-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi,
'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]:
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
Removing that line "solves" the reload issue. Reloading with that line does not generate any tor debug loglines.
What capability would one have to add to the list to make it work with CapabilityBoundingSet?
thanks, Nusenu
testing with: tor 0.2.6.4, jessie/systemd 215
[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26
On Wed, Mar 18, 2015 at 6:15 AM, Nusenu nusenu@openmailbox.org wrote:
> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> Hi,
> 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]:
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> Removing that line "solves" the reload issue. Reloading with that line does not generate any tor debug loglines.
> What capability would one have to add to the list to make it work with CapabilityBoundingSet?
It probably depends on what's in your configuration. My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing. You might need to temporarily add DisableDebuggerAttachment 0 to your configuration file to allow you to attach a debugger.
cheers,
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Hi Nick,
thanks for your answer.
>> What capability would one have to add to the list to make it work with CapabilityBoundingSet?
> It probably depends on what's in your configuration.
torrc file while testing:
User debian-tor
DataDirectory /var/lib/tor
Log debug file /var/log/tor/log
RunAsDaemon 1
DisableDebuggerAttachment 0
> My first guess on how to find out would be to look to see if you can possibly use strace or gdb or something to figure out what system call is failing.
strace output when I trigger the reload via systemctl:
2362 epoll_wait(3, 7f105298a7f0, 32, 99) = -1 EINTR (Interrupted system call)
2362 --- SIGINT {si_signo=SIGINT, si_code=SI_USER, si_pid=1, si_uid=0} ---
2362 sendto(4, 0x7fffe6bcbf57, 1, 0, NULL, 0) = 1
2362 rt_sigreturn() = -1 EINTR (Interrupted system call)
2362 --- SIGCONT {si_signo=SIGCONT, si_code=SI_USER, si_pid=1, si_uid=0} ---
2362 epoll_wait(3, {?} 0x7f105298a7f0, 32, 54) = 1
2362 recvfrom(5, 0x7f10514bb500, 1024, 0, NULL, NULL) = 1
2362 recvfrom(5, 0x7f10514bb500, 1024, 0, 0, 0) = -1 EAGAIN (Resource temporarily unavailable)
2362 write(7, 0x7fffe6bc9a40, 57) = 57
2362 open(0x7f10529933e0, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 10
2362 write(10, 0x7f105379ac10, 3662) = 3662
2362 close(10) = 0
2362 write(7, 0x7fffe6bc98c0, 96) = 96
2362 rename(0x7f10529933e0, 0x7f1052993200) = 0
2362 write(7, 0x7fffe6bc99c0, 80) = 80
2362 munmap(0x7f1051a06000, 1052672) = 0
2362 write(7, 0x7fffe6bc99c0, 82) = 82
2362 write(7, 0x7fffe6bc99f0, 84) = 84
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> strace output when I trigger the reload via systemctl:
> [...]
Sorry, that output was actually not caused by the systemctl reload command; using strace I just found out that tor exits on its own and gets restarted by systemd's watchdog... OK, more fun debugging systemd hardening ;)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]:
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
This configuration restricts not only the service (tor) but also the ExecReload commands (kill), so the somewhat obvious fix was to add "CAP_KILL".
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
> so the somewhat obvious fix was to add "CAP_KILL".
After reading man capabilities:
"Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation."
I'm not entirely sure, since that sounds like tor will be able to kill arbitrary processes.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Just for the record:
> 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]:
> CapabilityBoundingSet = CAP_SETUID CAP_SETGID ...
The proper 'fix' is: PermissionsStartOnly=yes
REF:
http://lists.freedesktop.org/archives/systemd-devel/2015-April/030404.html
http://www.freedesktop.org/software/systemd/man/systemd.service.html#Permiss...