PS: Here is a patch for the backports script. I was unable to test it, as the script hardcodes your directory layout.
On Sun, Dec 24, 2017 at 03:36:59PM +0100, Nicolas Braud-Santoni wrote:
> Package: tor
> Version: 0.3.2.8-rc-1
> Severity: normal
> Tags: patch stretch buster sid
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi weasel,
>
> Here is a patch for the systemd unit files that we ship with tor.
>
> It prevents tor from having read-write access to /var/run, and from having
> access to /var/log (except for tor@default, which writes logs there).
>
> Moreover, it restricts tor instances to their own directory under
> /var/{lib,run}/tor-instances, now that #781730 is solved.
>
> I did not (yet) test it on instances other than @default, but I will do so
> momentarily.
>
> Best,
>
> nicoo
>
> - -- System Information:
> Debian Release: buster/sid
> APT prefers testing
> APT policy: (900, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages tor depends on:
> ii adduser 3.116
> ii libc6 2.25-3
> ii libcap2 1:2.25-1.2
> ii libevent-2.1-6 2.1.8-stable-4
> ii liblzma5 5.2.2-1.3
> ii libseccomp2 2.3.1-2.1
> ii libssl1.1 1.1.0g-2
> ii libsystemd0 235-3
> ii libzstd1 1.3.2+dfsg2-1
> ii lsb-base 9.20170808
> ii zlib1g 1:1.2.8.dfsg-5
>
> Versions of packages tor recommends:
> ii logrotate 3.11.0-0.1
> pn tor-geoipdb <none>
> ii torsocks 2.2.0-2
>
> Versions of packages tor suggests:
> ii apparmor-utils 2.11.1-4
> pn mixmaster <none>
> pn obfs4proxy <none>
> ii socat 1.7.3.2-2
> ii tor-arm 1.4.5.0-1.1
> ii torbrowser-launcher 0.2.8-5
>
> - -- Configuration Files:
> /etc/tor/torrc changed:
> SOCKSPort 9050 IPv6Traffic
>
> - -- no debconf information
>
> -----BEGIN PGP SIGNATURE-----
>
> -----END PGP SIGNATURE----- > commit 6d5e750ea1566c25d331e227bd1ef3b22cafd039 > Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu> > Date: Sun Dec 24 14:22:44 2017 +0100 > > systemd: Prevent tor (except tor@default) from accessing /var/log > > This prevents accidentally exposing sensitive information from logs > to tor (such as nginx's currently-broken behaviour [0]) > > [0]: https://security-tracker.debian.org/tracker/source-package/nginx > > diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service > index 749d517c7..acfbf14b9 100644 > --- a/debian/systemd/tor@.service > +++ b/debian/systemd/tor@.service 
> @@ -27,6 +27,7 @@ PrivateDevices=yes > ProtectHome=yes > ProtectSystem=full > ReadOnlyDirectories=/ > +InaccessibleDirectories=/var/log > ReadWriteDirectories=-/var/lib/tor-instances/%i > ReadWriteDirectories=-/var/run/tor-instances/%i > CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE > CAP_DAC_READ_SEARCH > > commit 34814decca292b43adce9356c3ec247c1e41fa62 > Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu> > Date: Sun Dec 24 14:17:40 2017 +0100 > > systemd: Restrict access to more specific paths under /var/run > > This is possible thanks to #781730 being solved. > > diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service > index d71cc31dc..749d517c7 100644 > --- a/debian/systemd/tor@.service > +++ b/debian/systemd/tor@.service > @@ -27,10 +27,8 @@ PrivateDevices=yes > ProtectHome=yes > ProtectSystem=full > ReadOnlyDirectories=/ > -# We would really like to restrict the next item to [..]/%i but we can't, > -# as systemd does not support that yet. See also #781730. > -ReadWriteDirectories=-/var/lib/tor-instances > -ReadWriteDirectories=-/var/run > +ReadWriteDirectories=-/var/lib/tor-instances/%i > +ReadWriteDirectories=-/var/run/tor-instances/%i > CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE > CAP_DAC_READ_SEARCH > > [Install] > diff --git a/debian/systemd/tor@default.service > b/debian/systemd/tor@default.service > index 39d6ba848..161838f56 100644 > --- a/debian/systemd/tor@default.service > +++ b/debian/systemd/tor@default.service > @@ -30,5 +30,5 @@ ReadOnlyDirectories=/ > ReadWriteDirectories=-/proc > ReadWriteDirectories=-/var/lib/tor > ReadWriteDirectories=-/var/log/tor > -ReadWriteDirectories=-/var/run > +ReadWriteDirectories=-/var/run/tor > CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE > CAP_DAC_READ_SEARCH
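Review bot: the `+InaccessibleDirectories=/var/log` line in the tor@.service hunk of commit 6d5e750 applies to every templated instance except tor@default, so any instance whose torrc has a `Log ... file /var/log/...` line will no longer be able to open its log file once this ships; the commit message treats that as intended, but it is a behaviour change for existing deployments and belongs in debian/changelog (or a NEWS entry) so that an admin who hits it knows to move the instance's log under /var/lib/tor-instances/<name> or to a syslog target. The "[0]" reference in the message only points at the nginx tracker page; naming the specific nginx bug would make the motivation verifiable later.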
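Review bot: in the tor@.service hunk of commit 34814de, the `-` prefix is kept on `+ReadWriteDirectories=-/var/lib/tor-instances/%i` and `+ReadWriteDirectories=-/var/run/tor-instances/%i`, which means a systemd that does not expand `%i` in these directives (the situation the removed comment described, see #781730) looks for the literal path, finds nothing and silently skips the line, leaving the instance with a read-only /var/lib and /var/run and no error from systemd; the failure only shows up later as tor being unable to write its data directory or pid file. State the minimum systemd version this now depends on in the changelog, and consider dropping the `-` on the lib path so a missing instance directory fails the unit at start instead of surfacing as an opaque tor error.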
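Review bot: `+ReadWriteDirectories=-/var/run/tor` in the tor@default.service hunk of commit 34814de narrows the grant from all of /var/run to one directory, which is the right direction, but on Debian /var/run is a symlink into the /run tmpfs, so /var/run/tor has to be recreated on every boot; with the `-` prefix, a missing /var/run/tor at start is silently skipped and tor@default runs with a read-only /run. Check that the unit or a tmpfiles.d entry creates the directory before ExecStart, and say in the commit message what under /var/run/tor needs write access (pid file, control socket) so the narrowing can be reviewed against the torrc defaults.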
commit 14935cbcb0668590b15d649b53be222f7ea7dab0 Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu> Date: Sun Dec 24 16:01:17 2017 +0100 Update the backports script diff --git a/debian/misc/build-tor-sources b/debian/misc/build-tor-sources index 41ffc122c..a145a2034 100755 --- a/debian/misc/build-tor-sources +++ b/debian/misc/build-tor-sources @@ -166,6 +166,13 @@ remove_systemd() { fi } +remove_systemd_instance_namespace() { + if [ -d debian/systemd ]; then + sed -i 's,^(ReadWriteDirectories=.*)/%i$,\1,' debian/systemd/*.service + dch --append 'Remove templated ReadWriteDirectories from debian/systemd' + fi +} + old_debug_pkg() { patch debian/rules << EOF diff --git a/debian/rules b/debian/rules @@ -251,6 +258,7 @@ backport_all() { bp1 $pkg $dir $sid_debian_version jessie (cd $dir; remove_libzstd) (cd $dir; old_debug_pkg) + (cd $dir; remove_systemd_instance_namespace) bp2 $pkg $dir $origtar # wheezy @@ -269,11 +277,13 @@ backport_all() { (cd $dir; remove_libzstd) (cd $dir; remove_systemd) (cd $dir; old_debug_pkg) + (cd $dir; remove_systemd_instance_namespace) bp2 $pkg $dir $origtar # xenial (EOL: Apr 2021) ################################################# bp1 $pkg $dir $sid_debian_version xenial + (cd $dir; remove_systemd_instance_namespace) bp2 $pkg $dir $origtar # zesty (EOL: Jan 2018)
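Review bot: the sed in the `remove_systemd_instance_namespace` hunk (`@@ -166,6 +166,13 @@`) does not work as written: `sed -i 's,^(ReadWriteDirectories=.*)/%i$,\1,' debian/systemd/*.service` uses basic regular expressions, in which `(` and `)` match literally, so the pattern never matches a real unit line and `\1` refers to a group that does not exist (GNU sed rejects the expression with "invalid reference \1 on `s' command's RHS" before touching any file). Either add `-E` or write the group as `\(ReadWriteDirectories=.*\)`. Given the cover note says the patch is untested, running the function once against a copy of debian/systemd and diffing the two `ReadWriteDirectories=-/var/.../%i` lines in tor@.service would confirm the rewrite before it goes into the backport pipeline.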
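Review bot: the commit message "Update the backports script" does not say why the call is being added in the `@@ -251,6 +258,7 @@` hunk; record that it strips the `%i`-templated ReadWriteDirectories paths for targets whose systemd predates specifier support in those directives (#781730), and which targets that covers, so the next person editing backport_all knows when the call can be dropped.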
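Review bot: in the `@@ -269,11 +277,13 @@` hunk the wheezy call to `remove_systemd_instance_namespace` is placed after `(cd $dir; remove_systemd)`; if remove_systemd drops debian/systemd, as its name suggests, the `[ -d debian/systemd ]` guard makes the new call a no-op there, which is harmless but misleading, so either move it before remove_systemd or leave it out for wheezy. The hunk adds the call for xenial but not for zesty, which follows immediately in the context; if that is because zesty's systemd expands `%i` here, note the cutoff version in a comment next to the xenial line so the list does not drift as targets are added or retired.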