Trac issues (https://gitlab.torproject.org/legacy/trac/-/issues), last updated 2020-06-13T15:42:16Z

**Issue**: https://gitlab.torproject.org/legacy/trac/-/issues/19762
**Title**: Tor systemd service should have ReadWriteDirectories=/var/run/tor
**Updated**: 2020-06-13T15:42:16Z
**Author**: Trac

Tor writes its pidfile to /var/run/tor/tor.pid by default.
However, https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in specifies that all but 2 directories are read only. Therefore, when one starts tor using:
```
systemctl start tor
```
using the default configuration, this error is logged in the journal:
```
Jul 26 22:42:32 irrational Tor[19048]: Unable to open "/var/run/tor/tor.pid" for writing: Read-only file system
```
and no pidfile is written.
Adding:
```
ReadWriteDirectories=-/var/run/tor
```
to the [Service] section fixes the problem.
**Trac**:
**Username**: candrews
**Tor**: unspecified

**Issue**: https://gitlab.torproject.org/legacy/trac/-/issues/19761
**Title**: Tor systemd service should have RuntimeDirectory=tor
**Updated**: 2020-06-13T15:42:16Z
**Author**: Trac

Tor writes its pidfile to /var/run/tor/tor.pid by default. Therefore, the systemd configuration should create this directory with appropriate permissions by default.
In https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in there should be this line:
{{{
}}}
added to the [Service] section.
See the documentation at https://www.freedesktop.org/software/systemd/man/systemd.exec.html for more detail.
**Trac**:
**Username**: candrews
**Tor**: unspecified

**Issue**: https://gitlab.torproject.org/legacy/trac/-/issues/19759
**Title**: systemd tor.service hardening: add MemoryDenyWriteExecute=true
**Updated**: 2020-06-13T15:42:16Z
**Author**: Trac

In systemd 231, the MemoryDenyWriteExecute option was added:
A new service setting MemoryDenyWriteExecute= has been added, taking
a boolean value. If turned on, a service may no longer create memory
mappings that are writable and executable at the same time. This
enhances security for services where this is enabled as it becomes
harder to dynamically write and then execute memory in exploited
service processes. This option has been enabled for all of systemd's
own long-running services.
https://lists.freedesktop.org/archives/systemd-devel/2016-July/037220.html
Can you please add:
```
MemoryDenyWriteExecute=true
```
to https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in in the [Service] section?
Note that systemd < 231 will simply ignore this unknown option so there is no backwards compatibility concern.
**Trac**:
**Username**: candrews
**Tor**: unspecified

**Issue**: https://gitlab.torproject.org/legacy/trac/-/issues/13805
**Title**: Improve hardening in tor.service
**Updated**: 2020-06-13T14:44:34Z
**Author**: Trac

I suggest that tor.service's hardening implementation be changed. These lines would be replaced:
```
[Service]
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
ReadWriteDirectories = /proc
```
With these lines:
```
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
```
Using PrivateDevices instead of DeviceAllow entries is more secure as it creates a totally separate /dev as well as removing the CAP_MKNOD capability.
ProtectHome makes /home inaccessible, equivalent to "InaccessibleDirectories = /home" but (arguably) more comprehensible.
ProtectSystem=full makes /usr and /etc read only.
CapabilityBoundingSet reduces the process capabilities to just what it needs.
See http://www.freedesktop.org/software/systemd/man/systemd.exec.html
This discussion was started at https://bugs.gentoo.org/show_bug.cgi?id=529212 and the suggestion to use the higher level constructs was made by the Gentoo systemd team.
For historical reference, tor.service was added in #8368
**Trac**:
**Username**: candrews
**Tor**: 0.2.6.x-final
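The four tickets above (#19762, #19761, #19759 and #13805) all touch the same `[Service]` section, so here is one added example that applies all of them together: a drop-in an administrator or packager could layer over a distribution's tor.service. It is not the tor.service.in from the Tor repository and not candrews' proposed text. The drop-in path, the user and group name `tor`, and the /var/lib/tor and /var/log/tor locations are assumptions to be adjusted to the local torrc. It also departs from the #13805 suggestion in one respect: tor is started as the unprivileged user from the outset instead of starting as root and dropping privileges itself, so CAP_SETUID and CAP_SETGID are not needed and `AmbientCapabilities=` (systemd 229 and later) keeps the low-port bind working. systemd unit files do not allow trailing comments, so every comment sits on its own line.

```ini
# /etc/systemd/system/tor.service.d/hardening.conf
# Added example, not the tor.service.in shipped by the Tor project.
# Assumptions: tor runs as the local user and group "tor", its DataDirectory
# is /var/lib/tor and its log files live under /var/log/tor. Adjust to torrc.
[Service]

# Run as the unprivileged user directly rather than starting as root and
# dropping privileges inside tor (so do not also set "User" in torrc). The
# bounding set then needs no CAP_SETUID/CAP_SETGID, and AmbientCapabilities=
# (systemd 229+) lets the non-root process still bind ports below 1024.
User=tor
Group=tor
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# #19761: systemd creates /run/tor (the target of /var/run on most systems)
# owned by User=/Group= before ExecStart= runs and removes it on stop.
# The default mode is 0755; RuntimeDirectoryMode= changes it.
RuntimeDirectory=tor

# #13805: sandboxing through the high-level settings.
# PrivateDevices=yes mounts a private /dev containing only API pseudo-devices
# (/dev/null and /dev/urandom among them) and drops CAP_MKNOD and CAP_SYS_RAWIO.
# ProtectHome=yes makes /home, /root and /run/user appear empty.
# ProtectSystem=full mounts /usr, /boot and /etc read-only.
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
PrivateTmp=yes

# #19762: ProtectSystem=full leaves /run and /var writable, but a unit that
# also mounts the whole tree read-only must list exactly what tor writes to,
# the runtime directory included. ReadOnlyPaths=/ReadWritePaths= are the
# systemd 231 names; older releases spell them ReadOnlyDirectories= and
# ReadWriteDirectories=. A leading "-" makes a missing path non-fatal.
ReadOnlyPaths=/
ReadWritePaths=-/var/lib/tor
ReadWritePaths=-/var/log/tor
ReadWritePaths=-/run/tor

# #19759: refuse memory mappings that are writable and executable at the same
# time (enforced with a seccomp filter on the mmap/mprotect family). Tor has
# no JIT, so nothing legitimate breaks; systemd < 231 warns about the unknown
# assignment and otherwise ignores it.
MemoryDenyWriteExecute=true
```

After `systemctl daemon-reload` and `systemctl restart tor`, the "Unable to open "/var/run/tor/tor.pid" for writing: Read-only file system" line from #19762 should no longer appear in `journalctl -u tor`. `systemctl show -p MemoryDenyWriteExecute tor.service` confirms that the setting was parsed rather than ignored, and on systemd 240 and later `systemd-analyze security tor.service` scores the resulting sandbox and lists any remaining exposure.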