[tor-commits] [community/master] the systemd bypass advice applies only if setcap
phw at torproject.org
Thu Nov 19 01:42:47 UTC 2020
commit 935df8b1f5754870c720d6ac8b1e1ab3fce55e97
Author: Roger Dingledine <arma at torproject.org>
Date: Sun Sep 6 23:50:16 2020 -0400
the systemd bypass advice applies only if setcap
In its current location, the paragraph implies that you need
to turn off NoNewPrivileges in order to run obfsproxy on any port,
and I think you only need to run it if you're using a low port.
---
.../relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
index 2633204..c820d2c 100644
--- a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
+++ b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
@@ -55,12 +55,12 @@ Don't forget to change the `ORPort`, `ServerTransportListenAddr`, `ContactInfo`,
`sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy`
+ To work around systemd hardening, you will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor at default.service` and `/lib/systemd/system/tor at .service` and then run `systemctl daemon-reload`. For more details, see [ticket 18356](https://gitlab.torproject.org/tpo/core/tor/-/issues/18356).
+
* Note that both Tor's OR port and its obfs4 port must be reachable.
If your bridge is behind a firewall or NAT, make sure to open both ports.
You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet.
-You will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor at default.service` and `/lib/systemd/system/tor at .service` and then run `systemctl daemon-reload`. (see [bug #18356](https://trac.torproject.org/projects/tor/ticket/18356))
-
### 4. Restart tor
`systemctl restart tor`
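Review bot: the moved paragraph on the `+ To work around systemd hardening...` line still reads as an unconditional step ("you will also need to set `NoNewPrivileges=no`"), so the intent stated in the commit message, that this is only required when `setcap` is used to bind a privileged port, is not visible to the reader who lands on it. Since `NoNewPrivileges=no` relaxes hardening for the whole tor service, suggest making the condition explicit in the text, e.g. "If you used `setcap` above to bind a port below 1024, you will also need to set `NoNewPrivileges=no` ...". Otherwise the relocation next to the `sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy` line and the updated link to the GitLab issue 18356 look right.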