[tor-dev] tor not starting with NoNewPrivileges = yes (systemd)

Nusenu nusenu at openmailbox.org
Tue Mar 17 16:55:36 UTC 2015


Hello Zack,

thanks for your answer.

Zack Weinberg:
> Could you please put
> 
> Log debug /tmp/tor-startup.log

I had:
>> Log debug file /var/log/tor/log
but it is not being written to.

(I disabled ExecStartPre for now).

> in your torrc, try to start the daemon with NoNewPrivileges=yes,
> and then post the contents of /tmp/tor-startup.log ? We need to
> know exactly how it's failing.  (We might actually need you to run
> it under `strace`, even.)

It is a bit of a tricky environment to run strace in; how would you go about it?


If anyone wants to try, here is the unit file:
(use it with the torrc file from the initial email)

------------------------------------
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type = simple
#ExecStartPre = /usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart = /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
WatchdogSec = 1m
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes

ReadOnlyDirectories = /

ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor

NoNewPrivileges = yes
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE


# not supported in wheezy-backports (systemd 204)
#PrivateDevices = yes
#ProtectHome = yes
#ProtectSystem = full

[Install]
WantedBy = multi-user.target
------------------------------------
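One way to run the daemon under strace without touching the hardening directives of a unit like the one posted above, as an added example that is not part of this thread: a POSIX shell helper that reads the unit's ExecStart= line and writes a systemd drop-in which wraps that same command in strace. The strace output path, /usr/bin/strace, the drop-in root /etc/systemd/system and the NotifyAccess=all line are assumptions for this example; the trace file must sit inside one of the unit's ReadWriteDirectories= paths (here /var/log/tor), or the read-only root will silently swallow it.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a systemd drop-in that
# re-runs the unit's ExecStart= command under strace, leaving NoNewPrivileges=,
# CapabilityBoundingSet= and the other sandboxing settings exactly as they are.
set -eu

# Print the drop-in text for UNIT_FILE, tracing into TRACE_LOG (which must be
# writable from inside the sandbox, e.g. under the unit's ReadWriteDirectories=).
make_strace_dropin() {
    unit_file=$1
    trace_log=$2
    # First ExecStart= line, with the key and the spaces around '=' stripped.
    # 'ExecStartPre =' does not match because '=' must follow 'ExecStart'.
    cmd=$(sed -n 's/^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*//p' "$unit_file" | head -n 1)
    [ -n "$cmd" ] || { echo "no ExecStart= found in $unit_file" >&2; return 1; }
    printf '[Service]\n'
    # An empty ExecStart= resets the list before the override is appended.
    printf 'ExecStart=\n'
    # -f follows the forked/privilege-dropped children, -tt adds timestamps.
    # strace starts tor itself, so no CAP_SYS_PTRACE is needed in the bounding set.
    printf 'ExecStart=/usr/bin/strace -f -tt -o %s %s\n' "$trace_log" "$cmd"
    # strace is now the main PID; accept watchdog/notify messages from tor too
    # (assumption: needed so WatchdogSec= does not kill the traced service).
    printf 'NotifyAccess=all\n'
}

# Write the drop-in as DROPIN_ROOT/UNIT_NAME.d/50-strace.conf and print its path.
# DROPIN_ROOT defaults to /etc/systemd/system and is a parameter for testing.
install_strace_dropin() {
    unit_name=$1
    unit_file=$2
    trace_log=$3
    dropin_root=${4:-/etc/systemd/system}
    dir="$dropin_root/$unit_name.d"
    mkdir -p "$dir"
    make_strace_dropin "$unit_file" "$trace_log" > "$dir/50-strace.conf"
    echo "$dir/50-strace.conf"
}

# Typical use (as root), then 'systemctl daemon-reload; systemctl restart tor':
#   install_strace_dropin tor.service /etc/systemd/system/tor.service /var/log/tor/strace.log
# Remove the .d/50-strace.conf file and reload again once the trace is captured.
```

The last syscalls in the trace before tor exits, read together with the journal entry for the unit, show which operation the sandbox rejected and with which errno.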