Re-add CAP_DAC_OVERRIDE to the CapabilityBoundingSet.

Tor checks properties of hidden service directories as root before changing its UID to debian-tor, and those trees are owned by debian-tor and go-rwx (closes: #847598).

Re-add CAP_DAC_OVERRIDE to the CapabilityBoundingSet.
0b33e38e · Peter Palfrader · bd8c7b0d · 0b33e38e · 0b33e38e · 0b33e38e
Commit 0b33e38e authored 8 years ago by Peter Palfrader
--- a/debian/changelog
+++ b/debian/changelog
+tor (0.2.8.11-2) unstable; urgency=medium
+
+  * Re-add CAP_DAC_OVERRIDE to the CapabilityBoundingSet.  Tor checks
+    properties of hidden service directories as root before changing its UID
+    to debian-tor, and those trees are owned by debian-tor and go-rwx
+    (closes: #847598).
+
+ -- Peter Palfrader <weasel@debian.org>  Fri, 09 Dec 2016 19:23:24 +0100
+
 tor (0.2.8.11-1) unstable; urgency=medium

  * New upstream version.

--- a/debian/systemd/tor@.service
+++ b/debian/systemd/tor@.service
@@ -29,7 +29,7 @@ ProtectSystem=full
 ReadOnlyDirectories=/
 ReadWriteDirectories=-/var/lib/tor-instances
 ReadWriteDirectories=-/var/run
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE

 [Install]
 WantedBy=multi-user.target
--- a/debian/systemd/tor@default.service
+++ b/debian/systemd/tor@default.service
@@ -31,4 +31,4 @@ ReadWriteDirectories=-/proc
 ReadWriteDirectories=-/var/lib/tor
 ReadWriteDirectories=-/var/log/tor
 ReadWriteDirectories=-/var/run
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE