[tor-dev] what capabilities does tor need for reloading?

Nick Mathewson nickm at alum.mit.edu
Wed Mar 18 12:14:19 UTC 2015


On Wed, Mar 18, 2015 at 6:15 AM, Nusenu <nusenu at openmailbox.org> wrote:
> Hi,
>
> 'systemctl reload tor'
> fails due to hardening restrictions in tor's systemd service file [1]:
>
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>
> Removing that line "solves" the reload issue.
> Reloading with that line does not generate any tor debug loglines.
>
> What capability would one have to add to the list to make it work with
> CapabilityBoundingSet?

It probably depends on what's in your configuration.  My first guess
on how to find out would be to look to see if you can possibly use
strace or gdb or something to figure out what system call is failing.
You might need to temporarily add DisableDebuggerAttachment 0 to your
configuration file to allow you to attach a debugger.

cheers,
-- 
Nick
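Before adding anything to the unit, it helps to see what the running daemon actually holds, since CapabilityBoundingSet only caps what a process can have and grants nothing by itself. The following is an added example, not code from the thread or from tor: it decodes the Cap* masks from /proc/<pid>/status (the sample lines here are constructed to match the quoted unit file) and compares them with the CapabilityBoundingSet directive, using the capability numbering from <linux/capability.h>.

```python
import re

# Bit positions from <linux/capability.h>; list index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

def decode_caps(mask_hex):
    """Turn a hex mask such as '00000000000004c0' into a set of capability names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def parse_status(text):
    """Extract every Cap* line of /proc/<pid>/status into a {label: names} dict."""
    pattern = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.M)
    return {m.group(1): decode_caps(m.group(2)) for m in pattern.finditer(text)}

def parse_bounding_set(directive):
    """Parse 'CapabilityBoundingSet = A B ...'; a leading '~' means 'all except'."""
    value = directive.split("=", 1)[1].strip()
    invert = value.startswith("~")
    names = set(value.lstrip("~").split())
    return set(CAP_NAMES) - names if invert else names

def check(status_text, directive):
    """Return (caps held beyond the unit's set, listed caps the process lacks)."""
    caps = parse_status(status_text)
    allowed = parse_bounding_set(directive)
    held = caps["CapBnd"] | caps["CapPrm"] | caps["CapEff"]
    return held - allowed, allowed - caps["CapPrm"]

# Constructed sample of /proc/<pid>/status for a daemon started under the unit
# from the thread: bits 6, 7 and 10 set (0x4c0); only setuid/setgid effective.
SAMPLE_STATUS = """Name:\ttor
CapPrm:\t00000000000004c0
CapEff:\t00000000000000c0
CapBnd:\t00000000000004c0
"""
UNIT_LINE = "CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE"

if __name__ == "__main__":
    print(check(SAMPLE_STATUS, UNIT_LINE))  # -> (set(), set())
```

On a live system, replace SAMPLE_STATUS with the contents of /proc/<pid>/status for the running tor process; a non-empty first set means the hardening is not in effect, and a non-empty second set means the unit lists a capability the process never received.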