Hi,
I'm currently preparing/testing a systemd unit file (#14995) for Debian (wheezy-backports/systemd 204) based on the one shipped by tor [1].
It does not work yet, and although the 'fix' would be easy (simply remove `NoNewPrivileges = yes`), I'd like to hear from you before removing such a security feature.
Does tor require new privileges to work?
It actually fails in two instances:
1) before actually starting the tor daemon (--verify-config):
Process: 2844 ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config (code=exited, status=227/NO_NEW_PRIVILEGES)
2) and when actually starting the daemon
thanks, Nusenu
I'm testing with 0.2.5.10-1~d70.wheezy
minimal test torrc used:
User debian-tor
DataDirectory /var/lib/tor
Log debug file /var/log/tor/log
[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n25
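Added example (not code from the thread or from tor) probing what NoNewPrivileges=yes asks the kernel for: systemd sets the no_new_privs flag with prctl(PR_SET_NO_NEW_PRIVS) before executing the service, and status 227/NO_NEW_PRIVILEGES is its exit code for that call failing. The flag only stops a process from gaining privilege at execve (setuid bits, file capabilities); dropping to the torrc User with setresuid(), as the helper below does, stays permitted. It assumes a Linux build host; on a kernel older than 3.5 the prctl returns EINVAL.

```c
#define _GNU_SOURCE            /* for setresuid()/setresgid() */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38 /* added in Linux 3.5 */
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the no_new_privs flag the way systemd does for NoNewPrivileges=yes.
 * Returns 0 on success, otherwise errno (EINVAL on a kernel predating it). */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return errno;
    return 0;
}

/* 1 if the flag is set on this process, 0 if not, -1 on error.
 * Once set it is inherited across fork/execve and cannot be cleared. */
int get_no_new_privs(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* What tor's "User debian-tor" amounts to: switch gid then uid.  Lowering
 * privilege is not blocked by no_new_privs.  As root this is a real drop;
 * as an ordinary user switching to your own ids is the permitted no-op. */
int drop_to(uid_t uid, gid_t gid)
{
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return errno;
    return 0;
}

int main(void)
{
    int rc = set_no_new_privs();
    if (rc != 0) {
        printf("PR_SET_NO_NEW_PRIVS failed: %s\n", strerror(rc));
        return 1;
    }
    rc = drop_to(getuid(), getgid());
    printf("no_new_privs=%d, setresuid under it: %s\n",
           get_no_new_privs(), rc ? strerror(rc) : "ok");
    return rc;
}
```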
Could you please put
Log debug /tmp/tor-startup.log
in your torrc, try to start the daemon with NoNewPrivileges=yes, and then post the contents of /tmp/tor-startup.log? We need to know exactly how it's failing. (We might actually need you to run it under `strace`, even.)
zw
Hello Zack,
thanks for your answer.
Zack Weinberg:
Could you please put
Log debug /tmp/tor-startup.log
I had:
Log debug file /var/log/tor/log
but it is not being written to.
(I disabled ExecStartPre for now).
in your torrc, try to start the daemon with NoNewPrivileges=yes, and then post the contents of /tmp/tor-startup.log? We need to know exactly how it's failing. (We might actually need you to run it under `strace`, even.)
It is a bit of a tricky environment to run strace in. How would you go about it?
If anyone wants to try here is the unit file: (use it with the torrc file from the initial email)
------------------------------------
[Unit]
Description = Anonymizing overlay network for TCP
After = syslog.target network.target nss-lookup.target

[Service]
Type = simple
#ExecStartPre = /usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart = /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
ExecReload = /bin/kill -HUP ${MAINPID}
KillSignal = SIGINT
TimeoutSec = 30
Restart = on-failure
WatchdogSec = 1m
LimitNOFILE = 32768

# Hardening
PrivateTmp = yes
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
NoNewPrivileges = yes
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

# not supported in wheezy-backports (systemd 204)
#PrivateDevices = yes
#ProtectHome = yes
#ProtectSystem = full

[Install]
WantedBy = multi-user.target
------------------------------------
On Tue, Mar 17, 2015 at 12:55 PM, Nusenu nusenu@openmailbox.org wrote:
I had:
Log debug file /var/log/tor/log
but it is not being written to.
This is *probably* because one of the missing privileges is the ability to write to files in /var/log/tor. Try `Log debug stderr` instead -- you'll have to fish the logs out of systemd's journal, but I *think* it should keep a complete transcript.
It is a bit of a tricky environment to run strace in. How would you go about it?
ExecStart = /usr/bin/strace -f /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
seems like it ought to work (again, the trace will get written to the journal)
zw
Zack Weinberg:
On Tue, Mar 17, 2015 at 12:55 PM, Nusenu nusenu@openmailbox.org wrote:
I had:
Log debug file /var/log/tor/log
but it is not being written to.
This is *probably* because one of the missing privileges is the ability to write to files in /var/log/tor. Try `Log debug stderr` instead -- you'll have to fish the logs out of systemd's journal, but I *think* it should keep a complete transcript.
It is a bit of a tricky environment to run strace in. How would you go about it?
ExecStart = /usr/bin/strace -f /usr/bin/tor -f /etc/tor/torrc --runasdaemon 0
seems like it ought to work (again, the trace will get written to the journal)
After running systemd in debug mode and having a look at the systemd debug log, I had a wild guess that this is actually a systemd issue.
Running the same thing on jessie/systemd 215 works.
Sorry for the noise, and thanks for your help nonetheless!