[tor-commits] [community/staging] the systemd bypass advice applies only if setcap

hiro at torproject.org hiro at torproject.org
Sun Mar 21 19:17:30 UTC 2021


commit 935df8b1f5754870c720d6ac8b1e1ab3fce55e97
Author: Roger Dingledine <arma at torproject.org>
Date:   Sun Sep 6 23:50:16 2020 -0400

    the systemd bypass advice applies only if setcap
    
    In its current location, the paragraph implies that you need
    to turn off NoNewPrivileges in order to run obfsproxy on any port,
    and I think you only need to run it if you're using a low port.
---
 .../relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
index 2633204..c820d2c 100644
--- a/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
+++ b/content/relay-operations/technical-setup/bridge/debian-ubuntu/contents.lr
@@ -55,12 +55,12 @@ Don't forget to change the `ORPort`, `ServerTransportListenAddr`, `ContactInfo`,
 
   `sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy`
 
+  To work around systemd hardening, you will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor at default.service` and `/lib/systemd/system/tor at .service` and then run `systemctl daemon-reload`. For more details, see [ticket 18356](https://gitlab.torproject.org/tpo/core/tor/-/issues/18356).
+
 * Note that both Tor's OR port and its obfs4 port must be reachable.
   If your bridge is behind a firewall or NAT, make sure to open both ports.
   You can use [our reachability test](https://bridges.torproject.org/scan/) to see if your obfs4 port is reachable from the Internet.
 
-You will also need to set `NoNewPrivileges=no` in `/lib/systemd/system/tor at default.service` and `/lib/systemd/system/tor at .service` and then run `systemctl daemon-reload`. (see [bug #18356](https://trac.torproject.org/projects/tor/ticket/18356))
-
 ### 4. Restart tor
 
 `systemctl restart tor`
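Review bot: the relocated paragraph still opens "To work around systemd hardening, you will also need to set `NoNewPrivileges=no`", which reads as unconditional even though the commit message says it only applies when the `setcap` step above was used for a low port. Since `NoNewPrivileges=no` relaxes the unit's hardening for the whole tor service, the text should make the condition explicit, e.g. "If you ran the `setcap` command above (needed only for ports below 1024), you will also need to set `NoNewPrivileges=no` ...", so operators on high ports do not weaken the unit for nothing. Also consider recommending a drop-in override (`systemctl edit tor@default.service`, which writes to `/etc/systemd/system/`) instead of editing the files under `/lib/systemd/system/`, which the package manager overwrites on upgrade.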