[tor-bugs] #19759 [Core Tor/Tor]: systemd tor.service hardening: add MemoryDenyWriteExecute=true

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 27 01:27:58 UTC 2016


#19759: systemd tor.service hardening: add MemoryDenyWriteExecute=true
------------------------------+---------------------
     Reporter:  candrews      |      Owner:
         Type:  enhancement   |     Status:  new
     Priority:  Medium        |  Milestone:
    Component:  Core Tor/Tor  |    Version:
     Severity:  Normal        |   Keywords:  systemd
Actual Points:                |  Parent ID:
       Points:                |   Reviewer:
      Sponsor:                |
------------------------------+---------------------
 In systemd 231, the MemoryDenyWriteExecute option was added:

           A new service setting MemoryDenyWriteExecute= has been added,
           taking a boolean value. If turned on, a service may no longer create
           memory mappings that are writable and executable at the same time.
           This enhances security for services where this is enabled as it
           becomes harder to dynamically write and then execute memory in
           exploited service processes. This option has been enabled for all of
           systemd's own long-running services.
 https://lists.freedesktop.org/archives/systemd-devel/2016-July/037220.html

 Can you please add:
 {{{
 MemoryDenyWriteExecute=true
 }}}
 to https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in
 in the [Service] section?

 Note that systemd < 231 will simply ignore this unknown option so there is
 no backwards compatibility concern.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19759>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
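An added check, not part of the ticket or of tor's own files: a POSIX shell function that reports whether a unit file sets MemoryDenyWriteExecute=true inside its [Service] section, run against a constructed minimal tor-style unit before and after the proposed line (the sample unit is an assumption, not the real tor.service.in).

```shell
#!/bin/sh
# Returns 0 if the unit text on stdin enables MemoryDenyWriteExecute under
# [Service], 1 otherwise. The same key under another section does not count,
# and a later MemoryDenyWriteExecute=false in [Service] wins, as in systemd.
# Accepted true values follow systemd's boolean parsing: true/yes/on/1.
mdwe_enabled() {
    awk '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && /^[ \t]*MemoryDenyWriteExecute[ \t]*=/ {
            split($0, kv, "=")
            val = kv[2]
            gsub(/[ \t]/, "", val)
            val = tolower(val)
            found = (val == "true" || val == "yes" || val == "on" || val == "1")
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed minimal unit (assumption; not the project's own file).
unit_before() {
    cat <<'EOF'
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=notify
ExecStart=/usr/bin/tor -f /etc/tor/torrc
PrivateTmp=yes
EOF
}

# The same unit with the line the ticket asks for appended to [Service].
unit_after() {
    unit_before
    printf '%s\n' 'MemoryDenyWriteExecute=true'
}

# A unit that sets the key in the wrong section must not count as hardened.
unit_wrong_section() {
    printf '%s\n' '[Unit]' 'MemoryDenyWriteExecute=true' '[Service]' 'Type=simple'
}
```

On a live system with systemd 231 or later, `systemctl show tor.service -p MemoryDenyWriteExecute` reports the value in effect after a daemon-reload, which is the check to run once the line is in the unit.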

