Bug #11593

Network disabling does not always work

Added by bertagaz about 1 year ago. Updated 11 months ago.

Status:ResolvedStart date:07/22/2016
Priority:ElevatedDue date:
Assignee:-% Done:


Target version:Tails_2.6
QA Check:Pass Blueprint:
Feature Branch: Easy:
Type of work:Code Affected tool:


The test suite has reported once that it found eth0 to be up while the network disabling option was selected in the greeter. There is probably a problem in this feature. Debug log and infos can be found in the 2016 June fragile test referencing ticket (#11087).

  Scenario: The Tails Greeter "disable all networking" option disables networking within Tails      # features/checks.feature:99
calling as root: echo 'hello?'
call returned: [0, "hello?\n", ""]
[log] CLICK on (1024,384)
calling as root: /sbin/ifconfig eth0 | grep -q 'inet addr'
call returned: [1, "", "eth0: error fetching interface information: Device not found\n"]
calling as root: date -s '@1465635115'
call returned: [0, "Sat Jun 11 08:51:55 UTC 2016\n", ""]
    Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen # features/step_definitions/snapshots.rb:199
[log] CLICK on (433,404)
    And I enable more Tails Greeter options                                                         # features/step_definitions/common_steps.rb:308
[log] CLICK on (643,447)
    And I disable all networking in the Tails Greeter                                               # features/step_definitions/checks.rb:240
[log] CLICK on (512,671)
[log] CLICK on (812,712)
calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
call returned: [1, "", ""]
calling as root: test -e '/etc/sudoers.d/tails-greeter' -o -e '/etc/sudoers.d/tails-greeter-no-password-lecture'
call returned: [0, "", ""]
calling as amnesia: gsettings set org.gnome.desktop.session idle-delay 0
call returned: [0, "", ""]
calling as amnesia: gsettings set org.gnome.desktop.interface toolkit-accessibility true
call returned: [0, "", ""]
calling as amnesia: xdotool search --all --onlyvisible --maxdepth 1 --classname 'Florence'
call returned: [1, "", ""]
    And I log in to a new session                                                                   # features/step_definitions/common_steps.rb:292
calling as root: . /usr/local/lib/tails-shell-library/hardware.sh && get_all_ethernet_nics
call returned: [0, "eth0\n", ""]
    Then no network interfaces are enabled                                                          # features/step_definitions/mac_spoofing.rb:75
      <0> expected but was
      <1>. (Test::Unit::AssertionFailedError)
      ./features/step_definitions/mac_spoofing.rb:79:in `/^(\d+|no) network interface(?:s)? (?:is|are) enabled$/'
      features/checks.feature:104:in `Then no network interfaces are enabled'
      Scenario failed at time 00:58:11

      Screenshot: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.png

      Video: https://jenkins.tails.boum.org/job/test_Tails_ISO_devel/400/artifact/build-artifacts/00:58:11_The_Tails_Greeter__disable_all_networking__option_disables_networking_within_Tails.mkv

Related issues

Related to Tails - Feature #6811: Add Tails Greeter option for disabling networking Resolved 05/11/2014
Related to Tails - Bug #10774: MAC address spoofing tests are fragile Confirmed 12/18/2015


#1 Updated by intrigeri about 1 year ago

  • Related to Feature #6811: Add Tails Greeter option for disabling networking added

#2 Updated by intrigeri about 1 year ago

  • Assignee set to anonym
  • Priority changed from Normal to Elevated

Raising severity as this seems to be a potential security issue (violation of security expectations clearly communicated by the user).

Assigning to anonym, who added that feature. I'll probably propose a patch that hides this option if there's no progress on this ticket during the 2.6 release cycle: this will give anonym more time to research and fix this bug, without the pressure.

#3 Updated by intrigeri 12 months ago

  • Description updated (diff)

#4 Updated by intrigeri 12 months ago

There seem to be two possible explanations:

  • Could it be that the callback called in the Greeter when clicking "disable all networking" is not fast enough, and then we click "Login" before the Greeter has registered the user's decision? If that's the case, then 1. the bug is in the Greeter, not in the test suite; and 2. all other options such as using Tor bridges, and disabling MAC spoofing, are affected.
  • The code that implements the offline feature is buggy and sometimes enables network when it should not => double check that.

#5 Updated by anonym 12 months ago

I think we have a race in the greeter:

    def set_options_and_login(self):
        """Activate the selected options if they are valid""" 
        if self.validate_options():

I guess we've been relying on that login() will take enough time before it's done and the PostLogin script is called before some of the set_ functions are done. Notice that set_netconf is run last.

#6 Updated by intrigeri 12 months ago

  • Related to Bug #10774: MAC address spoofing tests are fragile added

#7 Updated by anonym 11 months ago

  • Status changed from Confirmed to Fix committed
  • Assignee deleted (anonym)
  • % Done changed from 0 to 100

A probable fix for this potential race is present in Tails Greeter 0.8.28, part of Tails 2.6~rc1. Let's consider it as an actual fix unless proven otherwise.

#8 Updated by anonym 11 months ago

  • Status changed from Fix committed to Resolved
  • QA Check set to Pass

Also available in: Atom PDF