
Re: [tor-bugs] #13805 [Tor]: Improve hardening in tor.service



#13805: Improve hardening in tor.service
--------------------------+--------------------------------
     Reporter:  candrews  |      Owner:  candrews
         Type:  defect    |     Status:  needs_review
     Priority:  normal    |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor       |    Version:
   Resolution:            |   Keywords:  systemd
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------

Comment (by tomek@…):

 Hi,

 I generally ACK these changes, although:

 1) I would drop the line: `ReadWriteDirectories = -@LOCALSTATEDIR@/run/tor`
    This (/var)/run/tor directory doesn't seem to be used anywhere in Tor
 source. It's only used by some init scripts to drop PIDFile there. As we
 are discussing configuration which will only be used by systemd, this
 directory is not needed at all.
    If there's really a need to have it, I suggest putting
 `RuntimeDirectory=tor` in unit file, but I think it would be unnecessary.

 2) Directives introduced in v217, like `ProtectHome=`, can be used on
 earlier versions. Systemd will report "unknown directive" but it won't
 stop the unit from working. I expect when Tor with above changes hits the
 distributions, they will be already running recent systemd or backported
 the ProtectHome= options.

 I run Tor with the changes as in comment:8, with:
 - removed the line as in 1)
 - added `CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE`

 And everything seems to work fine. Please apply.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13805#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
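
Added example (not part of the original message or of Tor's source): a Python check of a unit file's `[Service]` section for the two points raised in the comment, an allow-listed `CapabilityBoundingSet` and a `run/tor` entry in `ReadWriteDirectories` with no `RuntimeDirectory=`. `SAMPLE_UNIT` is constructed, and `ALLOWED_CAPS`, `service_directives` and `audit` are names chosen for this example.

```python
# Added example, not from the Tor source tree. SAMPLE_UNIT is constructed.
ALLOWED_CAPS = {"CAP_SETUID", "CAP_SETGID", "CAP_NET_BIND_SERVICE"}

SAMPLE_UNIT = """\
[Unit]
Description=Constructed sample unit

[Service]
ProtectHome=yes
ReadWriteDirectories=-@LOCALSTATEDIR@/lib/tor
ReadWriteDirectories=-@LOCALSTATEDIR@/run/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
"""

def service_directives(unit_text):
    """Return (key, value) pairs from [Service], keeping repeated keys."""
    section, pairs = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit(unit_text):
    """Return findings for the capability set and the run/tor directory."""
    pairs = service_directives(unit_text)
    findings = []
    caps = [v for k, v in pairs if k == "CapabilityBoundingSet"]
    if not caps:
        findings.append("CapabilityBoundingSet is not set")
    for value in caps:
        if value.startswith("~"):
            findings.append("CapabilityBoundingSet is a deny-list (~), not an allow-list")
            continue
        for cap in sorted(set(value.split()) - ALLOWED_CAPS):
            findings.append(f"unexpected capability: {cap}")
    has_runtime_dir = any(k == "RuntimeDirectory" for k, _ in pairs)
    for key, value in pairs:
        if key != "ReadWriteDirectories":
            continue
        for path in value.split():
            if path.lstrip("-").endswith("/run/tor") and not has_runtime_dir:
                findings.append(f"{path}: runtime dir listed without RuntimeDirectory=")
    return findings
```

Calling `audit(SAMPLE_UNIT)` returns one finding for `CAP_SYS_ADMIN` and one for the `run/tor` entry; a unit with only the three listed capabilities and no `run/tor` entry returns an empty list.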