Long Wiki Edits Thread

torjunkie · July 12, 2021, 10:26am

You might be interested in this.

Open Source Security Metrics

https://metrics.openssf.org/search?q=whonix

(Whonix scoring around 48-50%)

ossf / scorecard

Release v2.0.0 · ossf/scorecard · GitHub
https://raw.githubusercontent.com/ossf/scorecard/main/cron/data/projects.csv

Result: github.com/Whonix/Whonix,criticality_score:0.482730

google / oss-fuzz

GitHub - google/oss-fuzz: OSS-Fuzz - continuous fuzzing for open source software.

(Useful for Whonix?)

Patrick · July 12, 2021, 10:49am

new wiki chapter:
VirtualBox Generic Bug Reproduction

nurmagoz · July 12, 2021, 11:33am

sure will do

Edit: fixed from them, working fine from my side.

torjunkie · July 14, 2021, 9:01pm

Thanks.

@Patrick I don’t think it is risky for us to publish Host Kernel Hardening while awaiting madaidan’s website changes - we have his permission on this forum after all.

Also, Since Tor’s sandbox feature seems perpetually broken/non-functional can/should we run Tor in a chroot jail, or at least provides wiki instructions to do so as an optional configuration?

No idea if this would work in Whonix configuration. (On a side note there is a lot of the Arch wiki we could rip off for security-related matters in our own wiki. TODO)

Tor - ArchWiki

For security purposes, it may be desirable to run Tor in a chroot. The following script will create an appropriate chroot in /opt/torchroot:

~/torchroot-setup.sh

#!/bin/bash
export TORCHROOT=/opt/torchroot

mkdir -p $TORCHROOT
mkdir -p $TORCHROOT/etc/tor
mkdir -p $TORCHROOT/dev
mkdir -p $TORCHROOT/usr/bin
mkdir -p $TORCHROOT/usr/lib
mkdir -p $TORCHROOT/usr/share/tor
mkdir -p $TORCHROOT/var/lib
mkdir -p $TORCHROOT/var/log/tor/

ln -s /usr/lib $TORCHROOT/lib
cp /etc/hosts $TORCHROOT/etc/
cp /etc/host.conf $TORCHROOT/etc/
cp /etc/localtime $TORCHROOT/etc/
cp /etc/nsswitch.conf $TORCHROOT/etc/
cp /etc/resolv.conf $TORCHROOT/etc/

cp /usr/bin/tor $TORCHROOT/usr/bin/
cp /usr/share/tor/geoip* $TORCHROOT/usr/share/tor/
cp /lib/libnss* /lib/libnsl* /lib/ld-linux-.so /lib/libresolv* /lib/libgcc_s.so* $TORCHROOT/usr/lib/
cp $(ldd /usr/bin/tor | awk ‘{print $3}’|grep --color=never “^/”) $TORCHROOT/usr/lib/

/var/log/tor/notices.log is only needed if you run hidden services

cp /var/log/tor/notices.log $TORCHROOT/var/log/tor/

cp -r /var/lib/tor $TORCHROOT/var/lib/
cp /etc/tor/torrc $TORCHROOT/etc/tor/

chown tor:tor $TORCHROOT
chmod 700 $TORCHROOT
chown -R tor:tor $TORCHROOT/var/lib/tor
chown -R tor:tor $TORCHROOT/var/log/tor

sh -c “grep --color=never ^tor /etc/passwd > $TORCHROOT/etc/passwd”
sh -c “grep --color=never ^tor /etc/group > $TORCHROOT/etc/group”

mknod -m 644 $TORCHROOT/dev/random c 1 8
mknod -m 644 $TORCHROOT/dev/urandom c 1 9
mknod -m 666 $TORCHROOT/dev/null c 1 3

if [[ “$(uname -m)” == “x86_64” ]]; then
cp /usr/lib/ld-linux-x86-64.so* $TORCHROOT/usr/lib/.
ln -sr /usr/lib64 $TORCHROOT/lib64
ln -s $TORCHROOT/usr/lib ${TORCHROOT}/usr/lib64
fi

After running the script as root, Tor can be launched in the chroot with the command:

chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor

or, if you use systemd, overload the service:

/etc/systemd/system/tor.service.d/chroot.conf

[Service]
User=root
ExecStart=
ExecStart=/usr/bin/sh -c “chroot --userspec=tor:tor /opt/torchroot /usr/bin/tor -f /etc/tor/torrc”
KillSignal=SIGINT

Patrick · July 15, 2021, 1:23pm

That would be an exclusive permission (full terms and conditions unclear, perhaps revokeable…) which doesn’t extend to anyone who would want to fork that text. Would still be proprietary (copyrighed) as per copyright laws default. Proper Open Source projects, specifically bigger ones, don’t accept content/contributions without crystal clear licensing.

chroot is not a security feature.

/lib/systemd/system/tor@default.service various systemd hardening
/etc/apparmor.d/system_tor an apparmor profile.

That is sandboxing. Potential enhancements should be contributed upstream.

A custom chroot solution would be weaker and more stability fragile.

Patrick · July 15, 2021, 1:24pm

Patrick · July 16, 2021, 7:29pm

Could you review Bitcoin: Difference between revisions - Whonix please? @HulaHoop

HulaHoop · July 16, 2021, 9:22pm

Rejected. We don’t add obscure altcoins to our wiki (which implies endorsement) just because they slapped on a buzzword (in this case “quantum”) on their website.

I have no idea what the qualifications of the people behind is or what their motives are.

Patrick · July 16, 2021, 10:37pm

For reference, was about this edit:
Bitcoin: Difference between revisions - Whonix

Patrick · July 16, 2021, 10:39pm

Patrick · July 23, 2021, 7:47pm

3 posts were merged into an existing topic: New page for Bitcoin and quantum threat

Patrick · July 18, 2021, 7:44am

New wiki chapter:
Onion v2 Deprecation

Patrick · July 18, 2021, 9:30am

new wiki page:

nurmagoz · July 18, 2021, 1:53pm

made a change with the installation command and i added apparmor-utils because it doesnt come by default with debian and without it “aa-enforce” command is not there.

Patrick · July 18, 2021, 2:36pm

Great. Reminded me to update chapter AppArmor Notifications and document apparmor-notify.

Patrick · July 23, 2021, 7:46pm

new wiki chapter:
Tor Generic Bug Reproduction

Patrick · July 23, 2021, 7:49pm

Moved all discussion duplicated in this forum thread exclusively here:

Patrick · July 27, 2021, 5:01am

New wiki page:

(Similar to:

)

Patrick · July 30, 2021, 5:19pm

Updated:

Patrick · August 2, 2021, 12:00pm

4 posts were split to a new topic: Debian bullseye port