tor not starting with NoNewPrivileges = yes (systemd)

Hi,

I'm currently preparing/testing a systemd unit file (#14995) for debian (wheezy-backports/systemd 204) based on the one shipped by tor [1].

It does not work yet, and although the 'fix' would be easy - simply remove:

NoNewPrivileges = yes

I'd like to hear from you before removing such a security feature. Does tor require new privileges to work?

It actually fails in two instances:

1) before actually starting the tor daemon (--verify-config):

Process: 2844 ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config (code=exited, status=227/NO_NEW_PRIVILEGES)

2) and when actually starting the daemon

thanks,
Nusenu

I'm testing with 0.2.5.10-1~d70.wheezy

minimal test torrc used:

User debian-tor
DataDirectory /var/lib/tor
Log debug file /var/log/tor/log

[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n25

Could you please put

Log debug /tmp/tor-startup.log

in your torrc, try to start the daemon with NoNewPrivileges=yes, and then post the contents of /tmp/tor-startup.log ? We need to know exactly how it's failing. (We might actually need you to run it under `strace`, even.)

zw

Hello Zack,

thanks for your answer.

Zack Weinberg:
> Could you please put
>
> Log debug /tmp/tor-startup.log

I had:

Log debug file /var/log/tor/log

but it is not being written to.
(I disabled ExecStartPre for now).

> in your torrc, try to start the daemon with NoNewPrivileges=yes, and then post the contents of /tmp/tor-startup.log ? We need to know exactly how it's failing. (We might actually need you to run it under `strace`, even.)

It is a bit of a tricky environment to run strace in; how would you go about it?

If anyone wants to try, here is the unit file:
(use it with the torrc file from the initial email)

------------------------------------
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type = simple
#ExecStartPre = /usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart = /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
WatchdogSec = 1m
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
NoNewPrivileges = yes
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

# not supported in wheezy-backports (systemd 204)
#PrivateDevices = yes
#ProtectHome = yes
#ProtectSystem = full

[Install]
WantedBy = multi-user.target
------------------------------------
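Both the status=227/NO_NEW_PRIVILEGES failure reported in the first message and the NoNewPrivileges = yes line in the unit file above come down to one syscall. The C program below is an added example written for this thread, not code from the thread itself or from tor or systemd: it performs the same prctl(PR_SET_NO_NEW_PRIVS) call that systemd makes in the child before exec'ing the service binary, reads the flag back, and classifies a systemd exit status the way `systemctl status` reports it. The 200 to 242 range and the four named codes are systemd's documented values (systemd.exec(7) and systemd's exit-status.h); the function names and the sample main are the example's own.

```c
// Added example, not from the thread: what NoNewPrivileges=yes does at the
// syscall level, and how to read a systemd "status=NNN/NAME" exit code.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

/* Older libc headers may lack these constants; the kernel values are stable. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* What systemd does in the child for NoNewPrivileges=yes, before execve().
 * Returns 0 on success, -errno on failure. The flag is inherited by every
 * descendant and can never be cleared, so a later execve() of a setuid,
 * setgid or file-capability binary runs with the caller's privileges
 * instead of elevated ones. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    return 0;
}

/* Read the flag back: 1 = set, 0 = clear, -errno if the kernel does not
 * support it (kernels before 3.5 reject the option with EINVAL). */
int get_no_new_privs(void)
{
    int r = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* systemd reserves exit statuses 200-242 for failures in its own pre-exec
 * setup (systemd.exec(7), "Process Exit Codes"). A status in that range
 * means the service binary was never executed: the problem is in the
 * unit's sandboxing options or in the kernel, not in the service itself.
 * Returns 1 for that range, 0 for a status produced by the service. */
int systemd_exit_is_exec_failure(int status)
{
    return status >= 200 && status <= 242;
}

/* Names for the exec-failure statuses relevant to a hardened unit like the
 * one in this thread (values from systemd's exit-status.h). */
const char *systemd_exit_name(int status)
{
    switch (status) {
    case 217: return "USER";              /* User= could not be applied   */
    case 218: return "CAPABILITIES";      /* CapabilityBoundingSet= failed */
    case 227: return "NO_NEW_PRIVILEGES"; /* PR_SET_NO_NEW_PRIVS failed    */
    case 228: return "SECCOMP";           /* SystemCallFilter= failed      */
    default:
        return systemd_exit_is_exec_failure(status)
               ? "other systemd exec failure"
               : "service exit status";
    }
}

int main(void)
{
    int before = get_no_new_privs();
    int rc = set_no_new_privs();
    int after = get_no_new_privs();

    if (rc < 0) {
        /* This is exactly the situation systemd reports as status=227. */
        printf("PR_SET_NO_NEW_PRIVS failed: %s -> systemd would exit 227/%s\n",
               strerror(-rc), systemd_exit_name(227));
        return 1;
    }
    printf("no_new_privs: before=%d after=%d\n", before, after);
    printf("status 227 -> %s (systemd exec failure: %d)\n",
           systemd_exit_name(227), systemd_exit_is_exec_failure(227));
    return 0;
}
```

The practical reading of the first message's output follows from the classifier: 227 sits in systemd's own range, so /usr/bin/tor never ran and a tor-side debug log (file or stderr) will stay empty no matter what Log line the torrc carries. The prctl itself failing is a kernel or systemd condition; one concrete way it fails is a kernel older than 3.5 (Debian wheezy shipped 3.2), which does not know the option and returns EINVAL. Running the program on the target host shows which case applies: a success with after=1 means the kernel supports the flag and the question of whether tor needs new privileges is real; a failure reproduces the 227 exit on the spot.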

On Tue, Mar 17, 2015 at 12:55 PM, Nusenu <nusenu@openmailbox.org> wrote:
> I had:
>
> Log debug file /var/log/tor/log
>
> but it is not being written to.

This is *probably* because one of the missing privileges is the ability to write to files in /var/log/tor. Try `Log debug stderr` instead -- you'll have to fish the logs out of systemd's journal, but I *think* it should keep a complete transcript.

> It is a bit of a tricky environment to run strace in; how would you go about it?

ExecStart = /usr/bin/strace -f /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0

seems like it ought to work (again, the trace will get written to the journal)

zw

Zack Weinberg:
> On Tue, Mar 17, 2015 at 12:55 PM, Nusenu <nusenu@openmailbox.org> wrote:
>> I had:
>>
>> Log debug file /var/log/tor/log
>>
>> but it is not being written to.
>
> This is *probably* because one of the missing privileges is the ability to write to files in /var/log/tor. Try `Log debug stderr` instead -- you'll have to fish the logs out of systemd's journal, but I *think* it should keep a complete transcript.
>
>> It is a bit of a tricky environment to run strace in; how would you go about it?
>
> ExecStart = /usr/bin/strace -f /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
>
> seems like it ought to work (again, the trace will get written to the journal)

After running systemd in debug mode and having a look at the systemd debug log, I had a wild guess that this is actually a systemd issue. Running the same thing on jessie/systemd 215 works.

Sorry for the noise, and thanks for your help nonetheless!