[tor-bugs] #19759 [Core Tor/Tor]: systemd tor.service hardening: add MemoryDenyWriteExecute=true
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 27 01:27:58 UTC 2016
#19759: systemd tor.service hardening: add MemoryDenyWriteExecute=true
------------------------------+---------------------
Reporter: candrews | Owner:
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Core Tor/Tor | Version:
Severity: Normal | Keywords: systemd
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
------------------------------+---------------------
In systemd 231, the MemoryDenyWriteExecute option was added:
A new service setting MemoryDenyWriteExecute= has been added,
taking
a boolean value. If turned on, a service may no longer create
memory
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it
becomes
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of
systemd's
own long-running services.
https://lists.freedesktop.org/archives/systemd-devel/2016-July/037220.html
Can you please add:
{{{
MemoryDenyWriteExecute=true
}}}
to https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in
in the [Service] section?
Note that systemd < 231 will simply ignore this unknown option so there is
no backwards compatibility concern.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19759>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list