On 04/01/17 at 10:13, Peter Palfrader wrote:
On Wed, 04 Jan 2017, Laurent Bigonville wrote:
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
#ReadWriteDirectories=-/var/run
ReadWriteDirectories=-/var/run/tor
Can we still create the directory if it isn't there yet?
Yes, it's working; if I comment it out completely the daemon fails. I
think that it only applies to the main process and not the Pre one (maybe?)
Does it also work if /var/run/tor is *not* there yet when you try to
start the service? At least at some point in history the Pre commands
were subject to the same restrictions.
Yes I tried that, deleting the /var/run/tor directory completely and
then restarting the service and the directory is created. A side note is
that we should maybe use a tmpfiles config here, that way is more
"systemd'ish" and then we are sure the directory is created at boot.
#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
No, that breaks hidden services. See https://bugs.debian.org/847598
I see. Do you know what were the owner/group of /var/lib/tor/hidden_service/
in that bug?
They were debian-tor:, go-rwx, but the check is run when tor is still
root, thus DAC_OVERRIDE is required.
OK
torify wget http://www.perdu.com returns the expected content
I think other useful tests would be
- can Tor start when a hidden service is configured?
- can Hidden services read/write to backend sockets in
/var/lib/tor-onion-sockets/?
- does transparent proxying still work (TransPort)?
- can we log to syslog?
I'll try to see when I can test that. Don't expect a reply tomorrow though.
For the syslog part, I see stuff being logged to journald, so it's OK I
guess.
Don't guess, test :)
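Putting the two ideas from the thread together, as an added example that is not the Debian tor package's own configuration: a tmpfiles.d fragment that creates /run/tor at boot (so the unit never needs write access outside its three directories to create it), and a unit drop-in with the ReadWriteDirectories= lines and the capability set that kept hidden services working. The drop-in path, the tmpfiles.d path, and the 02750 mode are assumptions for the example; the debian-tor owner and the need for CAP_DAC_OVERRIDE are taken from the thread.

```ini
# /usr/lib/tmpfiles.d/tor.conf  (added example; path and mode are assumptions)
# Type Path      Mode  User       Group      Age Argument
# Create the runtime directory at boot and on `systemd-tmpfiles --create`,
# so the service does not depend on being allowed to create it itself.
d /run/tor 02750 debian-tor debian-tor - -

# /etc/systemd/system/tor.service.d/hardening.conf  (added example; path assumed)
# Write access limited to tor's own state, log and runtime directories.
# CAP_DAC_OVERRIDE stays in the bounding set: the hidden service directory
# permission check runs while tor is still root (https://bugs.debian.org/847598),
# and dropping it breaks hidden services.
[Service]
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run/tor
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
```

To exercise this without rebooting, run `systemd-tmpfiles --create /usr/lib/tmpfiles.d/tor.conf`, then `systemctl daemon-reload` and `systemctl restart tor`, and walk through Peter's list: start with a HiddenServiceDir configured, check the sockets under /var/lib/tor-onion-sockets/, test TransPort, and confirm log lines reach the journal (`journalctl -u tor`). Two caveats: ReadWriteDirectories= has been superseded by ReadWritePaths= in newer systemd releases (the old name still works as an alias), and RuntimeDirectory=tor in the [Service] section is the other common way to have systemd create and own /run/tor, without a separate tmpfiles.d file.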