As discussed on IRC, here is a new patch that drops PermissionsStartOnly. I also updated the backport script.
commit eaf325d3cf3a42033e32b5535599a3f0427fa519 Author: Nicolas Braud-Santoni <nico...@braud-santoni.eu> Date: Sun Dec 24 17:07:12 2017 +0100
debian/systemd: Drop PermissionsStartOnly This avoids running --verify-config unconfined
diff --git a/debian/misc/build-tor-sources b/debian/misc/build-tor-sources
index a145a2034..cc83d1b44 100755
--- a/debian/misc/build-tor-sources
+++ b/debian/misc/build-tor-sources
@@ -166,10 +166,15 @@ remove_systemd() {
 fi
 }
 
-remove_systemd_instance_namespace() {
+# Remove systemd hardening features that require systemd >= 232
+remove_systemd_hardening() {
 if [ -d debian/systemd ]; then
 sed -i 's,^(ReadWriteDirectories=.*)/%i$,\1,' debian/systemd/*.service
 dch --append 'Remove templated ReadWriteDirectories from debian/systemd'
+
+ sed -i 's,^(PermissionsStartOnly=).*$,\1=yes,' debian/systemd/*.service
+ sed -i 's,^(Exec[^= ]+)=+(.*)$,\1=\2,' debian/systemd/*.service
+ dch --append 'Remove privileged ExecXYZ directives from debian/systemd'
 fi
 }
 
@@ -258,7 +263,7 @@ backport_all() {
 bp1 $pkg $dir $sid_debian_version jessie
 (cd $dir; remove_libzstd)
 (cd $dir; old_debug_pkg)
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
 bp2 $pkg $dir $origtar
 
 # wheezy
@@ -277,13 +282,13 @@ backport_all() {
 (cd $dir; remove_libzstd)
 (cd $dir; remove_systemd)
 (cd $dir; old_debug_pkg)
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
 bp2 $pkg $dir $origtar
 
 # xenial (EOL: Apr 2021)
 #################################################
 bp1 $pkg $dir $sid_debian_version xenial
- (cd $dir; remove_systemd_instance_namespace)
+ (cd $dir; remove_systemd_hardening)
 bp2 $pkg $dir $origtar
 
 # zesty (EOL: Jan 2018)
diff --git a/debian/systemd/tor@.service b/debian/systemd/tor@.service
index acfbf14b9..a0ea3a10f 100644
--- a/debian/systemd/tor@.service
+++ b/debian/systemd/tor@.service
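Review bot: The new PermissionsStartOnly rewrite in remove_systemd_hardening produces `PermissionsStartOnly==yes`, because the capture group `(PermissionsStartOnly=)` already contains the `=` and the replacement `\1=yes` adds a second one; systemd will reject or ignore that key on the very backports this function targets, leaving the ExecStartPre lines (whose `+` prefix the next sed strips) to run as the unprivileged user and fail to create the runtime directory. The replacement should be `sed -i 's,^(PermissionsStartOnly=).*$,\1yes,' debian/systemd/*.service`. It is also worth confirming that these seds run with extended-regex semantics, since `(`, `)` and `+` are literal in plain `sed` BRE syntax; the pre-existing ReadWriteDirectories line shares the same style, so this may be handled elsewhere in the script. Lastly, the dch entry says the privileged directives are removed, whereas the seds keep them and restore PermissionsStartOnly=yes instead; `dch --append 'Replace "+"-prefixed Exec directives with PermissionsStartOnly=yes in debian/systemd'` describes what actually happens.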
@@ -8,9 +8,9 @@ ReloadPropagatedFrom=tor.service
 Type=notify
 NotifyAccess=all
 PIDFile=/var/run/tor-instances/%i/tor.pid
-PermissionsStartOnly=yes
-ExecStartPre=/usr/bin/install -Z -m 02755 -o _tor-%i -g _tor-%i -d /var/run/tor-instances/%i
-ExecStartPre=/bin/sed -e 's/@@NAME@@/%i/g; w /var/run/tor-instances/%i.defaults' /usr/share/tor/tor-service-defaults-torrc-instances
+PermissionsStartOnly=no
+ExecStartPre=+/usr/bin/install -Z -m 02755 -o _tor-%i -g _tor-%i -d /var/run/tor-instances/%i
+ExecStartPre=+/bin/sed -e 's/@@NAME@@/%i/g; w /var/run/tor-instances/%i.defaults' /usr/share/tor/tor-service-defaults-torrc-instances
 ExecStartPre=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults -f /etc/tor/instances/%i/torrc --verify-config
 ExecStart=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults -f /etc/tor/instances/%i/torrc
 ExecReload=/bin/kill -HUP ${MAINPID}
diff --git a/debian/systemd/tor@default.service b/debian/systemd/tor@default.service
index 161838f56..864b02df5 100644
--- a/debian/systemd/tor@default.service
+++ b/debian/systemd/tor@default.service
@@ -8,8 +8,8 @@ ReloadPropagatedFrom=tor.service
 Type=notify
 NotifyAccess=all
 PIDFile=/var/run/tor/tor.pid
-PermissionsStartOnly=yes
-ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor
+PermissionsStartOnly=no
+ExecStartPre=+/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor
 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
 ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
 ExecReload=/bin/kill -HUP ${MAINPID}
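Review bot: The explicit `PermissionsStartOnly=no` line in tor@.service (and the same line in tor@default.service) is undocumented, and a reader is likely to delete it as a no-op since it is the default; its purpose appears to be serving as the anchor that the backport script's sed rewrites to `yes` on systemd versions without the `+` prefix. A comment above it such as `# Kept explicitly: debian/misc/build-tor-sources flips this to "yes" on older systemd that lacks the "+" Exec prefix` would protect that intent. It would also help to state in the unit why the two `+`-prefixed ExecStartPre lines still run as root (runtime directory creation and writing the defaults file) while `--verify-config` now runs with the service's own user and sandboxing, since that privilege split is the whole point of the change and is not visible from the file alone.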