On Wed, 04 Jan 2017, Laurent Bigonville wrote:

> reopen 800385

Don't, let's take it to #847477.

> >># Hardening
> >>AppArmorProfile=system_tor
> >>NoNewPrivileges=yes
> >>PrivateTmp=yes
> >>PrivateDevices=yes
> >>ProtectHome=yes
> >>ProtectControlGroups=yes #added
> >>ProtectKernelTunables=yes #added
> >Maybe.
> >
> >>#ProtectSystem=full
> >>ProtectSystem=strict
> >Maybe.  That's new in sid/testing.
> >
> >>#ReadOnlyDirectories=/
> 
> I understand better why you chose ReadOnlyDirectories=/ instead of
> ProtectSystem=strict now
> 
> >>#ReadWriteDirectories=-/proc
> >Maybe.
> >
> >>ReadWriteDirectories=-/var/lib/tor
> >>ReadWriteDirectories=-/var/log/tor
> >>#ReadWriteDirectories=-/var/run
> >>ReadWriteDirectories=-/var/run/tor
> >Can we still create the directory if it isn't there yet?
> 
> Yes, it's working; if I comment it out completely the daemon fails. I
> think that it only applies to the main process and not the Pre one (maybe?)

Does it also work if /var/run/tor is *not* there yet when you try to
start the service?  At least at some point in history the Pre commands
were subject to the same restrictions.

> >>#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
> >>CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> >No, that breaks hidden services.  See https://bugs.debian.org/847598
> 
> I see. Do you know what were the owner/group of /var/lib/tor/hidden_service/
> in that bug?

They were debian-tor:, go-rwx, but the check is run when tor is still
root, thus DAC_OVERRIDE is required.

> >>torify wget http://www.perdu.com returns the expected content
> >I think other useful tests would be
> >  - can Tor start when a hidden service is configured?
> >  - can Hidden services read/write to backend sockets in
> >    /var/lib/tor-onion-sockets/?
> >  - does transparent proxying still work (TransPort)?
> >  - can we log to syslog?
> 
> I'll try to see when I can test that. Don't expect a reply tomorrow though.
> 
> For the syslog part, I see stuff being logged in journald, so it's OK I
> guess.

Don't guess, test :)

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/

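The two pitfalls argued over in this thread (dropping CAP_DAC_OVERRIDE from the bounding set while a HiddenServiceDir is configured, and making / read-only under ProtectSystem=strict or ReadOnlyDirectories=/ without whitelisting tor's state, log and run directories) are easy to catch before a restart with a small lint. The script below is an added example for this page, not code from the thread or from Debian's tor packaging: the function names, the sample drop-in and the sample torrc are constructed here, the drop-in being modelled on the one Laurent quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the Debian tor package): lint a
# tor.service hardening drop-in against a torrc for two known pitfalls.
# Helper names (unit_values, unit_allows_cap, unit_root_readonly,
# unit_writable, lint_tor_unit) and the sample texts are constructed here.
set -u

# Constructed sample drop-in, modelled on the one quoted in the thread.
SAMPLE_UNIT='[Service]
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=strict
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
'

# Constructed torrc with a hidden service under /var/lib/tor.
SAMPLE_TORRC='SocksPort 9050
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
'

# Print every value of directive $2 found in unit text $1, one per line.
# Commented-out directives (leading #) are ignored by the anchored regex.
unit_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p"
}

# Succeed if the unit keeps capability $2: either no CapabilityBoundingSet
# at all (all capabilities retained) or a bounding set that lists it.
unit_allows_cap() {
    caps=$(unit_values "$1" CapabilityBoundingSet)
    [ -z "$caps" ] && return 0
    printf '%s\n' "$caps" | tr ' ' '\n' | grep -qx "$2"
}

# Succeed if the unit makes / read-only: ProtectSystem=strict, or a
# ReadOnlyDirectories entry that is / itself.
unit_root_readonly() {
    [ "$(unit_values "$1" ProtectSystem | tail -n 1)" = strict ] && return 0
    unit_values "$1" ReadOnlyDirectories | tr ' ' '\n' | sed 's/^-//' | grep -qx /
}

# Succeed if some ReadWriteDirectories/ReadWritePaths entry is $2 or a
# parent of $2. A leading "-" only suppresses errors for missing paths.
unit_writable() {
    { unit_values "$1" ReadWriteDirectories; unit_values "$1" ReadWritePaths; } \
        | tr ' ' '\n' | sed -e '/^$/d' -e 's/^-//' \
        | awk -v p="$2" 'p == $0 || index(p, $0 "/") == 1 { found = 1 }
                         END { exit !found }'
}

# Lint unit text $1 against torrc text $2: print findings, return their count.
lint_tor_unit() {
    n=0
    if printf '%s\n' "$2" | grep -q '^HiddenServiceDir' \
       && ! unit_allows_cap "$1" CAP_DAC_OVERRIDE; then
        echo "FAIL: HiddenServiceDir set but CAP_DAC_OVERRIDE dropped;" \
             "tor checks the directory while still root"
        n=$((n + 1))
    fi
    if unit_root_readonly "$1"; then
        for d in /var/lib/tor /var/log/tor /var/run/tor; do
            unit_writable "$1" "$d" || {
                echo "FAIL: / is read-only but $d is not whitelisted"
                n=$((n + 1))
            }
        done
    fi
    return $n
}

# On the sample above this reports the missing CAP_DAC_OVERRIDE.
lint_tor_unit "$SAMPLE_UNIT" "$SAMPLE_TORRC" || echo "$? finding(s)"
```

In practice feed it the output of `systemctl cat` for the tor unit and the real torrc. The lint only covers the static part of the discussion; Peter's remaining question, whether ExecStartPre can still create /var/run/tor when it does not exist yet, is answered by removing that directory and starting the service, not by reading the unit.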