Running an obfs4 Tor bridge on port 80/443 – Ubuntu16 2018 edition

So, in the ancient times I wrote a blog post on how to run a Tor bridge on a privileged port (< 1024). Water flows, time flies, operating systems get updated and security increases. As a result, our good old howto is no longer valid.

I found out the usual hard way: I upgraded my Tor bridge server from Ubuntu14 to Ubuntu16 and obfs4proxy was no longer able to bind to ports 80 and 443:

Tor[748]: Server managed proxy encountered a method error. (obfs3 listen tcp [::]:443: bind: permission denied)

After some searching here and there I found the culprit to be the new, hardened systemd unit shipped with Tor, so the Tor service configuration needs to be overridden. Let’s build the configuration from scratch, so that anyone who needs to install a Tor bridge on a privileged port on Ubuntu 16.04 gets everything in one place (Ubuntu18 is untested, but it’s likely to be the same).

Let’s install Tor using their repositories, to be up to date with the latest stable release.

apt -y install apt-transport-https
cat <<EOT >> /etc/apt/sources.list.d/tor.list
deb https://deb.torproject.org/torproject.org xenial main
deb-src https://deb.torproject.org/torproject.org xenial main
deb https://deb.torproject.org/torproject.org obfs4proxy main
EOT
gpg --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt update
apt -y install tor deb.torproject.org-keyring obfs4proxy

Now we have the latest stable Tor and obfs4proxy installed on our Ubuntu16. Next we configure Tor as a bridge (update the ContactInfo and Nickname fields with your data):

mv /etc/tor/torrc{,_DEFAULT}

cat << EOF > /etc/tor/torrc
ExitPolicy reject *:*
#Bridge config
RunAsDaemon 1
ORPort 4235
BridgeRelay 1
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs3 [::]:443
ServerTransportListenAddr obfs4 [::]:80
ExtORPort auto
ContactInfo your <contact@info>
Nickname <node_nickname>
EOF

And the configuration is done. Update the ServerTransportListenAddr lines with your preferred transports and ports. Let’s now give obfs4proxy the capability to bind to privileged ports:

setcap 'cap_net_bind_service=+ep' /usr/bin/obfs4proxy

And here we are, at the point where the previous blog post ended, but on the new Ubuntu16 and with the above error. We now need to lower the hardening of the Tor systemd service by overriding Tor’s systemd unit files.

Run the following two commands; for each of them, when the editor opens, paste the snippet shown in the next box:

systemctl edit tor@
systemctl edit tor@default

In the editor paste the following:

[Service]
NoNewPrivileges=no

systemctl edit reloads the units automatically, so now we just have to restart Tor with:

systemctl restart tor

That’s it! You should see in your logs:

Sep  6 12:55:47 Tor[860]: Tor 0.3.3.9 (git-ca1a436fa8e53a32) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.8, Liblzma 5.1.0alpha, and Libzstd N/A.
Sep  6 12:55:47 Tor[860]: Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Sep  6 12:55:47 Tor[860]: Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Sep  6 12:55:47 Tor[860]: Read configuration file "/etc/tor/torrc".
Sep  6 12:55:47 Tor[860]: Skipping obsolete configuration option 'ORListenAddress'
Sep  6 12:55:47 Tor[860]: Based on detected system memory, MaxMemInQueues is set to 768 MB. You can override this by setting MaxMemInQueues by hand.
Sep  6 12:55:47 Tor[860]: I think we have 32 CPUS, but only 4 of them are available. Telling Tor to only use 4. You can override this with the NumCPUs option
Sep  6 12:55:47 Tor[860]: Scheduler type KIST has been enabled.
Sep  6 12:55:47 Tor[860]: Opening Socks listener on 127.0.0.1:9050
Sep  6 12:55:47 Tor[860]: Opening OR listener on 0.0.0.0:9111
Sep  6 12:55:47 Tor[860]: Opening Extended OR listener on 127.0.0.1:0
Sep  6 12:55:47 Tor[860]: Extended OR listener listening on port 34138.
Sep  6 12:55:48 Tor[860]: Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Sep  6 12:55:48 Tor[860]: Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Sep  6 12:55:48 Tor[860]: Configured to measure statistics. Look for the *-stats files that will first be written to the data directory in 24 hours from now.
Sep  6 12:55:48 Tor[860]: Your Tor server's identity key fingerprint is 'nickname SOMERANDOMHASH'
Sep  6 12:55:48 Tor[860]: Your Tor bridge's hashed identity key fingerprint is 'nickname SOMERANDOMHASH'
Sep  6 12:55:48 Tor[860]: Bootstrapped 0%: Starting
Sep  6 12:55:58 Tor[860]: Starting with guard context "default"
Sep  6 12:55:58 Tor[860]: Bootstrapped 80%: Connecting to the Tor network
Sep  6 12:55:58 Tor[860]: Signaled readiness to systemd
Sep  6 12:55:58 systemd[1]: Started Anonymizing overlay network for TCP.
Sep  6 12:55:58 Tor[860]: Opening Socks listener on /var/run/tor/socks
Sep  6 12:55:58 Tor[860]: Opening Control listener on /var/run/tor/control
Sep  6 12:55:58 Tor[860]: Bootstrapped 85%: Finishing handshake with first hop
Sep  6 12:55:58 Tor[860]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
Sep  6 12:55:59 Tor[860]: Registered server transport 'obfs3' at '[::]:443'
Sep  6 12:55:59 Tor[860]: Registered server transport 'obfs4' at '[::]:80'
Sep  6 12:55:59 Tor[860]: Bootstrapped 90%: Establishing a Tor circuit
Sep  6 12:55:59 Tor[860]: Tor has successfully opened a circuit. Looks like client functionality is working.
Sep  6 12:55:59 Tor[860]: Bootstrapped 100%: Done

Some background

The problem has been raised on Tor’s ticket 18356. It’s a rather old issue, and no action seems to have been taken in the meantime. It seems unlikely that we will get a resolution anytime soon.

The NoNewPrivileges option ensures that the executed process, and anything it spawns, cannot gain privileges at execve: with the flag set, the kernel ignores setuid bits and file capabilities, so the cap_net_bind_service we attached to obfs4proxy with setcap is not granted when Tor launches it. By overriding the configuration and disabling this feature we allow obfs4proxy to pick up its file capability again and bind to a privileged port (< 1024). Note that the override relaxes this protection for the whole Tor service, not only for the pluggable transport.
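To check a host for the two preconditions described above (the file capability on obfs4proxy and NoNewPrivileges=no on the tor@default unit) and to spot the privileged transport ports in a torrc before restarting, here is a small POSIX shell script. It is an added example, not part of the original post: the function names, the constructed sample torrc and the "check" argument are my own, and the live checks assume the unit and binary names used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a Tor bridge
# whose pluggable transports listen on privileged ports (< 1024).

# Print the port of every ServerTransportListenAddr line in the given torrc
# whose port is below 1024, one per line. Accepts "[::]:443" and "0.0.0.0:80".
privileged_transport_ports() {
    awk '$1 == "ServerTransportListenAddr" {
            n = split($3, a, ":"); port = a[n] + 0
            if (port > 0 && port < 1024) print port
         }' "$1"
}

# Succeed (exit 0) when the torrc has at least one transport on a privileged
# port, i.e. when the setcap + NoNewPrivileges=no workaround is required.
needs_privileged_bind() {
    [ -n "$(privileged_transport_ports "$1")" ]
}

# Classify one syslog line from Tor: "bind-denied" for the error in the post,
# "registered" when a transport listener came up, "other" for anything else.
classify_log_line() {
    case "$1" in
        *"encountered a method error"*"bind: permission denied"*) echo bind-denied ;;
        *"Registered server transport"*) echo registered ;;
        *) echo other ;;
    esac
}

# Live checks on the real host (needs root and systemd); run with "check".
# systemctl show prints "NoNewPrivileges=no" once the override is in place.
live_check() {
    getcap /usr/bin/obfs4proxy 2>/dev/null | grep -q cap_net_bind_service \
        || echo "obfs4proxy lacks cap_net_bind_service: run the setcap step"
    [ "$(systemctl show -p NoNewPrivileges tor@default)" = "NoNewPrivileges=no" ] \
        || echo "tor@default still has NoNewPrivileges=yes: add the override"
}

# Constructed sample torrc mirroring the post's transport lines (temp file).
SAMPLE_TORRC=$(mktemp)
cat > "$SAMPLE_TORRC" <<'EOF'
ORPort 4235
BridgeRelay 1
ServerTransportPlugin obfs3,obfs4 exec /usr/bin/obfs4proxy
ServerTransportListenAddr obfs3 [::]:443
ServerTransportListenAddr obfs4 [::]:80
ExtORPort auto
EOF
if [ "${1:-}" = "check" ]; then live_check; fi
```

Run it as `sh check_bridge.sh check` on the bridge host after the setcap and override steps; with no argument it only defines the helpers and the sample torrc.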

Header photo by Annie Spratt on Unsplash

