PS: Here is a patch for the backports script.
    I was unable to test it, as the script hardcodes your directory layout.

On Sun, Dec 24, 2017 at 03:36:59PM +0100, Nicolas Braud-Santoni wrote:
> Package: tor
> Version: 0.3.2.8-rc-1
> Severity: normal
> Tags: patch stretch buster sid
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Hi weasel,
> 
> Here is a patch for the systemd unit files that we ship with tor.
> 
> It prevents tor from having read-write access to /var/run, and from having
> access to /var/log (except for tor@default, which writes logs there).
> 
> Moreover, it restricts tor instances to their own directory under
> /var/{lib,run}/tor-instances, now that #781730 is solved.
> 
> I did not (yet) test it on instances other than @default, but I will do so
> momentarily.
> 
> 
> Best,
> 
>   nicoo
> 
> - -- System Information:
> Debian Release: buster/sid
>   APT prefers testing
>   APT policy: (900, 'testing'), (500, 'unstable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
> 
> Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: 
> LC_ALL set to en_US.UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages tor depends on:
> ii  adduser         3.116
> ii  libc6           2.25-3
> ii  libcap2         1:2.25-1.2
> ii  libevent-2.1-6  2.1.8-stable-4
> ii  liblzma5        5.2.2-1.3
> ii  libseccomp2     2.3.1-2.1
> ii  libssl1.1       1.1.0g-2
> ii  libsystemd0     235-3
> ii  libzstd1        1.3.2+dfsg2-1
> ii  lsb-base        9.20170808
> ii  zlib1g          1:1.2.8.dfsg-5
> 
> Versions of packages tor recommends:
> ii  logrotate    3.11.0-0.1
> pn  tor-geoipdb  <none>
> ii  torsocks     2.2.0-2
> 
> Versions of packages tor suggests:
> ii  apparmor-utils       2.11.1-4
> pn  mixmaster            <none>
> pn  obfs4proxy           <none>
> ii  socat                1.7.3.2-2
> ii  tor-arm              1.4.5.0-1.1
> ii  torbrowser-launcher  0.2.8-5
> 
> - -- Configuration Files:
> /etc/tor/torrc changed:
> SOCKSPort 9050 IPv6Traffic
> 
> 
> - -- no debconf information
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQJNBAEBCgA3FiEEiWEbFKE2h/s1SpJPnU+IAQz+GeMFAlo/u4gZHG5pY29sYXNA
> YnJhdWQtc2FudG9uaS5ldQAKCRCdT4gBDP4Z46gtD/0chaqTZjTlNCloeQXgRLPx
> quaEeXfytY61UpvX1ScpQDThLSpGcUW5SAnt/9LE04EHAmnqj30XmOAo0CQi41k4
> K3k+UUWTGaRtIV0+HeaHLdj9AlrXGXSsllk9RzlnXcq2udQhrawTrGbeXau/QeOX
> OL8oTFYT1qC9AEFh3f95nfEicyPv7j3/UYd/73vzzxA49lZ93FELXz5M3EHGiqCH
> 1nXMXPwoeYyEJApqe7jJdCCkrfgAO5fHogYzk5h518+Hd3fUHcwfj1zohRDp//L7
> AZdEzghwNEgkS9VpxQ62MAlueeEwpO7VY12WDC+tulx0Z9pKMhQ+2s25aca/v6e4
> ExE5oA4P9pwoGyyikRbYkq6G7FzTkLpZ1Fqz0VKEbiurrrLJTPG8CTBWDmk0aom0
> PBOgz1nbsqpLJVMPq2sOGS4RGbnxy30vzKmnU7RrBknpvVDrHEqQxNNFjxlLIwJZ
> D1HSOGuZHovVJ1pLqlNS5G2merVe67Rs7LBb09OlTqRLa4s5LOZooQbA7B2qx77z
> FbcJtgB3UeXFy1VtsjDORP+qCI2Ngz5GWGFqNlGYUPNrL+VbwfZs7PwbvuwYD9Fm
> dUIk/cfBxPlFpmEPrgMswNpezLXUX+cgQN0zzmHoAwSFdSmwZlcHDTCiDcPo6UrN
> 9svzH5COBLuPico9AOHHiA==
> =zvBv
> -----END PGP SIGNATURE-----

> commit 6d5e750ea1566c25d331e227bd1ef3b22cafd039
> Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
> Date:   Sun Dec 24 14:22:44 2017 +0100
> 
>     systemd: Prevent tor (except tor@default) from accessing /var/log
>     
>     This prevents sensitive information in logs from accidentally being
>     exposed to tor (e.g. through nginx's currently-broken behaviour [0])
>     
>     [0]: https://security-tracker.debian.org/tracker/source-package/nginx
> 
> diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service
> index 749d517c7..acfbf14b9 100644
> --- a/debian/systemd/tor@.service
> +++ b/debian/systemd/tor@.service
> @@ -27,6 +27,7 @@ PrivateDevices=yes
>  ProtectHome=yes
>  ProtectSystem=full
>  ReadOnlyDirectories=/
> +InaccessibleDirectories=/var/log
>  ReadWriteDirectories=-/var/lib/tor-instances/%i
>  ReadWriteDirectories=-/var/run/tor-instances/%i
>  CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
> CAP_DAC_READ_SEARCH
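Review bot: The added `InaccessibleDirectories=/var/log` line carries no comment explaining why the generic instance template loses all of /var/log while tor@default.service keeps `ReadWriteDirectories=-/var/log/tor`, and an instance whose torrc logs to a file under /var/log will now fail to open it, so that intent should be recorded next to the directive. Suggest `# Instances must not read other services' logs; only tor@default.service is granted /var/log/tor.` above the new line. Using the legacy `*Directories=` spelling, matching the neighbouring directives rather than the newer `InaccessiblePaths=`, looks deliberate given the backport targets, and is worth a word in the same comment. The hunk shows only part of the [Service] section; the rest of the unit is outside the patch.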
> 
> commit 34814decca292b43adce9356c3ec247c1e41fa62
> Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
> Date:   Sun Dec 24 14:17:40 2017 +0100
> 
>     systemd: Restrict access to more specific paths under /var/run
>     
>     This is possible thanks to #781730 being solved.
> 
> diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service
> index d71cc31dc..749d517c7 100644
> --- a/debian/systemd/tor@.service
> +++ b/debian/systemd/tor@.service
> @@ -27,10 +27,8 @@ PrivateDevices=yes
>  ProtectHome=yes
>  ProtectSystem=full
>  ReadOnlyDirectories=/
> -# We would really like to restrict the next item to [..]/%i but we can't,
> -# as systemd does not support that yet.  See also #781730.
> -ReadWriteDirectories=-/var/lib/tor-instances
> -ReadWriteDirectories=-/var/run
> +ReadWriteDirectories=-/var/lib/tor-instances/%i
> +ReadWriteDirectories=-/var/run/tor-instances/%i
>  CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
> CAP_DAC_READ_SEARCH
>  
>  [Install]
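Review bot: Both added `ReadWriteDirectories=` lines keep the `-` prefix, which makes systemd skip the entry silently when /var/lib/tor-instances/%i or /var/run/tor-instances/%i does not exist; together with `ReadOnlyDirectories=/` three lines above, a missing runtime directory then leaves the instance with a read-only /var/run rather than a startup error, which is harder to diagnose than the old blanket `-/var/run`. If those directories are created by an ExecStartPre= outside the hunk, note that such commands run inside the same mount namespace unless prefixed with `+`, so the directories would have to exist before the unit starts — worth confirming against the part of the unit not shown. Suggest documenting the assumption: `# These paths must exist before start: a missing entry is skipped (leading -) and /var/run then stays read-only.` The same applies to `ReadWriteDirectories=-/var/run/tor` in the tor@default.service hunk below.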
> diff --git a/debian/systemd/tor@default.service 
> b/debian/systemd/tor@default.service
> index 39d6ba848..161838f56 100644
> --- a/debian/systemd/tor@default.service
> +++ b/debian/systemd/tor@default.service
> @@ -30,5 +30,5 @@ ReadOnlyDirectories=/
>  ReadWriteDirectories=-/proc
>  ReadWriteDirectories=-/var/lib/tor
>  ReadWriteDirectories=-/var/log/tor
> -ReadWriteDirectories=-/var/run
> +ReadWriteDirectories=-/var/run/tor
>  CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
> CAP_DAC_READ_SEARCH

commit 14935cbcb0668590b15d649b53be222f7ea7dab0
Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Date:   Sun Dec 24 16:01:17 2017 +0100

    Update the backports script

diff --git a/debian/misc/build-tor-sources b/debian/misc/build-tor-sources
index 41ffc122c..a145a2034 100755
--- a/debian/misc/build-tor-sources
+++ b/debian/misc/build-tor-sources
@@ -166,6 +166,13 @@ remove_systemd() {
        fi
 }
 
+remove_systemd_instance_namespace() {
+    if [ -d debian/systemd ]; then
+        sed -i 's,^(ReadWriteDirectories=.*)/%i$,\1,' debian/systemd/*.service
+        dch --append 'Remove templated ReadWriteDirectories from 
debian/systemd'
+    fi
+}
+
 old_debug_pkg() {
        patch debian/rules << EOF
 diff --git a/debian/rules b/debian/rules
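Review bot: The `sed -i` line in the new remove_systemd_instance_namespace() uses `(`…`)` as a capture group and `\1` as a back-reference, but sed's default basic regular expressions treat unescaped parentheses as literal characters, so no group exists and GNU sed rejects the command with "invalid reference \1 on `s' command's RHS"; the backported unit files are then left with the `/%i` suffixes and, under `set -e` if the script uses it, the backport aborts. Use `sed -i 's,^\(ReadWriteDirectories=.*\)/%i$,\1,' debian/systemd/*.service` (or `sed -E` with the current pattern). Note also that stripping `/%i` yields `-/var/run/tor-instances` rather than the `-/var/run` the unit used before #781730 was solved, so the result is not equivalent to the old unit if that directory is absent on the older targets — a comment stating this is intended, or a second substitution, would avoid surprises. The cover note says the patch is untested, so a dry run of the sed over a copy of debian/systemd is worthwhile. old_debug_pkg() continues past the end of the hunk.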
@@ -251,6 +258,7 @@ backport_all() {
        bp1 $pkg $dir $sid_debian_version jessie
        (cd $dir; remove_libzstd)
        (cd $dir; old_debug_pkg)
+       (cd $dir; remove_systemd_instance_namespace)
        bp2 $pkg $dir $origtar
 
        # wheezy
@@ -269,11 +277,13 @@ backport_all() {
        (cd $dir; remove_libzstd)
        (cd $dir; remove_systemd)
        (cd $dir; old_debug_pkg)
+       (cd $dir; remove_systemd_instance_namespace)
        bp2 $pkg $dir $origtar
 
        # xenial (EOL: Apr 2021)
        #################################################
        bp1 $pkg $dir $sid_debian_version xenial
+       (cd $dir; remove_systemd_instance_namespace)
        bp2 $pkg $dir $origtar
 
        # zesty (EOL: Jan 2018)
