[tor-bugs] #13805 [Tor]: Improve hardening in tor.service

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Nov 28 18:29:24 UTC 2014


#13805: Improve hardening in tor.service
--------------------------+--------------------------------
     Reporter:  candrews  |      Owner:  candrews
         Type:  defect    |     Status:  assigned
     Priority:  normal    |  Milestone:  Tor: 0.2.6.x-final
    Component:  Tor       |    Version:
   Resolution:            |   Keywords:  systemd
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+--------------------------------

Comment (by candrews):

 I've put my changes on github, you can see them at:
 https://github.com/candrews/tor/blob/issue13805/contrib/dist/tor.service.in

 I'll stick to the hardening options and deal with the timeout stuff
 another time :-)

 Given what you've said, I think having both ProtectSystem=full and the
 ReadWriteDirectories restrictions makes the most sense as that would
 provide the security benefits of both. To fix the "cryptic error" problem,
 I think we can safely not error out if a directory doesn't exist, so I've
 prefixed the directories in ReadWriteDirectories with a "-" as described
 at http://www.freedesktop.org/software/systemd/man/systemd.exec.html

 However, I'm unclear as to why the current combination of
 ReadOnlyDirectories and ReadWriteDirectories is not compatible with the
 AppArmorProfile. Perhaps that's something that we can fix? For my
 curiosity, is there a bug report about that problem in AppArmor, Debian,
 systemd, or elsewhere that I could check out?

 Regarding CapabilityBoundingSet, I'm using it on my system now without a
 problem. I looked over http://linux.die.net/man/7/capabilities and none of
 the capabilities except for CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
 seem like they should be used by Tor. I'm using systemd 217 and Sid has
 215, and I'm using Tor 0.2.6.1-alpha, so these may be significant
 differences as well.

 I just tried it with obfsproxy and it seems to work fine.

 Finally, when I build Tor (and this is noted in the Gentoo ticket - it's
 not just me), the ReadWriteDirectories entries in tor.service end up
 looking like this:
 ReadWriteDirectories = /var/lib/lib/tor
 I'm not an autotools/make expert, so I don't know why that is... it looks
 like @LOCALSTATEDIR@ is expanding to "/var/lib" but should expand to just
 "/var". Is that something you can help with?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13805#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
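The three hardening directives the comment above discusses (ProtectSystem=full, ReadWriteDirectories with the "-" prefix so a missing directory does not fail the start, and a CapabilityBoundingSet limited to CAP_SETUID, CAP_SETGID and CAP_NET_BIND_SERVICE) are easy to get subtly wrong, so here is an added example of a small shell checker for them. It is not code from the ticket, from candrews' branch, or from the Tor project's tor.service.in; the two unit bodies it audits are constructed for the example and only resemble a tor.service. The checker assumes the systemd 215/217-era directive spelling used in the thread (ReadWriteDirectories=, not the later ReadWritePaths= alias) and that directives start in column one, as they do in real unit files.

```shell
#!/bin/sh
# Audit a systemd unit (read from stdin) for the hardening settings discussed
# in the ticket. One finding per line; prints nothing when all three are fine.
audit_unit() {
    text=$(cat)

    # ProtectSystem=full makes /usr and /etc read-only for the service;
    # "strict" is the later, stronger setting. Last assignment wins in systemd,
    # hence tail -n 1.
    ps=$(printf '%s\n' "$text" | sed -n 's/^ProtectSystem=//p' | tail -n 1)
    case "$ps" in
        full|strict) ;;
        '') echo "ProtectSystem is not set (/usr and /etc stay writable)" ;;
        *)  echo "ProtectSystem=$ps is weaker than full" ;;
    esac

    # Every ReadWriteDirectories entry should carry the "-" prefix so that a
    # directory that does not exist is skipped instead of failing the start
    # with a cryptic error.
    printf '%s\n' "$text" | sed -n 's/^ReadWriteDirectories=//p' | tr ' ' '\n' |
    while read -r d; do
        [ -n "$d" ] || continue
        case "$d" in
            -*) ;;
            *)  echo "ReadWriteDirectories entry $d lacks the - prefix" ;;
        esac
    done

    # CapabilityBoundingSet: tor needs only these three. An inverted list
    # (~CAP_...) removes capabilities instead of listing the kept ones; this
    # checker flags it for manual review rather than evaluating it.
    cbs=$(printf '%s\n' "$text" | sed -n 's/^CapabilityBoundingSet=//p' | tail -n 1)
    if [ -z "$cbs" ]; then
        echo "CapabilityBoundingSet is not set (no capability is dropped)"
    else
        for c in $cbs; do
            case "$c" in
                CAP_SETUID|CAP_SETGID|CAP_NET_BIND_SERVICE) ;;
                '~'*) echo "CapabilityBoundingSet uses an inverted list ($c); check by hand" ;;
                *)    echo "CapabilityBoundingSet grants $c" ;;
            esac
        done
    fi
}

# True (exit 0) when audit_unit reports nothing for the unit on stdin.
unit_is_hardened() {
    [ -z "$(audit_unit)" ]
}

# Constructed sample: a unit with no hardening at all.
WEAK_UNIT=$(cat <<'EOF'
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ReadWriteDirectories=/var/lib/tor /var/log/tor
EOF
)

# Constructed sample: the same unit with the settings the comment proposes.
HARDENED_UNIT=$(cat <<'EOF'
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ProtectSystem=full
ReadWriteDirectories=-/var/lib/tor -/var/log/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
EOF
)

echo "== weak unit =="
printf '%s\n' "$WEAK_UNIT" | audit_unit
echo "== hardened unit =="
printf '%s\n' "$HARDENED_UNIT" | audit_unit
```

On a live system the same settings can be confirmed from systemd's own view of the loaded unit rather than from the file text, for example `systemctl show tor.service -p ProtectSystem -p CapabilityBoundingSet -p ReadWriteDirectories` after `systemctl daemon-reload`; that is also where a bad @LOCALSTATEDIR@ expansion such as /var/lib/lib/tor would show up.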