ID: 561PHID: PHID-TASK-tw2utvdizhtry4osfbuuAuthor: PatrickStatus at Migration Time: resolvedPriority at Migration Time: Normal
For example onionshare binds its webserver on 127.0.0.1.
That cannot work because it needs to bind on the external IP.
Approaches:
a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.
(tested to work)
Not great, not generic.
c) An iptables based solution that requires net.ipv4.conf.all.route_localnet=1.
What are the security implications of net.ipv4.conf.eth0.route_localnet=1 / route_localnet?
https://www.whonix.org/wiki/Dev/Port_Redirection
Not great, not generic.
socat TCP-LISTEN:17600,bind=10.137.6.41,fork TCP:127.0.0.1:17600
Loads of socat listeners. At some point they could even eat too much RAM if they become too many.
Could be made conditional by only loading these listeners if onionshare is installed. (Not great when installed inside template and not all Whonix-Workstations use onionshare.)
EDIT: Perhaps not that many socat listeners by using systemd socket activation.
related: port anon-ws-disable-stacked-tor to systemd socket activation T623
(EDIT)
f) write draft for local listener standard on debian-devel T635
2017-01-10 08:49:04 UTC
a) work with upstream (onionshare etc.) to provide a switch to listen on all interfaces and automatically do so inside Whonix. Not great, not generic, takes a long time until merged and landing in Debian.
Won’t happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.
b) Some solution using bindp.
I decided to go for that solution since the other solutions aren’t looking feasible/great. bindp has been packaged by me, automated as wrapper and added it #uwt . Will git push it soon.
Could you please have a look bindp and comment on the C code from a security perspective? @marmarek Without comments it’s just 5 lines of make and 100 lines of C code.
GitHub - yongboy/bindp: Binding specific IP and Port fro Linux Running Application
I managed to enable Debian packaging compiler hardening flags. Output of checksec looks “quite good”, “almost all green”, besides the stack canary field. (Better than most libs in /usr/lib/**.so.)
checksec --file libindp.so
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH libindp.so
As you can see, just the stack canary is missing. Is that a huge isssue?
Compilation during package build looks as follows and shows a warning.
gcc -nostartfiles -fpic -shared bindp.c -o libindp.so -ldl -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now
/usr/bin/ld.bfd.real: warning: cannot find entry symbol _start; defaulting to 0000000000000660
Is there anything concerning about that?
2017-01-10 08:54:59 UTC
2017-01-10 10:08:22 UTC
2017-01-10 10:14:09 UTC
2017-01-10 23:58:09 UTC
! In T561#11317, @Patrick wrote:
Won’t happen by the time this ends up in stretch. Anyhow. Should go for it optionally so any other workarounds can later be abolished.
b) Some solution using bindp.
I decided to go for that solution since the other solutions aren’t looking feasible/great. bindp has been packaged by me, automated as wrapper and added it #uwt . Will git push it soon.
Could you please have a look bindp and comment on the C code from a security perspective? @marmarek Without comments it’s just 5 lines of make and 100 lines of C code.
GitHub - yongboy/bindp: Binding specific IP and Port fro Linux Running Application
Generally it looks ok. The only issue I see is it replace address in all bind calls - even those with different address family than AF_INET. In that case, address structure may be different (and also have different size) and strange things may happen. If a particular application use only AF_INET binds, it should be ok. You can check with strace and grep.
I managed to enable Debian packaging compiler hardening flags. Output of checksec looks “quite good”, “almost all green”, besides the stack canary field. (Better than most libs in /usr/lib/**.so.)
checksec --file libindp.so
RELRO STACK CANARY NX PIE RPATH RUNPATH FILE
Full RELRO No canary found NX enabled PIE enabled No RPATH No RUNPATH libindp.so
As you can see, just the stack canary is missing. Is that a huge isssue?
Not a huge, especially as the library doesn’t deal with any dynamic sized structures on stack (maybe that’s why gcc didn’t put stack canary there, even with -fstack-protector-strong?).
Compilation during package build looks as follows and shows a warning.
gcc -nostartfiles -fpic -shared bindp.c -o libindp.so -ldl -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -fPIE -pie -Wl,-z,relro -Wl,-z,now
/usr/bin/ld.bfd.real: warning: cannot find entry symbol _start; defaulting to 0000000000000660
Is there anything concerning about that?
My guess: missing -shared option. Not a big problem.
2017-01-11 18:30:46 UTC
2017-02-13 18:36:47 UTC