Running Services *Securely* -- chroot and virtualization
I'd like to run a Tor relay, but am trying to understand the security implications.
For some time I've run my torrent client in a VirtualBox virtual machine, which is run as a very non-prived user, bridges directly to The Internets, and writes to one directory on the host. My belief is this is about as secure as it can be, but am open to suggestion.
If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security.
I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.
I don't really have a direct answer to your question about isolation and virtualization for Tor. I think a lot of what it comes down to is whether or not you trust the Tor application. In theory, the users who are transmitting data are not accessing your machine per se. Rather a small amount of encrypted packet traffic is being shuffled through your system by a daemon process that listens for connections on a specified port and forwards them to the next hop. In practice, it would be detrimental to the Tor project to distribute binaries that would allow remote control or access of your system as the project would likely implode upon itself almost immediately upon discovery. If I recall correctly from what I read of the documentation, the project was deliberately designed to prevent this scenario, but it comes down to trusting the three individuals who administer the system and the signing keys for the control nodes. If you received your download from a known, signed source, the likelihood of receiving a compromised application is very small.
Personally, I run a Tor relay node, but not an exit node. After careful consideration, I am not comfortable running an exit node. I run a couple of public facing servers on a static, business grade Internet connection from one of the larger ISPs in the USA. This makes my traffic more locatable than most, but it is part of the cost of doing business. This is also why I value projects like Tor which allows me to turn off the spotlight on my personal activity when I want to. It is for this reason that I chose to contribute to Tor, yet I am uncomfortable running an exit relay because of the risk to the business reputation.
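As an added illustration (not from the thread, and not the Tor project's own sample configuration), here is the shape of a torrc for the setup Noway2 describes: a relay that accepts ORPort connections and refuses to be an exit, with no client SocksPort so the relay box carries none of your own client traffic (the separation Quantumstate asked for). The nickname, contact string, paths and bandwidth figures are placeholders; the option names are standard torrc options.

```text
# /etc/tor/torrc for a non-exit (middle) relay only.
# Paths, nickname, contact and bandwidth values below are placeholders.

# Tor is started as root only to bind the port, then drops to this account.
User tor
DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log

# Relay side: other relays and clients connect here (forward this port inbound).
ORPort 9001
Nickname ExampleRelay
ContactInfo <your contact address>

# Never act as an exit: no traffic leaves the Tor network from this host.
ExitPolicy reject *:*

# No client side on the relay machine, so relay operation and your own
# client use of Tor stay on separate hosts and separate identities.
SocksPort 0

# Optional ceiling so the relay cannot saturate a home uplink.
RelayBandwidthRate 1 MBytes
RelayBandwidthBurst 2 MBytes
```

The two lines that matter for the thread's question are `ExitPolicy reject *:*` (the relay forwards only inside the network) and `SocksPort 0` (nothing on this host ever uses the relay as a client); everything else is ordinary relay housekeeping.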
Noway2 raises some good points, but I still think you should seek feedback on the insecurity of your proposed setup by reposting your question in Debian User Forums.
I believe what he is trying to say is the topic gets into territory that is prohibited by the 13th LQ bulletized rule:
Quote:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed
The site forums.debian.net has no such rule. From reading their forum rules, it is even unclear whether it was intended for this type of content to be banned.
Peufelon, if you have any question regarding whether or not the content you would like to post is objectionable under rule 13, you could run it by a moderator and ask for suggestions on how to sufficiently sanitize it.
Quote:
I believe what he is trying to say is the topic gets into territory that is prohibited by the 13th LQ bulletized rule:
Really. So the suggestion is either that
a. Tor has to do with "cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org", or
b. that I am trying to crack Tor by protecting my machine.
People think very one-sided on here when it comes to this. Probably the aspect I hate most about LQ. Well then again I only hang out in security anyway. But yeah, I've defended a few people in the past because, just because they have TOR in their post, they get automatically shunned. Ridiculous.
On the other side, if they do automatically shun things like this they are mitigating their risk of posts that go against the rules fairly well. Guess the question comes down to where should the line be drawn.
If you used something like 'VPN relay' instead of TOR I bet you would have gotten a lot more/better responses.
When you take any security classes such as the ones offered from SANS they talk about defense in depth which equates to layers. I think the same principle would apply here. I haven't heard of anyone seeing any unwanted activity from running a TOR relay that wasn't an end node. That doesn't mean it can't happen but just that it hasn't surfaced yet.
I would think something like:
old laptop (in dmz or on its own vpn) -> selinux -> chroot -> tor relay
or
virtual machine (on a separate nic) -> selinux -> chroot -> tor relay
or even
virtual machine -> selinux -> chroot -> tor relay
I just like the extra security in there for selinux. Not that it itself hasn't had flaws in the past but it adds another layer.
Thanks nom, but all of those must be in my LAN's class C in order to reach the router looking out. I'm pretty happy running a VM bridged to the class C, except it's in the same class C as the rest of my LAN, necessarily so since I have only one router on The Internets.
I am surprised and disappointed at how frightened everyone here is of the rules without understanding what this is all about.
I don't know if you are on a laptop or desktop, but if you are on a desktop or a laptop with multiple NICs you can always dedicate one to your virtual machine, then set it up in a VPN on your router so it is segregated from the rest of your LAN.
Two hardwire servers and a wifi laptop, on a Netgear WNDR3700. VPN does not seem to be available on consumer-grade routers, only on ProSafe. Although I'm duly impressed with ProSafe, probably my next router & client cards will be from UBNT given their awesome NanoBridgeM2.
Anyway the router has the WAN connection to the NanoBridge to the far router to the cablemodem, thus is the only way out. LAN is 192.168.11.0 and WAN is 192.168.1.0 (NanoBridge, far router, cablemodem). If I put a switch between the router and cablemodem and joined the separate Tor interface there, my router would still be in the party. Far router doesn't have VPN either, although the NanoBridge does have VPN passthrough.
If I set a second IP on my server's interface for Tor, say 192.168.1.5 the LAN wouldn't know what to do with it, so should forward it out the default route to the NanoBridge. Problem is I need to port-forward in the far router so the Tor daemon can serve. Have the NanoBridge in bridging mode so shouldn't have to port-forward there.
Struggling...
Last edited by Quantumstate; 06-01-2011 at 07:26 PM.
Quote:
(..) I still think you should seek feedback on the insecurity of your proposed setup by reposting your question in Debian User Forums.
Unless enough time has passed and LQ hasn't shown any support slash expertise please don't redirect to other forums and certainly not repeatedly. If you do then advertising a remote forum once is OK, twice is pushing it but thrice really is overkill.
Quote:
Originally Posted by nomb
People think very one-sided on here when it comes to this. Probably the aspect I hate most about LQ. Well then again I only hang out in security anyway. But yeah, I've defended a few people in the past because, just because they have TOR in their post, they get automatically shunned. Ridiculous. On the other side, if they do automatically shun things like this they are mitigating their risk of posts that go against the rules fairly well. Guess the question comes down to where should the line be drawn.
I remind you (all) that any member may question the validity of a post and report potential transgressions but only moderators will tell you (all) if a LQ Rule violation has taken place. Since the OP doesn't contain questions about circumventing (network) access restrictions, penetration testing, cracking or warez peddling so far there is no LQ Rule violation, period. So y'all please focus on what's asked, TIA.
Quote:
Originally Posted by Quantumstate
(..) trying to understand the security implications. (..) If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security. I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.
IMO Noway2 and nomb already addressed host and service security but I should point you to the official documentation and particularly How to Run a Secure Tor Server (documentation index) as, apart from chrooting, there don't seem to be any specific security-related questions in your OP. As for chrooting and TOR (and of course having read the often-cited paper) TOR doesn't run as root by default apart from executing the binary at startup and drops root rights, running under the unprivileged "tor" user account. Looking at the 2010 / 2011 CVE entries for TOR (also see the TOR bug tracker) you see the majority of issues have been with potential denial of service situations and only one entry is about possible arbitrary code execution so I second the suggestion of using an Operating System or distribution with additional security features like SELinux as it curbs excessive access rights and has proved it can contain breaches of security. However from your latest reply:
Quote:
Originally Posted by Quantumstate
(..) my router would still be in the party. Far router doesn't have VPN either (..) LAN wouldn't know what to do (..) I need to port-forward in the far router so the Tor daemon can serve.
it seems you're not as much interested in host and service-related security issues as in network-related ones making this seem more like a network issue.
If that is indeed the case then I'd suggest you create a new thread for that in the Networking forum.
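Both nomb's layer stack (selinux -> chroot -> tor relay) and unSpawn's point that Tor drops root to the "tor" account are claims about a running process that can be checked rather than assumed. The script below is an added example, not code from the thread or from the Tor project: it reads /proc/<pid>/status, /proc/<pid>/root and /proc/<pid>/attr/current for a PID and reports on each layer. The check functions take their input as text so they can be exercised on constructed data; check_pid() feeds them the live files. The domain names treated as "unconfined" and the sample jail path are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a daemon such as the Tor
# relay really sits in the layers discussed above: a non-root UID, no retained
# capabilities, a changed root directory, and a confined SELinux domain.
# Usage: check_pid "$(pidof tor)"

# 0 (true) if the effective UID in a /proc/<pid>/status text is not root.
# Uid: line is "Uid: real effective saved fs"; field 3 is the effective UID.
status_euid_unprivileged() {
    euid=$(printf '%s\n' "$1" | awk '$1 == "Uid:" { print $3 }')
    [ -n "$euid" ] && [ "$euid" -ne 0 ]
}

# 0 if the inheritable, permitted and effective capability sets are all empty.
# A daemon that changed to a normal UID but kept CAP_SYS_CHROOT or
# CAP_SYS_ADMIN can still walk out of a chroot, so the UID check alone is
# not enough. CapBnd is deliberately not checked: it is full for any
# ordinary process and says nothing about what the daemon can use.
status_caps_empty() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        $1 == "CapInh:" || $1 == "CapPrm:" || $1 == "CapEff:" {
            if ($2 !~ /^0+$/) bad = 1
        }
        END { exit bad }'
}

# 0 if the process root (the target of /proc/<pid>/root, read from outside
# the jail) is something other than the real filesystem root.
root_is_chrooted() {
    [ -n "$1" ] && [ "$1" != "/" ]
}

# 0 if the SELinux label (user:role:type:level) names a confined domain.
# An empty label means SELinux is off or the file could not be read; the
# listed domains are the usual "effectively unconfined" ones (assumed list).
label_confined() {
    domain=$(printf '%s' "$1" | awk -F: '{ print $3 }')
    case "$domain" in
        ""|unconfined_t|initrc_t|unconfined_service_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Run all four checks against a live PID and print one line per layer.
# Returns non-zero if any layer is missing.
check_pid() {
    pid=$1
    status=$(cat "/proc/$pid/status") || return 1
    root=$(readlink "/proc/$pid/root")
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null | tr -d '\0')
    rc=0
    status_euid_unprivileged "$status" && echo "uid:     ok" \
        || { echo "uid:     RUNNING AS ROOT"; rc=1; }
    status_caps_empty "$status" && echo "caps:    ok" \
        || { echo "caps:    capabilities retained"; rc=1; }
    root_is_chrooted "$root" && echo "chroot:  ok ($root)" \
        || { echo "chroot:  not chrooted"; rc=1; }
    label_confined "$label" && echo "selinux: ok ($label)" \
        || { echo "selinux: unconfined or no label"; rc=1; }
    return $rc
}
```

Two caveats a practitioner would want: the capability check is strict on purpose, so if Tor is configured with KeepBindCapabilities so that it can re-bind a low ORPort after dropping root, CapEff will legitimately show CAP_NET_BIND_SERVICE (bit 10) and that single bit should be allowed; and a process that passes all four checks is still only as isolated as the kernel beneath it, which is exactly the point Quantumstate makes about local privilege escalation a few posts down.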
Quote:
Originally Posted by unSpawn
IMO Noway2 and nomb already addressed host and service security but I should point you to the official documentation and particularly How to Run a Secure Tor Server (documentation index) as, apart from chrooting, there don't seem to be any specific security-related questions in your OP.
Eh? The overarching question is how to run a relay (in fact any daemon) securely. I suggested my ideas, which each have flaws, and now I have a more complete list:
- chroot jail can be broken by a skilled cracker.
- VirtualBox VM bridged to LAN still must share the LAN class C, and could potentially monitor internal traffic. (And please don't quibble with me calling it a class C... they have to make up a name and stick with it. I still call a Nissan a Datsun.)
- VPN to router, most routers do not have VPN functionality, only the business-class like ProSafe.
Quote:
Originally Posted by unSpawn
As for chrooting and TOR (and of course having read the often-cited paper) TOR doesn't run as root by default apart from executing the binary at startup and drops root rights running under in the unprivileged "tor" user account.
Thank you. But be advised that it's usually a matter of only a few weeks between local privilege escalation exploits for Linux being published on lists like Full-Disclosure, and those are just the ones that are not sold. Security boundaries on shared commodity hardware have almost always turned out to be ineffective. They're a myth, like Santa Claus, one that basically honest and good-natured people agree to believe in because of the huge cost savings it enables (over having to purchase separate hardware for every category of data).
But this latest round of virtualization technology is holding up better than I'd expected. Looking like a VM is a good start.
Quote:
Originally Posted by unSpawn
However from your latest reply:
it seems you're not as much interested in host and service-related security issues as in network-related ones making this seem more like a network issue.
If that is indeed the case then I'd suggest you create a new thread for that in the Networking forum.
Eh? The overarching question is how to run a relay (in fact any daemon) securely. It is a systems question, which happens to include networking.