| Field | Value |
|---|---|
| Summary | net-vpn/tor: can't read its own files when run via systemd service |
| Product | Gentoo Linux |
| Reporter | Michał Górny <mgorny> |
| Component | Current packages |
| Assignee | John Helmert III <ajak> |
| Status | CONFIRMED |
| Severity | normal |
| CC | bertrand, poncho, sam |
| Priority | Normal |
| Keywords | PullRequest |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://github.com/gentoo/gentoo/pull/26430 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Michał Górny
2019-09-19 20:53:55 UTC
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE seems to be responsible for that. If I remove it, Tor starts fine.

I think the issue is that we're starting Tor as root but restricting its privileges. It tries to read its own configuration before dropping privileges to the 'tor' user, but it doesn't have the capability to read other users' files.

I've been able to come up with two possible solutions:

1. Add CAP_DAC_READ_SEARCH to let it read other users' files before changing user.
2. Set User in the systemd service, and remove it from torrc. Then Tor will start as an unprivileged user, but it will at least have access to its own files.

No clue whether option 2 has any corner cases, though.

(In reply to Michał Górny from comment #2)
> 2. Set User in systemd service, and remove it from torrc. Then Tor will
> start as unprivileged user but it will at least have access to its own files.

This is what I'm currently using:

[OVERRIDDEN] /etc/systemd/system/tor.service → /lib/systemd/system/tor.service

```diff
--- /lib/systemd/system/tor.service	2019-10-10 12:50:16.422262877 +0200
+++ /etc/systemd/system/tor.service	2019-10-12 17:01:34.236049999 +0200
@@ -21,9 +21,9 @@
 LimitNOFILE=32768
 
 # Hardening
-Group=tor
+User=tor
 RuntimeDirectory=tor
-RuntimeDirectoryMode=0770
+RuntimeDirectoryMode=0750
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectHome=yes
```

This would allow settings like

```
SocksPort unix:/var/run/tor/socks GroupWritable
ControlPort unix:/var/run/tor/control GroupWritable
```

without changing tor.service. Those are the common paths expected by most applications: https://trac.torproject.org/projects/tor/wiki/doc/Tor_friendly_applications_best_practices#networkconfiguration
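Review bot: the hunk replaces `Group=tor` with `User=tor` and drops the explicit group entirely, so the unit now relies on systemd defaulting to the tor user's primary group; keeping `Group=tor` next to `User=tor` makes that explicit and keeps the GroupWritable socket lines above working regardless of how the account was created. The override also only works together with removing `User tor` from torrc, which the diff cannot show; a one-line comment under `# Hardening` such as `# user switch is done here, not in torrc` would record that dependency for whoever edits either file next. The `RuntimeDirectoryMode=0770` to `0750` change is consistent with the new owner: clients in group tor only need search access to /var/run/tor, and the sockets themselves get their group-write bit from Tor's GroupWritable flag.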