[tor-commits] [tor/master] systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).
nickm at torproject.org
nickm at torproject.org
Wed Sep 3 17:30:18 UTC 2014
commit c9f30c4512fa6409eaf829c8448c8e086271c94f
Author: intrigeri <intrigeri at boum.org>
Date: Wed Aug 27 03:05:12 2014 +0000
systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).
The rest of the filesystem is accessible for reading only. Still, quoting
systemd.exec(5):
Note that restricting access with these options does not extend to submounts
of a directory that are created later on.
---
contrib/dist/tor.service.in | 3 +++
1 file changed, 3 insertions(+)
diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in
index 2fe51c7..8c70ccc 100644
--- a/contrib/dist/tor.service.in
+++ b/contrib/dist/tor.service.in
@@ -19,6 +19,9 @@ PrivateTmp = yes
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
+ReadOnlyDirectories = /
+ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
+ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
[Install]
WantedBy = multi-user.target
More information about the tor-commits
mailing list