Bug#847477: Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-04 Thread Peter Palfrader
On Wed, 04 Jan 2017, Laurent Bigonville wrote: > Yes I tried that, deleting the /var/run/tor directory completely and then > restarting the service and the directory is created. A side note is that we > should maybe use a tmpfiles config here, that way is more "systemd'ish" and > then we are sure

Bug#847477: Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-04 Thread Laurent Bigonville
On 04/01/17 at 10:13, Peter Palfrader wrote: On Wed, 04 Jan 2017, Laurent Bigonville wrote: ReadWriteDirectories=-/var/lib/tor ReadWriteDirectories=-/var/log/tor #ReadWriteDirectories=-/var/run ReadWriteDirectories=-/var/run/tor Can we still create the directory if it isn't there yet?

Bug#847477: Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-04 Thread Peter Palfrader
On Wed, 04 Jan 2017, Laurent Bigonville wrote: > reopen 800385 Don't, let's take it to #847477. > >># Hardening > >>AppArmorProfile=system_tor > >>NoNewPrivileges=yes > >>PrivateTmp=yes > >>PrivateDevices=yes > >>ProtectHome=yes > >>ProtectControlGroups=yes #added > >>ProtectKernelTunables=yes

Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-04 Thread Laurent Bigonville
reopen 800385 thanks On 04/01/17 at 08:15, Peter Palfrader wrote: Thanks for your help! On Wed, 04 Jan 2017, Laurent Bigonville wrote: I just tried with the following hardening features, and the daemon is starting (I kept the old value in comment): # Hardening AppArmorProfile=system_tor

Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-03 Thread Peter Palfrader
Thanks for your help! On Wed, 04 Jan 2017, Laurent Bigonville wrote: > I just tried with the following hardening features, and the daemon is > starting (I kept the old value in comment): > > # Hardening > AppArmorProfile=system_tor > NoNewPrivileges=yes > PrivateTmp=yes > PrivateDevices=yes >

Bug#800385: tor: systemd .service granting too much capabilities?

2017-01-03 Thread Laurent Bigonville
On Fri, 16 Dec 2016 12:30:28 + Peter Palfrader wrote: > On Sun, 04 Oct 2015, Peter Palfrader wrote: > > > On Mon, 28 Sep 2015, Laurent Bigonville wrote: > > > -CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE > > > +CapabilityBoundingSet=CAP_SETUID

Bug#800385: tor: systemd .service granting too much capabilities?

2015-10-04 Thread Peter Palfrader
On Mon, 28 Sep 2015, Laurent Bigonville wrote: > When looking at the capabilities that are granted by the .service file > compared to the upstream one (in the contrib directory), I'm wondering > if it couldn't be reduced. Maybe. > -CapabilityBoundingSet=CAP_SETUID CAP_SETGID

Bug#800385: tor: systemd .service granting too much capabilities?

2015-09-28 Thread Laurent Bigonville
Package: tor Version: 0.2.6.10-1 Severity: normal Hi, When looking at the capabilities that are granted by the .service file compared to the upstream one (in the contrib directory), I'm wondering if it couldn't be reduced. -CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE