Improve hardening in tor.service
I suggest that tor.service's hardening implementation be changed. These lines would be replaced:

```
[Service]
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
ReadWriteDirectories = /proc
```

With these lines:

```
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
```

Using PrivateDevices instead of the DeviceAllow lines is more secure, as it creates a totally separate /dev as well as removing the CAP_MKNOD capability. ProtectHome makes /home inaccessible, equivalent to "InaccessibleDirectories = /home" but (arguably) more comprehensible. ProtectSystem=full makes /usr and /etc read-only. CapabilityBoundingSet reduces the process's capabilities to just what it needs.

See http://www.freedesktop.org/software/systemd/man/systemd.exec.html

This discussion was started at https://bugs.gentoo.org/show_bug.cgi?id=529212 and the suggestion to use the higher-level constructs was made by the Gentoo systemd team.

For historical reference, tor.service was added in legacy/trac#8368

**Trac**: **Username**: candrews
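As an added example (not code from the issue, from Tor, or from the Gentoo systemd team), the following script parses the `[Service]` section of a unit file the way systemd reads it (repeated keys accumulate, an empty `Key=` resets the list, whitespace around `=` is ignored), reports which of the low-level sandboxing directives discussed above are still present without their higher-level counterpart, and prints the section with the replacements applied. The sample unit is constructed here from the "before" block quoted in the issue with a `Type=` and `ExecStart=` line added so it reads as a complete section; it is not the real tor.service, and the function names and capability list are the example's own choices (the capabilities mirror the issue's proposal).

```python
"""Lint a systemd unit's [Service] section for the low-level sandboxing
directives discussed in the issue and emit the higher-level replacements
(PrivateDevices=, ProtectHome=, ProtectSystem=, CapabilityBoundingSet=)."""

# Constructed sample input (not the real tor.service): the old hardening
# lines from the issue plus a Type= and ExecStart= so the section is whole.
OLD_UNIT = """\
[Unit]
Description=Anonymizing overlay network for TCP

[Service]
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = /var/lib/tor
ReadWriteDirectories = /var/log/tor
ReadWriteDirectories = /var/run/tor
ReadWriteDirectories = /proc
"""

# Directives the higher-level settings replace in this example.
LOW_LEVEL_KEYS = ("DeviceAllow", "InaccessibleDirectories",
                  "ReadOnlyDirectories", "ReadWriteDirectories")


def parse_service_section(unit_text):
    """Return {key: [values]} for [Service], following systemd's rules:
    repeated keys accumulate, an empty 'Key=' resets the accumulated list,
    whitespace around '=' is ignored, and '#'/';' lines are comments."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value == "":
            settings[key] = []          # 'Key=' resets earlier assignments
        else:
            settings.setdefault(key, []).append(value)
    return settings


def is_yes(values):
    """systemd boolean: the last assignment wins."""
    return bool(values) and values[-1].lower() in ("1", "yes", "true", "on")


def suggest_hardening(settings):
    """List the replacements from the issue that the unit still lacks."""
    findings = []
    if settings.get("DeviceAllow") and not is_yes(settings.get("PrivateDevices", [])):
        findings.append("DeviceAllow= -> PrivateDevices=yes (private /dev, drops CAP_MKNOD)")
    if "/home" in settings.get("InaccessibleDirectories", []) \
            and not is_yes(settings.get("ProtectHome", [])):
        findings.append("InaccessibleDirectories=/home -> ProtectHome=yes")
    if "/" in settings.get("ReadOnlyDirectories", []) and not settings.get("ProtectSystem"):
        # ProtectSystem=full leaves /var writable, so the ReadWriteDirectories
        # carve-outs under /var are no longer needed once ReadOnlyDirectories=/ goes.
        findings.append("ReadOnlyDirectories=/ (+ ReadWriteDirectories= carve-outs) -> ProtectSystem=full")
    if not settings.get("CapabilityBoundingSet"):
        findings.append("no CapabilityBoundingSet=: capability bounding set is not restricted")
    return findings


def hardened_directives(settings, caps):
    """Return the [Service] lines with the low-level directives dropped and
    the higher-level ones appended; 'caps' is the capability list the
    daemon needs (the issue proposes NET_BIND_SERVICE, SETUID, SETGID)."""
    kept = [f"{key}={value}" for key, values in settings.items()
            if key not in LOW_LEVEL_KEYS for value in values]
    return kept + ["PrivateDevices=yes", "ProtectHome=yes", "ProtectSystem=full",
                   "CapabilityBoundingSet=" + " ".join(caps)]


if __name__ == "__main__":
    parsed = parse_service_section(OLD_UNIT)
    for finding in suggest_hardening(parsed):
        print("finding:", finding)
    print("\n[Service]")
    print("\n".join(hardened_directives(
        parsed, ["CAP_NET_BIND_SERVICE", "CAP_SETUID", "CAP_SETGID"])))
```

Run against the sample it reports all four findings and prints the section with only `Type=`, `ExecStart=` and the four higher-level directives; run against its own output it reports nothing. The parser deliberately does not use `configparser`, which would collapse the repeated `DeviceAllow=` and `ReadWriteDirectories=` keys that systemd treats as lists.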