[tor-dev] what capabilities does tor need for reloading?

Nusenu nusenu at openmailbox.org
Wed Mar 18 10:15:28 UTC 2015


Hi,

'systemctl reload tor'
fails due to hardening restrictions in tor's systemd service file [1]:

CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

Removing that line "solves" the reload issue.
Reloading with that line does not generate any tor debug loglines.

What capability would one have to add to the list to make it work with
CapabilityBoundingSet?

thanks,
Nusenu

testing with: tor 0.2.6.4, jessie/systemd 215


[1]
https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26

