[tor-dev] Are DAC_OVERRIDE & CHOWN capabilities required for ControlSocket?

Nusenu nusenu at openmailbox.org
Sun Apr 12 12:46:26 UTC 2015


Hi,

tor will fail to start up with the current systemd service file [1]
if your torrc makes use of the ControlSocket feature.

To work around the issue one has to additionally allow the following
capabilities:
CAP_DAC_OVERRIDE
CAP_CHOWN
since the socket file is created as root and then changed to the tor
user (chown).

Is it possible to change this to not require
CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?

thanks,
Nusenu

[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26
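
A pre-flight check for the startup failure described in the message above, as an added example that is not part of the original post or of Tor's code: it reports which of the two capabilities named in the post are absent from a unit file when torrc enables ControlSocket. It assumes the unit restricts capabilities with systemd's CapabilityBoundingSet= directive; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Tor).

# Print 1 if torrc has an active ControlSocket line (not commented, not "0").
uses_control_socket() {
    awk 'tolower($1) == "controlsocket" && $2 != "" && $2 != "0" { found = 1 }
         END { print found + 0 }' "$1"
}

# Print the effective bounding set of a unit file, one capability per line.
# Repeated CapabilityBoundingSet= lines are merged; an empty value resets.
# The inverted "~" form is out of scope here.
bounding_set() {
    awk -F= '
        /^[ \t]*CapabilityBoundingSet[ \t]*=/ {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val == "") { set = ""; next }
            set = set " " val
        }
        END { n = split(set, a, " "); for (i = 1; i <= n; i++) print a[i] }' "$1"
}

# usage: missing_caps TORRC UNIT
# Prints the capabilities from the post that the unit does not allow.
missing_caps() {
    # Without ControlSocket the two capabilities are not needed for this case.
    [ "$(uses_control_socket "$1")" = 1 ] || return 0
    # No CapabilityBoundingSet= at all means no restriction, nothing missing.
    grep -Eq '^[[:space:]]*CapabilityBoundingSet[[:space:]]*=' "$2" || return 0
    set_now=$(bounding_set "$2")
    out=""
    for cap in CAP_DAC_OVERRIDE CAP_CHOWN; do
        printf '%s\n' "$set_now" | grep -qx "$cap" || out="$out $cap"
    done
    echo "${out# }"
}

# Constructed sample files (not Tor's shipped unit), then the check.
tmp=$(mktemp -d)
printf 'ControlSocket /run/tor/control\n' > "$tmp/torrc"
printf '[Service]\nCapabilityBoundingSet=CAP_SETUID CAP_SETGID\n' > "$tmp/unit"
echo "missing: $(missing_caps "$tmp/torrc" "$tmp/unit")"
rm -rf "$tmp"
```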
