breaks).
comment:14 Changed at 2015-03-27T10:44:47Z by daira
Note that as a side-effect of the fix to #754, setting tub.location without including "AUTO" will skip the local IP auto-detection code entirely, thus allowing a workaround for this problem if the other changes on trunk didn't fix it.