[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-dev] what capabilities does tor need for reloading?
On Wed, Mar 18, 2015 at 6:15 AM, Nusenu <nusenu@xxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> 'systemctl reload tor'
> fails due to hardening restrictions in tor's systemd service file [1]:
>
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>
> Removing that line "solves" the reload issue.
> Reloading with that line does not generate any tor debug loglines.
>
> What capability would one have to add to the list to make it work with
> CapabilityBoundingSet?
It probably depends on what's in your configuration. My first guess
on how to find out would be to look to see if you can possibly use
strace or gdb or something to figure out what system call is failing.
You might need to temporarily add DisableDebuggerAttachment 0 to your
configuration file to allow you to attach a debugger.
cheers,
--
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev