On Wed, 04 Jan 2017, Laurent Bigonville wrote:
> Yes I tried that, deleting the /var/run/tor directory completely and then
> restarting the service and the directory is created. A side note is that we
> should maybe use a tmpfiles config here, that way is more "systemd'ish" and
> then we are sure
On 04/01/17 at 10:13, Peter Palfrader wrote:
On Wed, 04 Jan 2017, Laurent Bigonville wrote:
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
#ReadWriteDirectories=-/var/run
ReadWriteDirectories=-/var/run/tor
Can we still create the directory if it isn't there yet?
On Wed, 04 Jan 2017, Laurent Bigonville wrote:
> reopen 800385
Don't, let's take it to #847477.
> >># Hardening
> >>AppArmorProfile=system_tor
> >>NoNewPrivileges=yes
> >>PrivateTmp=yes
> >>PrivateDevices=yes
> >>ProtectHome=yes
> >>ProtectControlGroups=yes #added
> >>ProtectKernelTunables=yes
reopen 800385
thanks
On 04/01/17 at 08:15, Peter Palfrader wrote:
Thanks for your help!
On Wed, 04 Jan 2017, Laurent Bigonville wrote:
I just tried with the following hardening features, and the daemon is
starting (I kept the old value in comment):
# Hardening
AppArmorProfile=system_tor
Thanks for your help!
On Wed, 04 Jan 2017, Laurent Bigonville wrote:
> I just tried with the following hardening features, and the daemon is
> starting (I kept the old value in comment):
>
> # Hardening
> AppArmorProfile=system_tor
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateDevices=yes
>
On Fri, 16 Dec 2016 12:30:28 + Peter Palfrader
wrote:
> On Sun, 04 Oct 2015, Peter Palfrader wrote:
>
> > On Mon, 28 Sep 2015, Laurent Bigonville wrote:
> > > -CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> > > +CapabilityBoundingSet=CAP_SETUID
On Mon, 28 Sep 2015, Laurent Bigonville wrote:
> When looking at the capabilities that are granted by the .service file
> compared to the upstream one (in the contrib directory), I'm wondering
> if it couldn't be reduced.
Maybe.
> -CapabilityBoundingSet=CAP_SETUID CAP_SETGID
Package: tor
Version: 0.2.6.10-1
Severity: normal
Hi,
When looking at the capabilities that are granted by the .service file
compared to the upstream one (in the contrib directory), I'm wondering
if it couldn't be reduced.
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE