Re: [tor-dev] what capabilities does tor need for reloading?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 just for the record: 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID ... The proper 'fix' is: PermissionsStartOnly=yes REF: http://lists.freedesktop.org/archives/systemd-devel/2015-April/030404.html http://www.freedesktop.org/software/systemd/man/systemd.service.html#PermissionsStartOnly= -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJVQTOVAAoJEFv7XvVCELh0ceUP/14ip5/+6I022mYHuBgTwmkL 69EYtX4uaKb0hDCZAk+hGA1VgAlCwZD87zhXW6Tb42SLnhZ+XGmSg5NefG6MCO5D mKf39Habzj5eDAbyUYItQu7zYzJfgGO823KC19XTwfUjEfalCv7/D2Ra8eHYJRcX PL5cvNTyVpViKk9qW/f8rvZRar7Y4iqig4N5xe93eIf/dpLjpkfPlQhWg13zuoHW YohHSb5BC6+T3CFoIAycRYMSkkBk4KL6CF7q1MTtT1T/1mZlfbZ+ar6MZEfXI1q2 KL6NbdOWv/IIf5aGCAZ58E8RJGZKvoWiga00d8aMgRMASHd6Er93pzhpdF3y2MY9 E5//We2lb+GjDIXbrMNC2ZHsuKgDOFV773w+DJCq0z0BB2WL/X7XNmVxhq3/8h2F M6Sr0Wjazo4O2eEdE0DTNYrU91xAhfk5OuJWPxGQIU9knaqiiwWlxBCqWFJfuA1/ eiJy8sDumd9BzDtr5ewRswjZaZj4jTRYzH+owxnd8U00cImj17+4H6xjDJji8kXe cMDOMjxnnGX00PTCXLPLIoVCD//oBQUqcOhpsDP/Ga3O7lGFlynjVJbUYrjS0/lz cHxF0qX7XGtr0Bevik9xoq8bPomnoULKIfM0EjrD+0LAf3jwFK5Ne5PY+T1AsrdX Go85L9UdvUYUlZwRRTWX =7YTi -END PGP SIGNATURE- ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] what capabilities does tor need for reloading?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE Removing that line solves the reload issue. Reloading with that line does not generate any tor debug loglines. What capability would one have to add to the list to make it work with CapabilityBoundingSet? thanks, Nusenu testing with: tor 0.2.6.4, jessie/systemd 215 [1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26 -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJVCVA7AAoJEFv7XvVCELh0bWIQAKfDZdhwrcWzwOHEP/o3FMoa BTkMxjHdEDezlaHd61/XWHC1cYNOi6kqe/xGL1HRMtDwl09tbn3lq0Vty9P9hBP5 ucLaS1Izz0w7VprEd4ZK+/G4pV8Ht6Kjd7LSaV8RsjdCfK9g5WaI/IDIVGbYKUnC NVJxY+XCxZsvMmkfCUo1un6yZ/p0eQEfksDwtDvf7EupIy3o5wYJhM1bcvVzm/3H UenP8t8VBb7TVOBRuZUyMzS173db/SKp2tY1IOiUktzyJqzzck8gPJvQ4l8DoeqM E2yVr+Qvex/IXRx379sJTyBJt9xthC9BS91uUJA0G3dbYVSvRoUN5XDjaqYztSN3 ctkjT3cocLDu43EslGo/Egh+xWTMdnTvcaTIoLkD5IN4FWu3IrjWnG0gOOyNyPf5 F4UfCty5xn9ztb0y7Zf2GOliR9CnkSB8PIuMt4ManvrMGOwYPZw1KsGsc49UYadn XhEUj1uzf3FBZw2LmbiBR5lNGX2WanWt83EwkiH03MsBkouD60+D/RJ5UQ8pVEwm JHLBqbT2GtBCda3OIPec1kdh3P5TFF+aN9aC1HkVsYRwoUJtIjxPg3wkrOVCU4VF ZJVbqlVuJQn8/3GnphkQgt+jJqTl3b4Ttksu+omGJgYU2Wu42VNFvCFraeQ75q4J D1NinH/G/3I3KBYP+JNu =/eJ6 -END PGP SIGNATURE- ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] what capabilities does tor need for reloading?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi Nick, thanks for your answer. What capability would one have to add to the list to make it work with CapabilityBoundingSet? It probably depends on what's in your configuration. torrc file while testing: User debian-tor DataDirectory /var/lib/tor Log debug file /var/log/tor/log RunAsDaemon 1 DisableDebuggerAttachment 0 My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing. strace output when I trigger the reload via systemctl: 2362 epoll_wait(3, 7f105298a7f0, 32, 99) = -1 EINTR (Interrupted system call) 2362 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=1, si_uid=0} --- 2362 sendto(4, 0x7fffe6bcbf57, 1, 0, NULL, 0) = 1 2362 rt_sigreturn()= -1 EINTR (Interrupted system call) 2362 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=1, si_uid=0} --- 2362 epoll_wait(3, {?} 0x7f105298a7f0, 32, 54) = 1 2362 recvfrom(5, 0x7f10514bb500, 1024, 0, NULL, NULL) = 1 2362 recvfrom(5, 0x7f10514bb500, 1024, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable) 2362 write(7, 0x7fffe6bc9a40, 57) = 57 2362 open(0x7f10529933e0, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 10 2362 write(10, 0x7f105379ac10, 3662) = 3662 2362 close(10) = 0 2362 write(7, 0x7fffe6bc98c0, 96) = 96 2362 rename(0x7f10529933e0, 0x7f1052993200) = 0 2362 write(7, 0x7fffe6bc99c0, 80) = 80 2362 munmap(0x7f1051a06000, 1052672) = 0 2362 write(7, 0x7fffe6bc99c0, 82) = 82 2362 write(7, 0x7fffe6bc99f0, 84) = 84 -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJVCW/1AAoJEFv7XvVCELh0c8EP/RVNFNFdIieFMYZycf0IMReM TqtwOaWsGhkxzf3clXi9rECv0cis6Dvw+PROyPeMaQup/HSLaEwEpqmcKamyk8K2 pXrxVUOI4w8jkUymPMaZX5blnpuVmhPECCYTfkSi8AAbUC9Jl7qnKtu/r6JyoxKC NKf23Aoa0W4Wqn4KzXQff+5dpXUfyysE5r95mhh6z1xL+TfI+Th4IAUO6EsdgbB/ a/qRdtIu1bkKjiwHd6bBiY1ar1IH+GA8ud9QTAUXVkHHZ0w9w3GuEV8n4rP93QWf M+wi0LRnYsw0X3s+jyze811FYNzDfDXmzY27MqVhzZZzwUjqHgEOZQVvFUYaOe4C wTv/cAmj15Moo76dvthwRYeK6NweiS1pYh+qcZy+EGq4Ty57vUmqkmxLe51ylExM yCuJ1IOSC08UA0Ntk80cs/nC4xtSNxrh3P9zLNnzJQweLxUSK/S84PAg/l+CqE+Q 3WzO7CcQOkV8qR1gL2kP0NS1HDZyArfvOLRV6UdGCRCw//hKVACKTP5fh9Acx5Sw PqJIpVu5OMpmZxcBpuv5rhubzA3X3rwbmWqEFTOzL8K7SlxOPha4V/1RIHAOG6Qr /KVdl7EwQPY5gpSWdMHrZa+pnF9VNUv5x3c4VhEenlSUkq6fiBfrivmHWHIyTeSb MwagvB1k5o2aaH834ANm =ClGh -END PGP SIGNATURE- ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] what capabilities does tor need for reloading?
On Wed, Mar 18, 2015 at 6:15 AM, Nusenu nus...@openmailbox.org wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hi, 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE Removing that line solves the reload issue. Reloading with that line does not generate any tor debug loglines. What capability would one have to add to the list to make it work with CapabilityBoundingSet? It probably depends on what's in your configuration. My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing. You might need to temporarily add DisableDebuggerAttachment 0 to your configuration file to allow you to attach a debugger. cheers, -- Nick ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] what capabilities does tor need for reloading?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 so the somewhat obvious fix was to add CAP_KILL. after reading: man capabilities: Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation. I'm not entirely sure since that sounds like tor will be able to kill arbitrary processes. -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJVCXkBAAoJEFv7XvVCELh0MjoP+wdhNqQqNUeeP/FmqRRB3nq5 Vr7Pxt3Q/LkdkWj6KsdyGPrSoo1PNnmy8yYHcuBG+tFXfWeLvSE+UvBS39vs6/QL JDnDbzDasKggVspYCALUKfdcLFEV+LkcvV61ank2ogcNKUFsA47UDXDebV99akWo QtGWK3k49JLx6dPJ+ihMCSm0NNfJIO/Ra9zpXnxIh3vyC/RVi2SvOfQK/Wme4HYH BBAGkihnSPZ/55A/P9NQ7U18RDURhq7xj1hSYdwd7FrvGk+0TeOjnkv5xwYbwIxT KC5hJmF7ezk4XT5UjtHNXLWxgOQ5mMxJ9ZLyH2Jk/OhMvxVKaJdpNtmJyFMXuqZo a9XY0MAbcrrW/GArTT2sSJrYytDqRUsgQjaZw/jCj7oIL0TgfWQADFVSFY3YWvd/ 5LBQALq9pmgUmyoweSKpkaA4byGClBQjRQDb0gDUXW2oeaQiIFdhYE4PtHySP+Fl sx74Ygtj7tBqf0eKLe94ocTlA2koGU/GU3vNddAefTSjDwlXAnBXkzaxLYHwHiTf e7UEw+81Lp8AZ/Q0jO3S1awaKVgpYmmeUBZGdfwww/MJ21ziLBBaBVKofM/Ux1Qu AwVMuhBgLl06KXCNwlXY/ewZEKlgQtjCAzShvznJ9dEzThkTW/MASMwKUH32ATN0 p7tQyv6iI2cr9Gw2RdDE =M8+W -END PGP SIGNATURE- ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] what capabilities does tor need for reloading?
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE This configuration restricts not only the service (tor) but also the ExecReload commands (kill), so the somewhat obvious fix was to add CAP_KILL. -BEGIN PGP SIGNATURE- iQIcBAEBCgAGBQJVCXaCAAoJEFv7XvVCELh0tdQP/2EVKAnufPJ2eJa2j5LyT8oA h0t0jsNZ19C9bbJMXsZhuzS97wtMzqWisWwKbtErdbtatoqXE2ZwL8+hnfTQ7mhQ O4b3tUZftUpKAaKvI49/Z1VmtbtWouuQu94ucKhPmi2K3RspQDmuSQSmqQiFo9xx wSBaak2DneRpNcMYlOLc4JN2VLLcsub/fKL8vW/cO63z5n87NmbAkGrcWCIfCyx8 YBu9VTijmWRvzEkPqcMmBa58R2yOBc5I7BSOPD8R4sTlotbE4CSipciHr/ja+G2Y 34K3yaVnCDI+lpGU0YVY3nLyTg/u/izjIG8zFodsOJh9NXBB40nDLbBm88sxjuhL gctzuV4AvC6rkQ7aWNRLQeFaxaeHoCa2EvvAS3rM1QTC+RVB+HNiiz4DA3wHuz7s arOu93GDhO7ix7+r9g1Uje1X2S5vKqhSNshx1pHVd/aRyDq7lCBgvBu6574FDuT/ T328b1hA0au7mU0LSOXofMEWZHSNYnYEdtAG2kRdBKmeeIa4IlawXxA+kAnx0D1/ QC4OvtE5DhLhnD7BPirHSCC8ju65d2LlpdjD4DER5+p27j83rwi0myIXM1/oD2CO d9lBTGyyc/sHfwRU7NkcXl5RWDq8IMDcbT8LLFdbQR0PYLGrSs5yvy9HXT/A5VMb TJKcrOXxblb3SRzlGSjr =i8ta -END PGP SIGNATURE- ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev