[tor-bugs] #13805 [Tor]: Improve hardening in tor.service
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sun Jan 11 15:44:46 UTC 2015
#13805: Improve hardening in tor.service
--------------------------+--------------------------------
Reporter: candrews | Owner: candrews
Type: defect | Status: needs_review
Priority: normal | Milestone: Tor: 0.2.6.x-final
Component: Tor | Version:
Resolution: | Keywords: systemd
Actual Points: | Parent ID:
Points: |
--------------------------+--------------------------------
Comment (by tomek@…):
Hi,
I generally ACK these changes, although:
1) I would drop the line: `ReadWriteDirectories =
- at LOCALSTATEDIR@/run/tor`
This (/var)/run/tor directory doesn't seem to be used anywhere in Tor
source. It's only used by some init scripts to drop PIDFile there. As we
discussing configuration which will only be used by systemd, this
directory is not needed at all.
If there's really a need to have it, I suggest putting
`RuntimeDirectory=tor` in unit file, but I think it would be unnecesary.
2) Directives introduced in v217, like `ProtectHome=`, can be used on
earlier versions. Systemd will report "unknown directive" but it won't
stop the unit from working. I expect when Tor with above changes hit the
distributions, they will be already running recent systemd or backported
the ProtectHome= options.
I run Tor with the changes as in comment:8, with:
- removed the line as in 1)
- added `CapabilityBoundingSet = CAP_SETUID CAP_SETGID
CAP_NET_BIND_SERVICE`
And everything seem to work fine. Please apply.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13805#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list