Hi,
tor will fail to startup with the current systemd service file [1] if your torrc makes use of the ControlSocket feature.
To work around the issue one has to additionally allow the following capabilities: CAP_DAC_OVERRIDE CAP_CHOWN since the socket file is created as root and then changed to the tor user (chown).
Is it possible to change this to not require CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?
thanks, Nusenu
[1] https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in#n26
On Sun, 12 Apr 2015 12:46:26 +0000 Nusenu <nusenu@openmailbox.org> wrote:
> tor will fail to startup with the current systemd service file [1] if your torrc makes use of the ControlSocket feature.
> To work around the issue one has to additionally allow the following capabilities: CAP_DAC_OVERRIDE CAP_CHOWN since the socket file is created as root and then changed to the tor user (chown).
> Is it possible to change this to not require CAP_DAC_OVERRIDE and CAP_CHOWN capabilities anymore?
I bet using the AF_UNIX SocksPort stuff will break as well, since the code is common. All of the listeners are launched before switching uid/gid and dropping privileges since it's common code.
The way to fix this would be to change retry_listener_ports and retry_all_listeners code to additionally allow only launching service ports (< 1024), and staging the listener launch process on config (re)load to something that looks like:
1. Launch listeners that require elevated privileges (CAP_NET_BIND_SERVICE).
2. Drop privileges and switch the uid/gid.
3. Launch the rest of the listeners, including all of the AF_UNIX based ones (as the runtime tor user, so neither privilege is required).
Patches accepted.
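The three-stage launch sketched in the reply above, as an added C example that is not tor's code: listeners are split into those that need CAP_NET_BIND_SERVICE and those that do not, the privileged ones are bound first, the process switches uid/gid, and only then are the AF_UNIX sockets created, so they are owned by the runtime user without any chown. The struct, function and callback names are hypothetical, and `bind_fn` stands in for whatever actually creates the socket.

```c
#define _GNU_SOURCE            /* for setgroups() on glibc */
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
#include <grp.h>
#include <unistd.h>

enum listener_kind { LISTENER_TCP, LISTENER_UNIX };

struct listener {
    enum listener_kind kind;
    int port;          /* LISTENER_TCP only */
    const char *path;  /* LISTENER_UNIX only, e.g. a ControlSocket path */
};

/* Only a TCP port below 1024 needs CAP_NET_BIND_SERVICE. An AF_UNIX socket
 * created after the uid/gid switch is already owned by the runtime user, so
 * no chown is needed and CAP_CHOWN / CAP_DAC_OVERRIDE can stay dropped. */
bool listener_needs_privilege(const struct listener *l) {
    return l->kind == LISTENER_TCP && l->port < 1024;
}

/* Split listeners into stage 1 (privileged) and stage 3 (unprivileged).
 * Returns the stage-1 count; the remaining n - count entries are in unpriv[]. */
int stage_listeners(const struct listener *in, int n,
                    const struct listener **priv, const struct listener **unpriv) {
    int np = 0, nu = 0;
    for (int i = 0; i < n; i++) {
        if (listener_needs_privilege(&in[i])) priv[np++] = &in[i];
        else unpriv[nu++] = &in[i];
    }
    return np;
}

/* Stage 2: switch to the runtime user and verify the drop cannot be undone. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root means the drop failed */
}

typedef int (*bind_fn)(const struct listener *);

/* The staged launch: bind privileged ports, drop, then bind everything else. */
int launch_staged(const struct listener *in, int n, uid_t uid, gid_t gid, bind_fn bind) {
    const struct listener *priv[64], *unpriv[64];
    if (n > 64) return -1;
    int np = stage_listeners(in, n, priv, unpriv);
    for (int i = 0; i < np; i++) if (bind(priv[i]) != 0) return -1;
    if (drop_privileges(uid, gid) != 0) return -1;
    for (int i = 0; i < n - np; i++) if (bind(unpriv[i]) != 0) return -1;
    return 0;
}
```

With this ordering the systemd unit only needs CAP_NET_BIND_SERVICE for the low ports; a unit that grants nothing beyond that will still start a configuration with a ControlSocket.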
Thanks for the reply, I added a trac entry: https://bugs.torproject.org/15659