I keep getting the following error when trying to open tor browser on a workstation app VM:
ERROR: User home folder permission issue?
Failed to run the following command:
cp --verbose --recursive --no-clobber /var/cache/tb-binary/.cache /home/user/
I followed all of the troubleshooting methods listed on the permission issues page of the wiki and none of them worked. I created new app VMs as well and the issue persisted. I then tried a manual install of tor browser on the workstation template which did not fix the issue.
Whenever I open the browser in a workstation disposable it works fine. Does anyone know how to fix this?
Patrick
September 24, 2023, 2:43pm
2
There's a really complex mess related to Tor Browser and Qubes persistence which isn't caused nor fixable by Whonix. The full technical details are here (optional):
Tor Browser Advanced Topics chapter Tor Browser Update: Technical Details in Whonix wiki
If you use Tor Browser: Manual Download you need to make sure to carefully read the "Platform Specific Notice:" on that wiki page.
It is impossible to re-install Tor Browser in Template in the user home folder and then have App Qubes based on it inherit the fix. You either need to:
A) Perform manual installation in App Qube, or
B) Use the correct folder in Template as mentioned in documentation.
I've got this error in recent openQA run: Qubes OS openQA: qubesos-4.2-update-x86_64-Build2024022004-4.2-system_tests_whonix@64bit test results
it was fine in previous run last week, but could be also some race condition
in the anon-whonix log I see:
[2024-02-20 01:27:12] [ 19.861162] qubes.StartApp+janondisttorbrowser-dom0[1265]: cp: cannot access '/var/cache/tb-binary/.cache/tb/gpgtmpdir': Permission denied
full log: guest-anon-whonix.log · GitHub
2 Likes
Patrick
February 22, 2024, 5:59pm
4
Not sure how that can happen. No changes to this mechanism for a while.
tb-updater-first-boot.service
[2024-02-20 01:18:07] [ 13.636834] systemd[1]: Starting tb-updater-first-boot.service - Helper Service for /usr/bin/torbrowser to determine when it is save to Copy Tor Browser from /var/cache/tb-binary to user home by Whonix developers…
[2024-02-20 01:18:08] [ 13.888924] systemd[1]: Finished tb-updater-first-boot.service - Helper Service for /usr/bin/torbrowser to determine when it is save to Copy Tor Browser from /var/cache/tb-binary to user home by Whonix developers.
Good.
[2024-02-20 01:27:12] [ 19.861162] qubes.StartApp+janondisttorbrowser-dom0[1265]: cp: cannot access '/var/cache/tb-binary/.cache/tb/gpgtmpdir': Permission denied
tb-updater /usr/libexec/tb-updater/tb-permission-fix should take care of that. It runs when update-torbrowser is run. It's a short script. Runs only a few commands. Do you see any issues there?
Do you also have the log where update-torbrowser was run?
/usr/bin/update-torbrowser script:
    tb_fix_permissions() {
       ## Do this only in Qubes Template.
       ## Because /usr/libexec/tb-updater/tb-permission-fix has the hardcoded assumption, that
       ## user 'user' exists.
       if [ ! "$tb_user_home" = "/var/cache/tb-binary" ]; then
          true "INFO: Skipping $FUNCNAME because tb_user_home is not /var/cache/tb-binary, ok."
          return 0
       fi
       if [ "$tb_running_as_root" = "true" ]; then
          ## Already running as root. No need to use sudo.
          ## Fix build issue.
          ## /usr/bin/update-torbrowser: line 591: /usr/bin/sudo: Operation not permitted
          /usr/libexec/tb-updater/tb-permission-fix
          return 0
       fi
       ## Running as user, not as root.
       ## Requires root, therefore running this with sudo.
       ## This has a sudoers exception.
       sudo --non-interactive /usr/libexec/tb-updater/tb-permission-fix
    }
Not sure how this (probably race condition) can happen. Ideas how to fix it…
I guess the first "if" in above code could be removed.
/usr/libexec/tb-updater/tb-permission-fix should be run by /usr/bin/torbrowser too. Just takes 0.1 seconds for execution. That might have prevented that issue.
Not sure if /usr/libexec/tb-updater/tb-permission-fix should exit non-zero if user user does not exist.
What is the point of chown --recursive user:user /var/cache/tb-binary? So update-torbrowser can be run as non-root, as user user in Qubes Template. But I guess if that is omitted in some corner cases that would not be a big deal either because that should not break copying to the user home folder if the permissions are correct.
1 Like
Patrick
February 22, 2024, 7:59pm
5
committed 07:01PM - 22 Feb 24 UTC
https://forums.whonix.org/t/tor-browser-permission-issue/17222/3
This is now in the testers repository.
Please let me know if this fixed the issue.
1 Like
Update output is included in https://openqa.qubes-os.org/tests/92211/file/update2-qubesctl-upgrade.log
Could it be because it failed?
whonix-workstation-17:out: Setting up tb-updater (3:31.5-1) ...
whonix-workstation-17:out: INFO: ARCH 'x86_64' detected.
whonix-workstation-17:out: INFO: ARCH_DOWNLOAD 'linux-x86_64' detected.
whonix-workstation-17:out: INFO: CURL_PROXY: --proxy http://127.0.0.1:8082/
whonix-workstation-17:out: INFO: Automatically setting download folder to /var/cache/tb-binary, because running inside Qubes TemplateVM and from postinst. This is useful so you get up to date versions of Tor Browser in newly created AppVMs inherited from updated TemplateVMs.
whonix-workstation-17:out: More info: /wiki/Tor_Browser/Advanced_Users#Qubes-specific
whonix-workstation-17:out: INFO: Not running inside Qubes Disposable Template, ok.
whonix-workstation-17:out: INFO: Using stable version. For alpha version, see: https://www.whonix.org/wiki/Tor_Browser#Alpha
whonix-workstation-17:out: INFO: tbb_hardcoded_version: 13.0.9
whonix-workstation-17:out: INFO: Running connectivity check... Downloading...: https://www.torproject.org
whonix-workstation-17:out: INFO: CURL_OUT_FILE: /var/cache/tb-binary/.cache/tb/temp/tbb_remote_folder
whonix-workstation-17:out: INFO: Connectivity check succeeded.
whonix-workstation-17:out: INFO: Find out latest version... Downloading...: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
whonix-workstation-17:out: INFO: CURL_OUT_FILE: /var/cache/tb-binary/.cache/tb/RecommendedTBBVersions
whonix-workstation-17:out: INFO: Previously downloaded version: 13.0.8
whonix-workstation-17:out: INFO: Currently installed version: 13.0.8
whonix-workstation-17:out: INFO: Hardcoded version chosen: 13.0.9
whonix-workstation-17:out: INFO: Digital signature (GPG) download... Will take a moment...
whonix-workstation-17:out: INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz.asc
whonix-workstation-17:out: INFO: CURL_OUT_FILE: /var/cache/tb-binary/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz.asc
whonix-workstation-17:out: INFO: Downloading Tor Browser...
whonix-workstation-17:out: INFO: Downloading...: https://www.torproject.org/dist/torbrowser/13.0.9/tor-browser-linux-x86_64-13.0.9.tar.xz
whonix-workstation-17:out: INFO: CURL_OUT_FILE: /var/cache/tb-binary/.cache/tb/files/tor-browser-linux-x86_64-13.0.9.tar.xz
whonix-workstation-17:out: INFO: Digital signature (GPG) verification... This will take a moment...
whonix-workstation-17:out: INFO: Using digital signature signing key by The Tor Project.
whonix-workstation-17:out: ERROR: Digital signature (GPG) could NOT be verified.
whonix-workstation-17:out: Tor Browser update failed! Try again later.
whonix-workstation-17:out: gpg_bash_lib_output_alright_status: false
whonix-workstation-17:out: gpg_bash_lib_output_failure:
whonix-workstation-17:out: gpg_bash_lib_output_diagnostic_message:
whonix-workstation-17:out: gpg_bash_lib_internal_gpg_verify_status_fd_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_status_fd_file
whonix-workstation-17:out: gpg_bash_lib_internal_gpg_verify_output_file: /var/cache/tb-binary/.cache/tb/gpgtmpdir/gpg_bash_lib_internal_gpg_verify_output_file
whonix-workstation-17:out: gpg_bash_lib_output_gpg_import_output:
whonix-workstation-17:out: gpg: keybox '/var/cache/tb-binary/.cache/tb/gpgtmpdir/pubring.kbx' created
whonix-workstation-17:out: gpg: /var/cache/tb-binary/.cache/tb/gpgtmpdir/trustdb.gpg: trustdb created
whonix-workstation-17:out: gpg: key 4E2C6E8793298290: public key "Tor Browser Developers (signing key) " imported
whonix-workstation-17:out: gpg: Total number processed: 1
whonix-workstation-17:out: gpg: imported: 1
whonix-workstation-17:out: gpg_bash_lib_output_gpg_verify_output:
whonix-workstation-17:out: gpg: Signature made Tue 23 Jan 2024 01:14:38 PM UTC
whonix-workstation-17:out: gpg: using RSA key 613188FC5BE2176E3ED54901E53D989A9E2D47BF
whonix-workstation-17:out: gpg: Good signature from "Tor Browser Developers (signing key) " [ultimate]
whonix-workstation-17:out: gpg: Note: This key has expired!
whonix-workstation-17:out: Primary key fingerprint: EF6E 286D DA85 EA2A 4BA7 DE68 4E2C 6E87 9329 8290
whonix-workstation-17:out: Subkey fingerprint: 6131 88FC 5BE2 176E 3ED5 4901 E53D 989A 9E2D 47BF
whonix-workstation-17:out: gpg_bash_lib_output_gpg_verify_status_fd_output:
whonix-workstation-17:out: [GNUPG:] NEWSIG
whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812
whonix-workstation-17:out: [GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812
whonix-workstation-17:out: [GNUPG:] SIG_ID rxAqCaIbxFx+4a5gF4cYANIPg6Q 2024-01-23 1706015678
whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812
whonix-workstation-17:out: [GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
whonix-workstation-17:out: [GNUPG:] EXPKEYSIG E53D989A9E2D47BF Tor Browser Developers (signing key)
whonix-workstation-17:out: [GNUPG:] VALIDSIG 613188FC5BE2176E3ED54901E53D989A9E2D47BF 2024-01-23 1706015678 0 4 0 1 10 00 EF6E286DDA85EA2A4BA7DE684E2C6E8793298290
whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812
whonix-workstation-17:out: [GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812
whonix-workstation-17:out: [GNUPG:] KEY_CONSIDERED EF6E286DDA85EA2A4BA7DE684E2C6E8793298290 0
whonix-workstation-17:out: INFO: Failing open. More info:
whonix-workstation-17:out: https://www.whonix.org/wiki/Tor_Browser/Advanced_Users#Tor_Browser_Update:_Technical_Details
Anyway, I'll watch next test run closely.
2 Likes
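The log in the post above shows "Good signature" and a VALIDSIG status line next to EXPKEYSIG, yet the update is reported as not verified. As an added example (not part of the thread, and not Whonix or gpg-bash-lib code), this sketch classifies one signature check from GnuPG `--status-fd` lines and treats anything other than a plain GOODSIG plus VALIDSIG as a failure; the sample input is constructed with placeholder key IDs, and the function names are made up for the example.

```shell
#!/bin/sh
# Added example. Classify one signature check from GnuPG --status-fd lines on stdin.
# Prints a verdict; the exit status is 0 only for "good".
classify_gpg_status() (
    newsig=0 validsig=0 verdict=""
    while IFS= read -r line; do
        case "$line" in
            *"[GNUPG:] "*) ;;      # status line, possibly behind a log prefix
            *) continue ;;         # human-readable gpg output is never trusted
        esac
        rest="${line#*"[GNUPG:] "}"
        keyword="${rest%% *}"
        case "$keyword" in
            NEWSIG)        newsig=$((newsig + 1)) ;;
            VALIDSIG)      validsig=1 ;;
            GOODSIG)       verdict="${verdict:-good}" ;;
            EXPSIG)        verdict="${verdict:-expired-signature}" ;;
            EXPKEYSIG)     verdict="${verdict:-expired-key}" ;;
            REVKEYSIG)     verdict="${verdict:-revoked-key}" ;;
            BADSIG|ERRSIG) verdict="bad" ;;
        esac
    done
    if [ "$newsig" -eq 0 ]; then verdict="no-signature"
    elif [ "$newsig" -gt 1 ]; then verdict="ambiguous"   # expect exactly one signature
    elif [ -z "$verdict" ]; then verdict="bad"
    elif [ "$verdict" = "good" ] && [ "$validsig" -ne 1 ]; then verdict="bad"
    fi
    printf '%s\n' "$verdict"
    [ "$verdict" = "good" ]
)

# Constructed sample modelled on the status lines in the log above
# (log prefix kept, key IDs replaced by placeholders).
sample_expired_key() {
    printf '%s\n' \
        'whonix-workstation-17:out: gpg: Good signature from "Example Signer"' \
        'whonix-workstation-17:out: [GNUPG:] NEWSIG' \
        'whonix-workstation-17:out: [GNUPG:] KEYEXPIRED 1708337812' \
        'whonix-workstation-17:out: [GNUPG:] EXPKEYSIG AAAAAAAAAAAAAAAA Example Signer' \
        'whonix-workstation-17:out: [GNUPG:] VALIDSIG PLACEHOLDERFPR 2024-01-23 1706015678'
}

# Constructed sample of a clean verification.
sample_good() {
    printf '%s\n' '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Example Signer' \
        '[GNUPG:] VALIDSIG PLACEHOLDERFPR 2024-01-23 1706015678'
}

sample_expired_key | classify_gpg_status || true
```
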
Patrick
February 24, 2024, 5:38pm
7
This is very most likely the reason for the race condition. Because if gpg verification fails, function tb_fix_permissions isn't reached.
In any case, torbrowser (tb-starter by Whonix developers) now guards against such race condition(s).
1 Like
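The ordering problem diagnosed in the last post, as an added example that is not part of the thread and not tb-updater or tb-starter code: when the permission fix is the final step, a failed verification leaves the scratch directory unreadable, while an EXIT trap runs the fix on every exit path. All function names are hypothetical, a temporary directory stands in for /var/cache/tb-binary, and a mode-0700 directory stands in for the inaccessible gpgtmpdir.

```shell
#!/bin/sh
# Added example. Function names and the temporary cache directory are hypothetical.

fix_permissions() {
    # Stand-in for the permission fix: make the whole tree readable for the copy step.
    chmod -R u+rwX,go+rX "$1"
}

# Fragile ordering: the fix is the last step, so a failed verification skips it.
update_fragile() (
    cache="$1"; verify="$2"
    mkdir -p "$cache/gpgtmpdir" && chmod 700 "$cache/gpgtmpdir"
    "$verify" || exit 1            # failure path leaves here, fix never runs
    fix_permissions "$cache"
)

# Guarded ordering: the EXIT trap runs the fix whether verification passes or not.
update_guarded() (
    cache="$1"; verify="$2"
    trap 'fix_permissions "$cache"' EXIT
    mkdir -p "$cache/gpgtmpdir" && chmod 700 "$cache/gpgtmpdir"
    "$verify" || exit 1
    exit 0
)

# Run one variant against a fresh directory and report the resulting mode
# of gpgtmpdir. Usage: mode_after <update function> <verify command>
mode_after() {
    dir="$(mktemp -d)"
    "$1" "$dir" "$2" || true
    ls -ld "$dir/gpgtmpdir" | cut -c1-10
    rm -rf "$dir"
}

# "false" simulates a failed signature verification.
echo "fragile, verification fails: $(mode_after update_fragile false)"
echo "guarded, verification fails: $(mode_after update_guarded false)"
```
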