what capabilities does tor need for reloading?

Hi,

'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]:

    CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

Removing that line "solves" the reload issue.
Reloading with that line does not generate any tor debug loglines.

What capability would one have to add to the list to make it work with CapabilityBoundingSet?

thanks,
Nusenu

testing with: tor 0.2.6.4, jessie/systemd 215

[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26

On Wed, Mar 18, 2015 at 6:15 AM, Nusenu <nusenu@openmailbox.org> wrote:
It probably depends on what's in your configuration. My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing.

You might need to temporarily add DisableDebuggerAttachment 0 to your configuration file to allow you to attach a debugger.

cheers,
--
Nick

Hi Nick,

thanks for your answer.

torrc file while testing:

    User debian-tor
    DataDirectory /var/lib/tor
    Log debug file /var/log/tor/log
    RunAsDaemon 1
    DisableDebuggerAttachment 0

strace output when I trigger the reload via systemctl:

    2362 epoll_wait(3, 7f105298a7f0, 32, 99) = -1 EINTR (Interrupted system call)
    2362 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=1, si_uid=0} ---
    2362 sendto(4, 0x7fffe6bcbf57, 1, 0, NULL, 0) = 1
    2362 rt_sigreturn() = -1 EINTR (Interrupted system call)
    2362 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=1, si_uid=0} ---
    2362 epoll_wait(3, {?} 0x7f105298a7f0, 32, 54) = 1
    2362 recvfrom(5, 0x7f10514bb500, 1024, 0, NULL, NULL) = 1
    2362 recvfrom(5, 0x7f10514bb500, 1024, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
    2362 write(7, 0x7fffe6bc9a40, 57) = 57
    2362 open(0x7f10529933e0, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 10
    2362 write(10, 0x7f105379ac10, 3662) = 3662
    2362 close(10) = 0
    2362 write(7, 0x7fffe6bc98c0, 96) = 96
    2362 rename(0x7f10529933e0, 0x7f1052993200) = 0
    2362 write(7, 0x7fffe6bc99c0, 80) = 80
    2362 munmap(0x7f1051a06000, 1052672) = 0
    2362 write(7, 0x7fffe6bc99c0, 82) = 82
    2362 write(7, 0x7fffe6bc99f0, 84) = 84

> strace output when I trigger the reload via systemctl:
> [...]

sorry that output was actually not caused by the systemctl reload command, using strace I just found out that tor exits on its own and gets restarted by systemd's watchdog...

ok more fun to debug systemd hardening ;)

This configuration restricts not only the service (tor) but also the ExecReload commands (kill), so the somewhat obvious fix was to add "CAP_KILL".

> so the somewhat obvious fix was to add "CAP_KILL".

after reading: man capabilities:

    Bypass permission checks for sending signals (see kill(2)).
    This includes use of the ioctl(2) KDSIGACCEPT operation.

I'm not entirely sure since that sounds like tor will be able to kill arbitrary processes.

just for the record:

The proper 'fix' is:

    PermissionsStartOnly=yes

REF:
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030404.html
http://www.freedesktop.org/software/systemd/man/systemd.service.html#Permiss...
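
Added example, not part of the thread and not tor or systemd code: a small Python model of the kill(2) permission check that the reload runs into, applied to the bounding set quoted in the first message. It assumes the ExecReload helper runs as root with its capabilities capped by the unit's bounding set and that tor has already switched to debian-tor; the UID 105, the function names and the sample /proc status text are constructed for illustration.

```python
# Added example: why a root-run "kill" helper cannot signal tor without CAP_KILL.
# Capability bit numbers are the ones from <linux/capability.h>.
CAP_BITS = {"CAP_KILL": 5, "CAP_SETGID": 6, "CAP_SETUID": 7,
            "CAP_NET_BIND_SERVICE": 10}

# Constructed stand-in for "no CapabilityBoundingSet= applied" (all bits set).
UNRESTRICTED = (1 << 64) - 1

# Constructed sample of /proc/<pid>/status for the reload helper.
SAMPLE_STATUS = "Name:\tkill\nUid:\t0\t0\t0\t0\nCapBnd:\t00000000000004c0\n"


def bounding_mask(names):
    """Bitmask for a CapabilityBoundingSet= value such as 'CAP_SETUID CAP_SETGID'."""
    mask = 0
    for name in names.split():
        mask |= 1 << CAP_BITS[name]
    return mask


def cap_bnd_from_status(status_text):
    """Extract the CapBnd mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line found")


def may_signal(sender_ruid, sender_euid, sender_caps, target_ruid, target_suid):
    """kill(2) rule: CAP_KILL, or sender real/effective UID matches target real/saved UID."""
    if sender_caps & (1 << CAP_BITS["CAP_KILL"]):
        return True
    return bool({sender_ruid, sender_euid} & {target_ruid, target_suid})


def reload_allowed(bounding, helper_uid=0, tor_uid=105):
    """Can the ExecReload helper signal tor? tor_uid=105 is a placeholder for debian-tor."""
    # Simplification: a root helper holds exactly the capabilities the bounding
    # set lets through; a non-root helper holds none.
    caps = bounding if helper_uid == 0 else 0
    return may_signal(helper_uid, helper_uid, caps, tor_uid, tor_uid)


if __name__ == "__main__":
    unit = cap_bnd_from_status(SAMPLE_STATUS)
    print("as shipped:", reload_allowed(unit))
    print("plus CAP_KILL:", reload_allowed(unit | bounding_mask("CAP_KILL")))
    print("helper unrestricted:", reload_allowed(UNRESTRICTED))
```

On a live system the same mask can be read from the CapBnd line of /proc/<pid>/status for the process in question and passed to cap_bnd_from_status().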
participants (3): Nick Mathewson, Nusenu, nusenu