[tor-bugs] #20930 [- Select a component]: Use new systemd hardening options

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 8 13:38:26 UTC 2016


#20930: Use new systemd hardening options
--------------------------------------+-----------------
     Reporter:  serafean              |      Owner:
         Type:  enhancement           |     Status:  new
     Priority:  Medium                |  Milestone:
    Component:  - Select a component  |    Version:
     Severity:  Normal                |   Keywords:
Actual Points:                        |  Parent ID:
       Points:                        |   Reviewer:
      Sponsor:                        |
--------------------------------------+-----------------
 Using systemd 232, I discovered some more hardening options. This is my
 working systemd unit file.
 I'd say the most interesting ones are "PrivateUsers" and "PrivateDevices".
 Note that I start tor directly as the tor user, listening on ports > 1024,
 because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024.
 Setting this capability is enough to start dnsmasq as non-root (listening
 on correct ports), so it is something within tor that breaks.
 AFAIK setting these is safe even for older systems since systemd ignores
 unknown keywords.

 {{{
 [Unit]
 Description=The Onion Router
 After=network-online.target

 [Service]
 User=tor
 Group=tor
 ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
 ExecStart=/usr/bin/tor  --RunAsDaemon 0 -f /etc/tor/torrc
 ExecReload=/bin/kill -HUP $MAINPID
 KillSignal=SIGINT
 TimeoutStopSec=32
 LimitNOFILE=32768

 # Hardening options:
 #CapabilityBoundingSet = CAP_NET_BIND_SERVICE
 #AmbientCapabilities = CAP_NET_BIND_SERVICE
 # Capabilities aren't enough to have ports < 1024
 RuntimeDirectory=tor
 # Tor is happy with this default mask (systemd only treats a line as a
 # comment when it starts with '#', so the note cannot follow the value)
 RuntimeDirectoryMode=0700
 ReadWriteDirectories=/var/lib/tor/
 PrivateTmp = yes
 PrivateUsers = yes
 ProtectKernelTunables = yes
 ProtectControlGroups = yes
 ProtectKernelModules = yes
 PrivateDevices = yes
 ProtectHome = yes
 ProtectSystem = strict
 NoNewPrivileges = yes

 [Install]
 WantedBy=multi-user.target
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20930>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
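As an added check that is not part of the ticket or of Tor's own packaging: a small Python auditor that parses a unit file with systemd's comment rule (a line is a comment only when it begins with `#` or `;`, so a `#` after a value stays in the value) and reports which of the hardening directives listed in the ticket are absent or weaker than the ticket's settings. `parse_unit`, `audit`, `EXPECTED_HARDENING` and the embedded `SAMPLE_UNIT` are constructed for this example.

```python
# Hardening directives listed in the ticket and the value that turns them on.
EXPECTED_HARDENING = {
    "PrivateTmp": "yes", "PrivateUsers": "yes", "PrivateDevices": "yes",
    "ProtectKernelTunables": "yes", "ProtectControlGroups": "yes",
    "ProtectKernelModules": "yes", "ProtectHome": "yes",
    "ProtectSystem": "strict", "NoNewPrivileges": "yes",
}
TRUE_WORDS = {"1", "yes", "true", "on"}  # systemd's boolean spellings

# Constructed sample: a trimmed copy of the ticket's unit that keeps two pitfalls,
# an inline comment after a value and ProtectSystem=full instead of strict.
SAMPLE_UNIT = """\
[Service]
User=tor
RuntimeDirectoryMode=0700 # Tor is happy with this default mask
PrivateTmp = yes
PrivateUsers = yes
ProtectSystem = full
NoNewPrivileges = yes
"""

def parse_unit(text):
    """Parse unit text into ({section: {key: value}}, problems). Per systemd, a
    line is a comment only when it starts with '#' or ';' and whitespace around
    '=' is ignored; a later '#' stays in the value, so such lines are reported."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            problems.append(f"line {lineno}: not a key=value assignment")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if "#" in value:
            problems.append(f"line {lineno}: inline comment in value of {key}")
        sections[current][key] = value
    return sections, problems

def audit(text):
    """List parse problems and hardening directives absent or weaker than the ticket's."""
    sections, problems = parse_unit(text)
    service = sections.get("Service", {})
    norm = {k: ("yes" if v.lower() in TRUE_WORDS else v.lower()) for k, v in service.items()}
    missing = [k for k, want in EXPECTED_HARDENING.items() if norm.get(k) != want]
    return {"problems": problems, "missing": missing}
```

Running `audit(SAMPLE_UNIT)` flags the inline comment on line 3 and lists the six directives the trimmed sample lacks or weakens, including `ProtectSystem` because `full` is not `strict`.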

