[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #13805 [Tor]: Improve hardening in tor.service



#13805: Improve hardening in tor.service
--------------------------+--------------------------------
     Reporter:  candrews  |      Owner:
         Type:  defect    |     Status:  new
     Priority:  normal    |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor       |    Version:
   Resolution:            |   Keywords:  systemd
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------

Comment (by candrews):

 For the sake of clarity, here is the complete tor.service suggested by and
 currently used by Gentoo:

 {{{
 [Unit]
 Description=The Onion Router

 [Service]
 ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
 ExecStart=/usr/bin/tor --RunAsDaemon 0 -f /etc/tor/torrc
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 TimeoutStopSec=32
 LimitNOFILE=30000

 # Hardening options:
 CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
 PrivateTmp = yes
 PrivateDevices = yes
 ProtectHome = yes
 ProtectSystem = full
 NoNewPrivileges = yes

 [Install]
 WantedBy=multi-user.target
 }}}

 The timeout of 32 seconds was chosen to ensure that the daemon receives a
 SIGNINT and after that has 30 seconds to gracefully close connections.
 After that a SIGTERM is sent with another 32 seconds. Finally a SIGKILL.
 This is more than the usual systemd default - but ensures that extremely
 short user overrides in /etc/systemd/system.conf are overruled.
 Gentoo used LimitNOFILE=30000 because that's what the sysvinit script they
 have uses - but they don't care if it's 32768 or 30000 so whatever Tor
 wants is good.

 Hopefully we can get these changes upstream and Tor and all its distros
 win - thanks again!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13805#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs