On Thu, Jun 22, 2017 at 07:30:11AM +0000, Peter Palfrader wrote:
> On Wed, 21 Jun 2017, David Fifield wrote:
>
> > Package: tor
> > Version: 0.2.9.10-1
> > Severity: normal
> >
> > I'm trying to have a server transport plugin listen on a port <1024. In
> > the past, it has worked to set CAP_NET_BIND_SERVICE on the pluggable
> > transport binary (e.g. /usr/bin/obfs4proxy). But that no longer works
> > with the Debian tor packages; the transport binary gets a "permission
> > denied" error trying to bind to the port. Bisection suggests that it
> > stopped working in tor_0.2.7.4-rc-1.
>
> Does it start working again if you add CAP_NET_BIND_SERVICE to the
> CapabilityBoundingSet in the tor@default.service (or tor@.service)
> systemd unit file?
CAP_NET_BIND_SERVICE is already present in the CapabilityBoundingSet of
both tor@default.service and tor@.service. I tried adding it to the
[Service] section of tor.service, and that didn't work.

I'm using the default tor instance (i.e. not one created with
tor-instance-create). I'm using the main debian.org tor package (which
doesn't have tor-instance-create), not the deb.torproject.org one.

==> /lib/systemd/system/tor.service <==
# This service is actually a systemd target,
# but we are using a service since targets cannot be reloaded.

[Unit]
Description=Anonymizing overlay network for TCP (multi-instance-master)

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true

[Install]
WantedBy=multi-user.target

==> /lib/systemd/system/tor@.service <==
[Unit]
Description=Anonymizing overlay network for TCP (instance %i)
After=network.target nss-lookup.target
PartOf=tor.service
ReloadPropagatedFrom=tor.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/tor-instances/%i/tor.pid
PermissionsStartOnly=yes
ExecStartPre=/usr/bin/install -Z -m 02755 -o _tor-%i -g _tor-%i -d /var/run/tor-instances/%i
ExecStartPre=/bin/sed -e 's/@@NAME@@/%i/g; w /var/run/tor-instances/%i.defaults' /usr/share/tor/tor-service-defaults-torrc-instances
ExecStartPre=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults -f /etc/tor/instances/%i/torrc --verify-config
ExecStart=/usr/bin/tor --defaults-torrc /var/run/tor-instances/%i.defaults -f /etc/tor/instances/%i/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=300
TimeoutStopSec=60
Restart=on-failure
LimitNOFILE=65536

# Hardening
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
# We would really like to restrict the next item to [..]/%i but we can't,
# as systemd does not support that yet. See also #781730.
ReadWriteDirectories=-/var/lib/tor-instances
ReadWriteDirectories=-/var/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

[Install]
WantedBy=multi-user.target

==> /lib/systemd/system/tor@default.service <==
[Unit]
Description=Anonymizing overlay network for TCP
After=network.target nss-lookup.target
PartOf=tor.service
ReloadPropagatedFrom=tor.service

[Service]
Type=notify
NotifyAccess=all
PIDFile=/var/run/tor/tor.pid
PermissionsStartOnly=yes
ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /var/run/tor
ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config
ExecStart=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutStartSec=300
TimeoutStopSec=60
Restart=on-failure
LimitNOFILE=65536

# Hardening
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
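An added audit helper, not part of the thread or of the Debian tor package: it parses a unit file in the format quoted above (repeated keys such as ReadWriteDirectories accumulate) and reports whether a helper binary started by that service could rely on a file capability at all. Two settings decide this: CapabilityBoundingSet, which the thread discusses, and NoNewPrivileges=yes, which sets PR_SET_NO_NEW_PRIVS and under which execve() does not honour setuid bits or file capabilities (prctl(2)). The sample unit text is a constructed excerpt of the quoted tor@default.service.

```python
import re

# Constructed excerpt of the tor@default.service quoted in the thread.
SAMPLE_UNIT = """\
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=notify
# Hardening
NoNewPrivileges=yes
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/run
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
"""

def parse_unit(text):
    """Parse unit text into {section: {key: [value, ...]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections

def file_caps_usable(unit, cap="CAP_NET_BIND_SERVICE"):
    """Return (ok, reason): can a child started by this [Service] gain `cap` via a file capability?"""
    service = unit.get("Service", {})
    # PR_SET_NO_NEW_PRIVS: execve() ignores setuid bits and file capabilities entirely.
    if any(v.lower() in ("yes", "true", "on", "1") for v in service.get("NoNewPrivileges", [])):
        return False, "NoNewPrivileges=yes: file capabilities are ignored at execve()"
    # CapabilityBoundingSet assignments accumulate; an empty assignment resets the set.
    # The '~' (exclude) form is not modelled here, only the positive form used in the unit.
    bounding = None  # None: directive absent, bounding set unrestricted
    for assignment in service.get("CapabilityBoundingSet", []):
        bounding = set() if assignment == "" else (bounding or set()) | set(assignment.split())
    if bounding is not None and cap not in bounding:
        return False, f"{cap} missing from CapabilityBoundingSet"
    return True, f"{cap} can be gained from a file capability"

if __name__ == "__main__":
    print(file_caps_usable(parse_unit(SAMPLE_UNIT)))
```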