This is really weird. When I try to start Tor for the second time, it outputs into Journal:

wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Tor 0.4.1.5 running on Linux with Libevent 2.1.11-stable, OpenSSL 1.1.1c, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd N/A.
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.018 [notice] Read configuration file "/etc/tor/torrc".
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.040 [warn] Directory /var/lib/tor/ssh cannot be read: Permission denied
wrz 19 22:50:40 pomiot tor[151908]: Sep 19 22:50:40.040 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.

Interestingly enough, it created that directory in the previous run, and it's owned by tor:tor, u+rwx. This really makes no sense to me.
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE seems to be responsible for that. If I remove it, Tor starts fine.
I think the issue is that we're starting Tor as root but restricting its privileges. It tries to read its own configuration before dropping privileges to the 'tor' user, but it doesn't have the capability to read other users' files. I've been able to come up with two possible solutions: 1. Add CAP_DAC_READ_SEARCH to let it read other users' files before changing user. 2. Set User in the systemd service, and remove it from torrc. Then Tor will start as an unprivileged user, but it will at least have access to its own files. No clue whether option 2 has any corner cases, though.
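Option 1 from the comment above, written out as a systemd drop-in. This is an added example, not a file from the bug report or from the tor package; the drop-in path is an assumption, and the original capability set is the one quoted in comment #1:

```ini
# /etc/systemd/system/tor.service.d/caps.conf   (assumed drop-in path)
[Service]
# An empty assignment clears the bounding set inherited from the
# distribution unit; without it a second CapabilityBoundingSet= line is
# merged into the old value rather than replacing it.
CapabilityBoundingSet=
# Failing value from comment #1: Tor is still root while it reads torrc,
# but root only has the capabilities left in the bounding set, and
# entering the tor-owned /var/lib/tor/ssh needs CAP_DAC_READ_SEARCH.
# CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
# Corrected value: CAP_DAC_READ_SEARCH is only needed until Tor switches
# to the 'tor' user from torrc, after which Tor owns the files anyway.
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
```

After `systemctl daemon-reload`, `systemctl show -p CapabilityBoundingSet tor.service` shows the set the unit will actually run with.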
(In reply to Michał Górny from comment #2) > 2. Set User in systemd service, and remove it from torrc. Then Tor will > start as unprivileged user but it will at least have access to its own files. This is what I'm currently using: [OVERRIDDEN] /etc/systemd/system/tor.service → /lib/systemd/system/tor.service --- /lib/systemd/system/tor.service 2019-10-10 12:50:16.422262877 +0200 +++ /etc/systemd/system/tor.service 2019-10-12 17:01:34.236049999 +0200 @@ -21,9 +21,9 @@ LimitNOFILE=32768 # Hardening -Group=tor +User=tor RuntimeDirectory=tor -RuntimeDirectoryMode=0770 +RuntimeDirectoryMode=0750 PrivateTmp=yes PrivateDevices=yes ProtectHome=yes This would allow settings like SocksPort unix:/var/run/tor/socks GroupWritable ControlPort unix:/var/run/tor/control GroupWritable without changing tor.service Those are the common paths expected by most applications: https://trac.torproject.org/projects/tor/wiki/doc/Tor_friendly_applications_best_practices#networkconfiguration
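Review bot: with `User=tor` the service no longer starts as root, so the `CAP_NET_BIND_SERVICE` that comment #1 shows in `CapabilityBoundingSet=` stops being usable: a bounding set only limits capabilities, it does not grant them to an unprivileged user. A torrc that binds a port below 1024 would therefore fail under this override unless the unit also gains `AmbientCapabilities=CAP_NET_BIND_SERVICE`; that is the corner case comment #2 was unsure about. Two smaller points: replacing `Group=tor` with `User=tor` makes the service group depend on the tor user's primary group, so keeping `Group=tor` next to `User=tor` would make the `GroupWritable` sockets under `/var/run/tor` land in the intended group regardless of the account setup; and the `RuntimeDirectoryMode=0770` to `0750` change should be explained alongside the override, since dropping group write on the runtime directory is a separate decision from the user switch.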