Issue with tb-updater and privleap

With the latest tb-updater (3:36.9-1), which depends on privleap, there is an issue rendering it nonfunctional after upgrade.

From the apt-get dist-upgrade output:

Created symlink /etc/systemd/system/user@.service.wants/leapctl@.service → /lib/systemd/system/leapctl@.service.
/etc/privleap/conf.d/tb-updater.conf:4:error:Unrecognized header 'tb-permission-fix'
WARNING: privleap configuration invalid. Not restarting privleapd. Run configuration check using: privleapd --check-config

And when running update-torbrowser --debug:

+ tb_run_function tb_fix_permissions
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_fix_permissions'\'', because tb_skip_functions does not include it.'
+ tb_fix_permissions
+ '[' false = true ']'
+ leaprun tb-permission-fix
ERROR: Could not connect to privleapd!

Status of leapctl@ and privleapd services.

× leapctl@1000.service - leapctl - Enable access to privleap for each user
     Loaded: loaded (/lib/systemd/system/leapctl@.service; disabled; preset: en>
     Active: failed (Result: exit-code) since Fri 2025-03-07 06:31:25 UTC; 1min>
    Process: 4546 ExecStart=/usr/bin/leapctl --create 1000 (code=exited, status>
   Main PID: 4546 (code=exited, status=2)
        CPU: 45ms

● privleapd.service - privleap - Limited Privilege Escalation Framework
     Loaded: loaded (/lib/systemd/system/privleapd.service; enabled; preset: en>
     Active: active (running) since Fri 2025-03-07 06:31:25 UTC; 1min 22s ago
   Main PID: 4534 (privleapd)
     Status: "Fully started"
      Tasks: 1 (limit: 9475)
     Memory: 9.6M
        CPU: 60ms
     CGroup: /system.slice/privleapd.service
             └─4534 /usr/bin/python3 -u /usr/bin/privleapd

Thank you

Fixed after reboot?

File content of /etc/privleap/conf.d/tb-updater.conf should match tb-updater/etc/privleap/conf.d/tb-updater.conf at master · Kicksecure/tb-updater · GitHub. Just for verification. No user action required.

I can reproduce the same issue after a reboot. Also this change in leapctl status.

× leapctl@1000.service - leapctl - Enable access to privleap for each user
     Loaded: loaded (/lib/systemd/system/leapctl@.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Fri 2025-03-07 09:12:13 UTC; 43s ago
    Process: 1091 ExecStart=/usr/bin/leapctl --create 1000 (code=exited, status=2)
   Main PID: 1091 (code=exited, status=2)
        CPU: 45ms

Mar 07 09:12:13 host systemd[1]: Starting leapctl@1000.service - leapctl - Enable access to privleap for each user...
Mar 07 09:12:13 host leapctl[1091]: ERROR: User 'user' is not permitted to have a comm socket!
Mar 07 09:12:13 host systemd[1]: leapctl@1000.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 07 09:12:13 host systemd[1]: leapctl@1000.service: Failed with result 'exit-code'.
Mar 07 09:12:13 host systemd[1]: Failed to start leapctl@1000.service - leapctl - Enable access to privleap for each user.

File contents match.

Thank you


The dist-base-files update was missing in the stable repository. After upgrade + reboot this should hopefully be fixed.


Fixed
