[tor-dev] what capabilities does tor need for reloading?

Nusenu nusenu at openmailbox.org
Wed Mar 18 12:58:42 UTC 2015


> 'systemctl reload tor' fails due to hardening restrictions in tor's
> systemd service file [1]:
> 
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

This configuration restricts not only the service (tor) but also the
ExecReload commands (kill), so the somewhat obvious fix was to add
"CAP_KILL".
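
Added example, not part of the original message or of tor's own service file: a small Python check for the situation described above, an `ExecReload=` command that signals the daemon with `kill` while `CapabilityBoundingSet=` lacks `CAP_KILL`. The unit text is constructed; only the `CapabilityBoundingSet` line comes from the message, and the `ExecStart`/`ExecReload` paths and all function names are assumptions.

```python
import os
import re

# Constructed sample unit. Only the CapabilityBoundingSet line is quoted from
# the message; the ExecStart/ExecReload paths are assumptions.
BEFORE = """[Service]
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
"""
AFTER = BEFORE.replace("CAP_NET_BIND_SERVICE", "CAP_NET_BIND_SERVICE CAP_KILL")

def _values(unit_text, key):
    """All values assigned to `key` in the unit text, in file order."""
    pat = re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*)$", re.M)
    return [m.group(1).strip() for m in pat.finditer(unit_text)]

def has_capability(unit_text, cap):
    """True if `cap` survives the unit's CapabilityBoundingSet= lines."""
    present, seen = True, False      # option unset: bounding set not restricted
    for value in _values(unit_text, "CapabilityBoundingSet"):
        if value == "":              # empty assignment resets to the empty set
            present = False
        elif value.startswith("~"):  # "~" lines remove the listed capabilities
            if cap in value[1:].split():
                present = False
        else:                        # plain lines are merged by OR
            present = (cap in value.split()) or (seen and present)
        seen = True
    return present

def reload_findings(unit_text):
    """ExecReload= commands that run kill while CAP_KILL is outside the set."""
    if has_capability(unit_text, "CAP_KILL"):
        return []
    findings = []
    for cmd in _values(unit_text, "ExecReload"):
        argv = cmd.lstrip("-@+!:").split()   # drop systemd's exec prefixes
        if argv and os.path.basename(argv[0]) == "kill":
            findings.append(cmd)
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, reload_findings(text) or "ok")
```

The check matters when the daemon has switched to a different UID than the `ExecReload` process: without `CAP_KILL`, `kill(2)` then fails with `EPERM` even for UID 0.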

