[graphical gui] Whonix Setup Wizard / Anon Connection Wizard - Technical Discussion

This fixes it.

self.tor_status_code = str(self.tor_status_result[1])
1 Like

Fixed.

1 Like

Thank you so much for catching it and fixing it!

I also added some comments to clearly document the return type:

1 Like

Would you please share your approach to intentionally making Tor not work so that we can test those unusual cases?

Thank you so much, Patrick!

1 Like

We actually advertise in several places that user configurations should go to 50_user.torrc. Therefore, do you think it will be a good idea to ship an empty 50_user.torrc file? Or maybe even have some comments telling the user “Yes, this is the file you should use for your configuration.”

1 Like

I agree that we should have the separation.

My only concern is a user who asks for some torrc settings online, and someone provides a solution with “DisableNetwork 0” with it. Then, the user happily copies it into 50_user.torrc. From then on, anon-connection-wizard will not control the disable or enable of Tor any more since anon-connection-wizard writes to 40_.torrc which has lower priority than 50_.torrc.

Hi Patrick!

Do you mean anon-connection-wizard should parse all the torrc files like what the real Tor does and then give users a warning saying “DisableNetwork 0 is detected in torrc files which have higher priority than anon-connection-wizard, thus, anon-connection-wizard cannot decide the enable or disable of Tor”? Do I understand it correctly?

Just write garbage to /etc/tor/torrc or better any torrc.d file.

We mention it, yes.

Makes a lot of sense. I however wonder how to update any comment in future should that be required. Creation of the file if none exists should be alright with comments only.

That’s a very valid concern. In these cases, anon-connection-wizard should detect the situation and report it. We might even break the separation, with an additional gui confirmation question?

The problem is, as far as I know, there is no comparable situation. Or do you know any applications where there are external configuration file generators and .d folders?

Yes.

The real question is how far can tools go? Should they edit any user config file if so requested no matter what?

Perhaps I am off the track with “don’t edit some config files”?

Any other application that does this or anyone external who could advise?

From a usability point of view: the tool should understand all configs fully and do what the user demands. Unless there is some really special file (starting from certain numbers perhaps?) which really should be ignored by user request?

Patrick Schleizer:

That’s a very valid concern. In these cases, anon-connection-wizard should detect the situation and report it. We might even break the separation, with an additional gui confirmation question?

When the user presses the connect or disable button in anon-connection-wizard,
I think anon-connection-wizard has already got the user’s consent that
they REALLY want to enable or disable Tor. Therefore, I guess we may
break the separation without an additional GUI confirmation?

The problem is, as far as I know, there is no comparable situation. Or do you know any applications where there are external configuration file generators and .d folders?

I do not know any configuration files like that yet. I would like to ask
how Tails is going to use torrc.d.

Yes.

This will be a good solution, but reimplementing include line parsing in
anon-connection-wizard may be too much work for anon-connection-wizard?
(not too much work for developer as long as it is something worth
implementing.)

From a usability point of view: the tool should understand all configs fully and do what the user demands. Unless there is some really special file (starting from certain numbers perhaps?) which really should be ignored by user request?

Yes! This is exactly what I am thinking.

anon-connection-wizard will edit 40_anon_connection_wizard.torrc freely
and also 50_user.torrc just for the “DisableNetwork 0” line. This is
fair and reasonable enough considering it is the user who presses that
enable and disable button. anon-connection-wizard is just taking care of
what the user wants.

Or anon-connection-wizard can just use “DisableNetwork 0” in
40_anon_connection_wizard.torrc and it is users’ responsibility not to
include “DisableNetwork 0” in any other torrc files. But this may be too
advanced for users.

What do you think?

Any other application that does this or anyone external who could advise?

Do you have any suggestion? I can definitely ask the question. :slight_smile:

1 Like

Patrick Schleizer:

Just write garbage to /etc/tor/torrc or better any torrc.d file.

Thank you for your suggestion!

We mention it, yes.

Makes a lot of sense. I however wonder how to update any comment in future should that be required. Creation of the file if none exists should be alright with comments only.

Great! For updating the comments in the file, can we update it with the
upgrade of its package? I can commit a
/usr/local/etc/torrc.d/50_user.torrc file. Is there anything else I
can do?

1 Like

iry:

Patrick Schleizer:

That’s a very valid concern. In these cases, anon-connection-wizard should detect the situation and report it. We might even break the separation, with an additional gui confirmation question?

When the user presses the connect or disable button in anon-connection-wizard,
I think anon-connection-wizard has already got the user’s consent that
they REALLY want to enable or disable Tor. Therefore, I guess we may
break the separation without an additional GUI confirmation?

Yes.

The problem is, as far as I know, there is no comparable situation. Or do you know any applications where there are external configuration file generators and .d folders?

I do not know any configuration files like that yet. I would like to ask
how Tails is going to use torrc.d.

Ok.

Yes.

This will be a good solution, but reimplementing include line parsing in
anon-connection-wizard may be too much work for anon-connection-wizard?
(not too much work for developer as long as it is something worth
implementing.)

%include parsing is cool but also low priority since very advanced users
would do that only.

Also difficult and low priority: Qubes vs persistence. Standalone VM vs
TemplateBasedVM vs bind-dirs. Like most users would have /etc/tor/torrc
persistent in sys-whonix while /etc/torrc.d is non-persistent while
/usr/local/etc/torrc.d is persistent. Therefore changing DisableNetwork
0/1 in /etc/torrc.d would also be confusing. Not sure
anon-connection-wizard should deal with Qubes persistence anyhow.

From a usability point of view: the tool should understand all configs fully and do what the user demands. Unless there is some really special file (starting from certain numbers perhaps?) which really should be ignored by user request?

Yes! This is exactly what I am thinking.

anon-connection-wizard will edit 40_anon_connection_wizard.torrc freely
and also 50_user.torrc just for the “DisableNetwork 0” line. This is
fair and reasonable enough considering it is the user who presses that
enable and disable button. anon-connection-wizard is just taking care of
what the user wants.

40_anon_connection_wizard.torrc and 50_user.torrc only seems confusing
and inconsistent. Do you think you could handle DisableNetwork 0/1 in
all Tor config files /etc/tor/torrc /etc/torrc.d /usr/local/etc/torrc.d?
Do you think this is doable/realistic for Whonix 14?

Perhaps except for files containing readonly? Skipped for now. (And
later during anon-connection-development development reported only?)

Or anon-connection-wizard can just use “DisableNetwork 0” in
40_anon_connection_wizard.torrc and it is users’ responsibility not to
include “DisableNetwork 0” in any other torrc files. But this may be too
advanced for users.

This goes back to your argument “what if the user copied/pasted from the
internet”. But also this would be good enough for Whonix 14.

Any other application that does this or anyone external who could advise?

Do you have any suggestion? I can definitely ask the question. :slight_smile:

No suggestion. Just wondering.

1 Like

iry:

Patrick Schleizer:

Just write garbage to /etc/tor/torrc or better any torrc.d file.

Thank you for your suggestion!

We mention it, yes.

Makes a lot of sense. I however wonder how to update any comment in future should that be required. Creation of the file if none exists should be alright with comments only.

Great! For updating the comments in the file, can we update it with the
upgrade of its package? I can commit a
/usr/local/etc/torrc.d/50_user.torrc file. Is there anything else I
can do?

Debian packages are forbidden to write to /usr/local.

Another issue with that would be: Once users edit that file we get a
dpkg interactive conflict resolution dialog.

( Configuration Files - Kicksecure )

That’s why I wonder how to update any comment in future should that be required. Something hard to solve. Also the reason why we want .d in
the first place.

1 Like

Hi Patrick!

I did some testing and I think I have some findings now.

First, the default value of DisableNetwork is 0.

As per: How can we help? | Tor Project | Support

DisableNetwork 0|1

When this option is set, we don’t listen for or accept any connections other than controller connections, and we close (and don’t reattempt) any outbound connections. Controllers sometimes use this option to avoid using the network until Tor is fully configured. (Default: 0)

This means there is no difference between DisableNetwork 0 and
#DisableNetwork 0.

Second, no matter the value of DisableNetwork is 0/1, when we want to
disable Tor, we can always disable it successfully without any complaint.

Third, the only problem is, when DisableNetwork 1 is the final value
which will be used by Tor, we will fail to start Tor (it totally makes
sense) and cause a crash on anon-connection-wizard.

If all my findings above are correct, I propose to at least partly
forget about the DisableNetwork in Whonix, including but not limited
to anon-connection-wizard and whonixsetup.

Since DisableNetwork 1 is not a value that is commonly found on the
internet, we may assume whoever uses this line has full understanding on
what it means. Thus, anon-connection-wizard does not take care of
prefixing # to all the DisableNetwork 1 lines.

Although DisableNetwork 0 is default, anon-connection-wizard may still
add DisableNetwork 0 to 40_anon_connection_wizard.torrc when Tor
will be enabled. Why? Because it will let Tor work even if there is a
DisableNetwork 1 in files which have lower priority than
40_anon_connection_wizard.torrc.

How do you like this proposal, Patrick?

Patrick Schleizer:

Debian packages are forbidden to write to /usr/local.

Another issue with that would be: Once users edit that file we get a
dpkg interactive conflict resolution dialog.

( Configuration Files - Kicksecure )

That’s why I wonder how to update any comment in future should that be required. Something hard to solve. Also the reason why we want .d in
the first place.

I see. Then how about not shipping the 50_user.torrc?

And for better usability, we may use this comment in all the torrc:

## Do not edit this file!
## Please create and then add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.torrc

iry:

I did some testing and I think I have some findings now.

To get a clearer picture, may I suggest to grep all of Whonix source code.

grep --exclude=README.md --exclude=GPLv2 --exclude=GPLv3 --exclude=COPYING --exclude=changelog.upstream-old1 --exclude-dir=mnt --exclude-dir=qubes-src/linux-template-builder/mnt --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=chroot-debian --exclude-dir=chroot-jessie -r -i DisableNetwork

(The exclusion part grep --exclude=README.md --exclude=GPLv2 --exclude=GPLv3 --exclude=COPYING --exclude=changelog.upstream-old1 --exclude-dir=mnt --exclude-dir=qubes-src/linux-template-builder/mnt --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=chroot-debian --exclude-dir=chroot-jessie is better as a
wrapper.)

Basically grep -r -i DisableNetwork while ignoring all the irrelevant files.

First, the default value of DisableNetwork is 0.

As per: How can we help? | Tor Project | Support

It’s true but not in case of Whonix.

DisableNetwork 0|1

When this option is set, we don’t listen for or accept any connections other than controller connections, and we close (and don’t reattempt) any outbound connections. Controllers sometimes use this option to avoid using the network until Tor is fully configured. (Default: 0)

This means there is no difference between DisableNetwork 0 and
#DisableNetwork 0.

Whonix default DisableNetwork 0 in
/usr/share/tor/tor-service-defaults-torrc makes the difference.

anon-gw-anonymizer-config/usr/share/tor/tor-service-defaults-torrc.anondist at e16ff107a49d75c776334164cb81ca22cc450c01 · Whonix/anon-gw-anonymizer-config · GitHub

Second, no matter the value of DisableNetwork is 0/1, when we want to
disable Tor, we can always disable it successfully without any complaint.

Third, the only problem is, when DisableNetwork 1 is the final value
which will be used by Tor, we will fail to start Tor (it totally makes
sense) and cause a crash on anon-connection-wizard.

DisableNetwork 1 doesn’t crash Tor. By the description that you posted…

When this option is set, we don’t listen for or accept any
connections other than controller connections, and we close (and don’t
reattempt) any outbound connections. Controllers sometimes use this
option to avoid using the network until Tor is fully configured.
(Default: 0)

It doesn’t crash either. And if it did (which it doesn’t), then it would
be a bug.

Perhaps double use of DisableNetwork 1 in
/usr/share/tor/tor-service-defaults-torrc as well as in a torrc.d file
causes a crash?

1 Like

iry:

Patrick Schleizer:

Debian packages are forbidden to write to /usr/local.

Another issue with that would be: Once users edit that file we get a
dpkg interactive conflict resolution dialog.

( Configuration Files - Kicksecure )

That’s why I wonder how to update any comment in future should that be required. Something hard to solve. Also the reason why we want .d in
the first place.

I see. Then how about not shipping the 50_user.torrc?

And for better usability, we may use this comment in all the torrc:

## Do not edit this file!
## Please create and then add modifications to the following file instead:
## /usr/local/etc/torrc.d/50_user.torrc

Ok.

1 Like

Thank you so much for your guidance, Patrick!

I have created $HOME/bin/mygrep:

#!/bin/bash

grep --exclude=README.md --exclude=GPLv2 --exclude=GPLv3 --exclude=COPYING --exclude=changelog.upstream-old1 --exclude-dir=mnt --exclude-dir=qubes-src/linux-template-builder/mnt --exclude=changelog.upstream --exclude-dir=.git --exclude-dir=chroot-debian --exclude-dir=chroot-jessie "${@:2}"

I see. Whonix is adding DisableNetwork 1 to /usr/share/tor/tor-service-defaults-torrc probably because Whonix will try to auto-start Tor when whonix-gw is started. It makes a lot of sense. :slight_smile:

1 Like

That should just be

"$@"
1 Like

Double use of DisableNetwork 1 will not crash Tor. It will crash anon-connection-wizard when it wants to start Tor but it can not find /run/tor/control. I will handle this error. :slight_smile:

1 Like

Hi Patrick! I have been thinking about this for a while.

I agree that modifying only 40_.torrc and 50_user.torrc is inconsistent. And it seems anon-connection-wizard will be too “powerful” if it also edits “/etc/tor/torrc /etc/torrc.d /usr/local/etc/torrc.d”.

Therefore, here is my new proposal:

  1. anon-connection-wizard will write DisableNetwork 0 to 40_anon_connection_wizard.torrc when the user hits the connect button.
  2. anon-connection-wizard will write #DisableNetwork 0 (or nothing) to 40_anon_connection_wizard.torrc when the user hits the disable button.
  3. The special case is when anon-connection-wizard tries to start Tor but the final value is DisableNetwork 1. In this case, anon-connection-wizard will tell the user why Tor cannot be enabled and let the user handle the DisableNetwork 1 themselves. Since DisableNetwork 1 is not a value that is commonly found on the internet, we may assume whoever uses this line has full understanding on what it means.

How do you like this proposal, Patrick?

1 Like
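The check discussed in this thread (find the final DisableNetwork value across the torrc files and tell the user which file sets it), as an added example that is not part of the original posts and not anon-connection-wizard's own code. It assumes the caller passes the files in the order Tor reads them, that a later assignment overrides an earlier one, and that %include lines are not followed; the function names, the sample contents and the /etc/torrc.d location of the wizard file are constructed for illustration.

```python
import re

# Tor option names are case-insensitive; text after '#' is a comment.
_OPTION = re.compile(r"^\s*DisableNetwork\s+([01])\s*$", re.IGNORECASE)

def effective_disable_network(files, default=0):
    """files: (path, text) pairs in the order Tor reads them, lowest priority
    first. Returns (value, path, lineno) of the assignment that wins; path and
    lineno are None when no file sets the option and Tor's default applies."""
    winner = (default, None, None)
    for path, text in files:
        for lineno, raw in enumerate(text.splitlines(), start=1):
            match = _OPTION.match(raw.split("#", 1)[0])
            if match:
                winner = (int(match.group(1)), path, lineno)  # later wins
    return winner

def connect_warning(files):
    """None if the network will be enabled, otherwise a message for the user."""
    value, path, lineno = effective_disable_network(files)
    if value == 0:
        return None
    return f"Tor cannot be enabled: DisableNetwork 1 is set at {path}:{lineno}"

# Constructed sample contents; the /etc/torrc.d location of the wizard file is assumed.
SAMPLE = [
    ("/usr/share/tor/tor-service-defaults-torrc", "DisableNetwork 1\n"),
    ("/etc/torrc.d/40_anon_connection_wizard.torrc", "DisableNetwork 0\n"),
    ("/usr/local/etc/torrc.d/50_user.torrc",
     "## pasted by the user\ndisablenetwork 1  # from a forum post\n"),
]

if __name__ == "__main__":
    print(connect_warning(SAMPLE))      # 50_user.torrc overrides the wizard
    print(connect_warning(SAMPLE[:2]))  # wizard file has the last word
```
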