[tor-bugs] #13805 [Tor]: Improve hardening in tor.service

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 21 16:22:00 UTC 2014


#13805: Improve hardening in tor.service
----------------------+---------------------
 Reporter:  candrews  |          Owner:
     Type:  defect    |         Status:  new
 Priority:  normal    |      Milestone:
Component:  Tor       |        Version:
 Keywords:  systemd   |  Actual Points:
Parent ID:            |         Points:
----------------------+---------------------
 I suggest that tor.service's hardening implementation be changed. These
 lines would be replaced:
 {{{
 [Service]
 DeviceAllow = /dev/null rw
 DeviceAllow = /dev/urandom r
 InaccessibleDirectories = /home
 ReadOnlyDirectories = /
 ReadWriteDirectories = /var/lib/tor
 ReadWriteDirectories = /var/log/tor
 ReadWriteDirectories = /var/run/tor
 ReadWriteDirectories = /proc
 }}}
 With these lines:
 {{{
 PrivateDevices = yes
 ProtectHome = yes
 ProtectSystem = full
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
 }}}

 Using PrivateDevices instead of DeviceAllow is more secure as it creates
 a totally separate /dev as well as removing the CAP_MKNOD capability.

 ProtectHome makes /home inaccessible, equivalent to
 "InaccessibleDirectories = /home" but (arguably) more comprehensible.

 ProtectSystem=full makes /usr and /etc read-only.

 CapabilityBoundingSet reduces the process's capabilities to just what it
 needs.

 See http://www.freedesktop.org/software/systemd/man/systemd.exec.html

 This discussion was started at
 https://bugs.gentoo.org/show_bug.cgi?id=529212 and the suggestion to use
 the higher level constructs was made by the Gentoo systemd team.

 For historical reference, tor.service was added in #8368.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13805>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
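To show the proposed directives in the context of a complete unit rather than as loose fragments, here is an example tor.service written for this page. It is an added illustration, not the unit shipped by Tor or by Gentoo, and it assumes a tor binary at /usr/bin/tor, a configuration file at /etc/tor/torrc, and that tor drops privileges to the "tor" user itself via the torrc User option (which is why CAP_SETUID and CAP_SETGID stay in the bounding set).

```ini
# Example hardened tor.service (added illustration, not Tor's or a distro's
# own unit). Assumed paths: /usr/bin/tor and /etc/tor/torrc; assumed that
# torrc contains "User tor" so tor itself drops to an unprivileged account.
[Unit]
Description=Anonymizing overlay network for TCP
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=30
Restart=on-failure

# --- Hardening, using the higher-level directives proposed in the ticket ---

# Private /dev containing only pseudo-devices such as /dev/null and
# /dev/urandom; replaces the per-device DeviceAllow= lines and also
# removes CAP_MKNOD from the service.
PrivateDevices=yes

# /home (as well as /root and /run/user) is made empty and inaccessible;
# replaces InaccessibleDirectories=/home.
ProtectHome=yes

# /usr and /etc are mounted read-only for this service. /var is left
# writable, so the former ReadWriteDirectories= entries for /var/lib/tor,
# /var/log/tor and /var/run/tor are no longer required.
ProtectSystem=full

# Restrict the bounding set to what tor actually uses: binding ports
# below 1024 and changing to the unprivileged user named in torrc.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID

[Install]
WantedBy=multi-user.target
```

After installing the unit, run `systemctl daemon-reload` and restart the service, then watch the journal for permission errors: ProtectSystem=full will break a configuration whose DataDirectory or hidden service directories live under /etc rather than /var/lib/tor, and PrivateDevices will hide any device node beyond the standard pseudo-devices. If systemd's own User= directive is used to drop privileges instead of torrc's User option, CAP_SETUID and CAP_SETGID can be removed from the bounding set as well.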

