[tor-dev] tor not starting with NoNewPrivileges = yes (systemd)

Nusenu nusenu at openmailbox.org
Tue Mar 17 15:54:09 UTC 2015


Hi,

I'm currently preparing/testing a systemd unit file (#14995) for
debian (wheezy-backports/systemd 204) based on the one shipped by tor [1].

It does not work yet, and although the 'fix' would be easy - simply
remove:
NoNewPrivileges = yes
I'd like to hear from you before removing such a security feature.

Does tor require new privileges to work?

It actually fails in two instances:

1) before actually starting the tor daemon (--verify-config):

Process: 2844 ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config (code=exited, status=227/NO_NEW_PRIVILEGES)

2) and when actually starting the daemon

thanks,
Nusenu

I'm testing with
0.2.5.10-1~d70.wheezy

minimal test torrc used:
User debian-tor
DataDirectory /var/lib/tor
Log debug file /var/log/tor/log


[1]
https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n25

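Added example, not part of the original message and not code from tor or systemd: status=227/NO_NEW_PRIVILEGES is the exit code systemd reports when its own prctl(PR_SET_NO_NEW_PRIVS) call fails in the child before the binary is executed, so one check on the affected host is whether the running kernel accepts that prctl at all. The names nnp_probe and nnp_current are hypothetical helpers chosen for this example.

```c
/* Added example: probe whether this kernel accepts PR_SET_NO_NEW_PRIVS. */
#include <errno.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS      /* headers older than Linux 3.5 lack these */
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

enum { NNP_UNSUPPORTED = 0, NNP_OK = 1, NNP_ERROR = 2 };

/* Current no_new_privs flag of the caller: 0 or 1, or -1 if the kernel
 * does not recognise the prctl option. */
int nnp_current(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag in a forked child so the caller's own state is untouched.
 * The flag is one-way, so probing in-process would be irreversible. */
int nnp_probe(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return NNP_ERROR;
    if (pid == 0) {
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(errno == EINVAL ? NNP_UNSUPPORTED : NNP_ERROR);
        /* Read it back: it must now be 1. */
        _exit(prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? NNP_OK : NNP_ERROR);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return NNP_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    static const char *msg[] = {
        "kernel rejects PR_SET_NO_NEW_PRIVS (EINVAL)",
        "kernel accepts PR_SET_NO_NEW_PRIVS",
        "probe failed for another reason",
    };
    printf("%s\n", msg[nnp_probe()]);
    return 0;
}
```

If the probe reports that the kernel accepts the prctl, the 227 exit has some other cause and the unit's journal output is the next place to look.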