commit 0a329a7a05199d3d0ec21e072f91a2213b8fc7b8 Merge: 7983e00 6632a73 Author: Nick Mathewson nickm@torproject.org Date: Mon Jul 20 11:01:58 2015 -0400
Merge remote-tracking branch 'public/bug16162_026'
changes/bug16162 | 5 +++++ contrib/dist/tor.service.in | 44 +++++++++++++++++++++---------------------- 2 files changed, 27 insertions(+), 22 deletions(-)
diff --cc contrib/dist/tor.service.in index ae339ff,58a74b7..9c1a255 --- a/contrib/dist/tor.service.in +++ b/contrib/dist/tor.service.in @@@ -1,35 -1,29 +1,35 @@@ +# tor.service -- this systemd configuration file for Tor sets up a +# relatively conservative, hardened Tor service. You may need to +# edit it if you are making changes to your Tor configuration that it +# does not allow. Package maintainers: this should be a starting point +# for your tor.service; it is not the last point. + [Unit] - Description = Anonymizing overlay network for TCP - After = syslog.target network.target nss-lookup.target + Description=Anonymizing overlay network for TCP + After=syslog.target network.target nss-lookup.target
[Service] - Type = notify - NotifyAccess = all - ExecStartPre = @BINDIR@/tor -f @CONFDIR@/torrc --verify-config - ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc - ExecReload = /bin/kill -HUP ${MAINPID} - KillSignal = SIGINT - TimeoutSec = 30 - Restart = on-failure - WatchdogSec = 1m - LimitNOFILE = 32768 + Type=notify + NotifyAccess=all + ExecStartPre=@BINDIR@/tor -f @CONFDIR@/torrc --verify-config + ExecStart=@BINDIR@/tor -f @CONFDIR@/torrc + ExecReload=/bin/kill -HUP ${MAINPID} + KillSignal=SIGINT + TimeoutSec=30 + Restart=on-failure + WatchdogSec=1m + LimitNOFILE=32768
# Hardening - PrivateTmp = yes - PrivateDevices = yes - ProtectHome = yes - ProtectSystem = full - ReadOnlyDirectories = / - ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor - ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor - NoNewPrivileges = yes - CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE + PrivateTmp=yes + PrivateDevices=yes + ProtectHome=yes + ProtectSystem=full + ReadOnlyDirectories=/ + ReadWriteDirectories=-@LOCALSTATEDIR@/lib/tor + ReadWriteDirectories=-@LOCALSTATEDIR@/log/tor + NoNewPrivileges=yes + CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
[Install] - WantedBy = multi-user.target + WantedBy=multi-user.target