
[tor-commits] [community/master] the systemd bypass advice applies only if setcap



commit 935df8b1f5754870c720d6ac8b1e1ab3fce55e97
Author: Roger Dingledine <arma@xxxxxxxxxxxxxx>
Date:   Sun Sep 6 23:50:16 2020 -0400

    the systemd bypass advice applies only if setcap
    
    In its current location, the paragraph implies that you need
    to turn off NoNewPrivileges in order to run obfsproxy on any port,
    and I think you only need to run it if you're using a low port.
---
 .../relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
index 2633204..c820d2c 100644
--- a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
+++ b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
@@ -55,12 +55,12 @@ Don't forget to change the `ORPort`, `ServerTransportListenAddr`, `ContactInfo`,
 
   `sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy`
 
+  To work around systemd hardening, you will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor@default.service` and `/lib/systemd/system/tor@.service` and then run `systemctl daemon-reload`. For more details, see [ticket 18356](https://gitlab.torproject.org/tpo/core/tor/-/issues/18356).
+
 * Note that both Tor's OR port and its obfs4 port must be reachable.
   If your bridge is behind a firewall or NAT, make sure to open both ports.
   You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet.
 
-You will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor@default.service` and `/lib/systemd/system/tor@.service` and then run `systemctl daemon-reload`. (see [bug #18356](https://trac.torproject.org/projects/tor/ticket/18356))
-
 ### 4. Restart tor
 
 `systemctl restart tor`
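Review bot: the moved paragraph (the `+` line under the `setcap` bullet) still does not state the condition the commit message gives, so a reader skimming the bullet may apply it unconditionally; suggest opening it with something like "If you used `setcap` above to bind a low port, you will also need to set `NoNewPrivileges=no` ...", since `NoNewPrivileges=yes` is exactly what stops the file capability from taking effect. Two smaller points on the same line: editing the unit files under `/lib/systemd/system/` directly means the change is lost on the next package upgrade, so the text could instead recommend a drop-in via `systemctl edit tor@default.service` (and `tor@.service`), which survives upgrades and still needs the `daemon-reload`; and it would help to say plainly that this relaxes the hardening for the whole tor unit, so operators who can use a high port for obfs4 should prefer that and skip the workaround.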

_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits