Debian Bug report logs - #847477
more systemd protection stuff


Package: tor; Maintainer for tor is Peter Palfrader <weasel@debian.org>; Source for tor is src:tor (PTS, buildd, popcon).

Reported by: Peter Palfrader <weasel@debian.org>

Date: Thu, 8 Dec 2016 15:21:02 UTC

Severity: normal

Found in versions tor/0.2.8.9-1, tor/0.2.9.8-1



Report forwarded to debian-bugs-dist@lists.debian.org:
Bug#847477; Package tor. (Thu, 08 Dec 2016 15:21:04 GMT)


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
New Bug report received and forwarded. (Thu, 08 Dec 2016 15:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Peter Palfrader <weasel@debian.org>
To: submit@bugs.debian.org
Subject: more systemd protection stuff
Date: Thu, 8 Dec 2016 15:19:50 +0000
Package: tor
Version: 0.2.8.9-1

https://bugs.torproject.org/20930 lists a few more items we might
consider adding to our systemd service file.  Things like PrivateUsers
etc.

Evaluate.
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#847477; Package tor. (Wed, 04 Jan 2017 09:15:10 GMT)


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. (Wed, 04 Jan 2017 09:15:10 GMT)


Message #10 received at 847477@bugs.debian.org:

From: Peter Palfrader <weasel@debian.org>
To: Laurent Bigonville <bigon@debian.org>
Cc: 800385-done@bugs.debian.org, 847477@bugs.debian.org
Subject: Re: Bug#800385: tor: systemd .service granting too much capabilities?
Date: Wed, 4 Jan 2017 09:13:04 +0000
On Wed, 04 Jan 2017, Laurent Bigonville wrote:

> reopen 800385

Don't, let's take it to #847477.

> >># Hardening
> >>AppArmorProfile=system_tor
> >>NoNewPrivileges=yes
> >>PrivateTmp=yes
> >>PrivateDevices=yes
> >>ProtectHome=yes
> >>ProtectControlGroups=yes #added
> >>ProtectKernelTunables=yes #added
> >Maybe.
> >
> >>#ProtectSystem=full
> >>ProtectSystem=strict
> >Maybe.  That's new in sid/testing.
> >
> >>#ReadOnlyDirectories=/
> 
> I understand better why you choose the ReadOnlyDirectories=/ instead of
> ProtectSystem=strict now
> 
> >>#ReadWriteDirectories=-/proc
> >Maybe.
> >
> >>ReadWriteDirectories=-/var/lib/tor
> >>ReadWriteDirectories=-/var/log/tor
> >>#ReadWriteDirectories=-/var/run
> >>ReadWriteDirectories=-/var/run/tor
> >Can we still create the directory if it isn't there yet?
> 
> Yes, it's working; if I comment it out completely the daemon fails. I
> think that it only applies to the main process and not the Pre one (maybe?)

Does it also work if /var/run/tor is *not* there yet when you try to
start the service?  At least at some point in history the Pre commands
were subject to the same restrictions.

> >>#CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
> >>CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
> >No, that breaks hidden services.  See https://bugs.debian.org/847598
> 
> I see. Do you know what were the owner/group of /var/lib/tor/hidden_service/
> in that bug?

They were debian-tor:, go-rwx, but the check is run when tor is still
root, thus DAC_OVERRIDE is required.

> >>torify wget http://www.perdu.com returns the expected content
> >I think other useful tests would be
> >  - can Tor start when a hidden service is configured?
> >  - can Hidden services read/write to backend sockets in
> >    /var/lib/tor-onion-sockets/?
> >  - does transparent proxying still work (TransPort)?
> >  - can we log to syslog?
> 
> I'll try to see when I can test that. Don't expect a reply tomorrow though.
> 
> For the syslog part, I see stuff being logged in journald, so it's OK I
> guess.

Don't guess, test :)




Information forwarded to debian-bugs-dist@lists.debian.org, Peter Palfrader <weasel@debian.org>:
Bug#847477; Package tor. (Wed, 04 Jan 2017 09:33:03 GMT)


Acknowledgement sent to Laurent Bigonville <bigon@debian.org>:
Extra info received and forwarded to list. Copy sent to Peter Palfrader <weasel@debian.org>. (Wed, 04 Jan 2017 09:33:03 GMT)


Message #15 received at 847477@bugs.debian.org:

From: Laurent Bigonville <bigon@debian.org>
To: Peter Palfrader <weasel@debian.org>
Cc: 800385-done@bugs.debian.org, 847477@bugs.debian.org
Subject: Re: Bug#800385: tor: systemd .service granting too much capabilities?
Date: Wed, 4 Jan 2017 10:29:15 +0100
On 04/01/17 at 10:13, Peter Palfrader wrote:
> On Wed, 04 Jan 2017, Laurent Bigonville wrote:
>
>>
>>>> ReadWriteDirectories=-/var/lib/tor
>>>> ReadWriteDirectories=-/var/log/tor
>>>> #ReadWriteDirectories=-/var/run
>>>> ReadWriteDirectories=-/var/run/tor
>>> Can we still create the directory if it isn't there yet?
>> Yes, it's working; if I comment it out completely the daemon fails. I
>> think that it only applies to the main process and not the Pre one (maybe?)
> Does it also work if /var/run/tor is *not* there yet when you try to
> start the service?  At least at some point in history the Pre commands
> were subject to the same restrictions.

Yes, I tried that: deleting the /var/run/tor directory completely and
then restarting the service, and the directory is created. A side note:
we should maybe use a tmpfiles config here; that way it is more
"systemd'ish" and we are sure the directory is created at boot.
>>>> #CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
>>>> CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
>>> No, that breaks hidden services.  See https://bugs.debian.org/847598
>> I see. Do you know what were the owner/group of /var/lib/tor/hidden_service/
>> in that bug?
> They were debian-tor:, go-rwx, but the check is run when tor is still
> root, thus DAC_OVERRIDE is required.

OK

>
>>>> torify wget http://www.perdu.com returns the expected content
>>> I think other useful tests would be
>>>   - can Tor start when a hidden service is configured?
>>>   - can Hidden services read/write to backend sockets in
>>>     /var/lib/tor-onion-sockets/?
>>>   - does transparent proxying still work (TransPort)?
>>>   - can we log to syslog?
>> I'll try to see when I can test that. Don't expect a reply tomorrow though.
>>
>> For the syslog part, I see stuff being logged in journald, so it's OK I
>> guess.
> Don't guess, test :)
>




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#847477; Package tor. (Wed, 04 Jan 2017 09:42:03 GMT)


Acknowledgement sent to Peter Palfrader <weasel@debian.org>:
Extra info received and forwarded to list. (Wed, 04 Jan 2017 09:42:03 GMT)


Message #20 received at 847477@bugs.debian.org:

From: Peter Palfrader <weasel@debian.org>
To: Laurent Bigonville <bigon@debian.org>, 847477@bugs.debian.org
Subject: Re: Bug#847477: Bug#800385: tor: systemd .service granting too much capabilities?
Date: Wed, 4 Jan 2017 09:39:01 +0000
On Wed, 04 Jan 2017, Laurent Bigonville wrote:

> Yes, I tried that: deleting the /var/run/tor directory completely and then
> restarting the service, and the directory is created. A side note: we
> should maybe use a tmpfiles config here; that way it is more "systemd'ish"
> and we are sure the directory is created at boot.

Works for me.



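As an added example (not from this thread or the Debian tor package), a script that stages the hardening drop-in discussed above together with the tmpfiles.d entry Laurent suggests for /var/run/tor, and checks that the two settings the thread found essential (CAP_DAC_OVERRIDE kept, /var/run/tor writable) are present. The unit name tor@default, the drop-in and tmpfiles paths, and the tmpfiles mode/owner are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread or the Debian tor package): stage a
# systemd drop-in with the hardening directives tested in #847477 plus the
# tmpfiles.d entry suggested for /var/run/tor. Set DESTDIR to stage elsewhere.
set -eu

DESTDIR="${DESTDIR:-}"
DROPIN="$DESTDIR/etc/systemd/system/tor@default.service.d/hardening.conf"
TMPFILES="$DESTDIR/etc/tmpfiles.d/tor.conf"

write_dropin() {
    mkdir -p "$(dirname "$DROPIN")"
    cat > "$DROPIN" <<'EOF'
[Service]
AppArmorProfile=system_tor
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
# ReadOnlyDirectories=/ with explicit writable holes; "-" = ignore if missing
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
ReadWriteDirectories=-/var/run/tor
# CAP_DAC_OVERRIDE stays: tor checks hidden-service dir perms while still root
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE
EOF
}

# Mode and owner are assumptions; /var/run is a symlink to /run on Debian.
write_tmpfiles() {
    mkdir -p "$(dirname "$TMPFILES")"
    # Type Path     Mode Owner      Group      Age Argument
    printf 'd /run/tor 0750 debian-tor debian-tor - -\n' > "$TMPFILES"
}

# Check the drop-in still carries the two settings the thread found essential.
check_dropin() {
    grep -q '^CapabilityBoundingSet=.*CAP_DAC_OVERRIDE' "$DROPIN" &&
        grep -q '^ReadWriteDirectories=-/var/run/tor$' "$DROPIN"
}

if [ "${1:-}" = install ]; then
    write_dropin && write_tmpfiles && check_dropin
    echo "staged under ${DESTDIR:-/}; now: systemd-tmpfiles --create; systemctl daemon-reload"
fi
```

Run as `DESTDIR=/tmp/stage sh harden-tor.sh install` to inspect the result before touching the live system; the manual checks from the thread (hidden service start, onion sockets, TransPort, syslog) still have to be done after a restart.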


Marked as found in versions tor/0.2.9.8-1. Request was from Peter Palfrader <weasel@debian.org> to control@bugs.debian.org. (Mon, 28 Aug 2017 17:33:05 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Nov 2 01:36:11 2021; Machine Name: bembo