Opened 5 years ago

Closed 2 years ago

#15195 closed defect (fixed)

systemd service doesn't work with ControlSocket

Reported by: poncho
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version: Tor: 0.2.6.3-alpha
Severity: Normal
Keywords:
Cc: candrews@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

systemd[1]: Starting Anonymizing overlay network for TCP...
tor[7288]: Mar 09 09:55:22.363 [notice] Tor v0.2.6.3-alpha (git-7df7e8d71d7afc42) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0
tor[7288]: Mar 09 09:55:22.363 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download
tor[7288]: Mar 09 09:55:22.363 [notice] This version is not a stable Tor release. Expect more bugs than usual.
tor[7288]: Mar 09 09:55:22.363 [notice] Read configuration file "/etc/tor/torrc".
tor[7288]: Mar 09 09:55:22.365 [notice] Caching new entry tor for tor
tor[7288]: Mar 09 09:55:22.365 [notice] Caching new entry tor for tor
tor[7288]: Mar 09 09:55:22.365 [notice] Not disabling debugger attaching for unprivileged users.
tor[7288]: Configuration was valid
tor[7291]: Mar 09 09:55:22.740 [notice] Tor v0.2.6.3-alpha (git-7df7e8d71d7afc42) running on Linux with Libevent 2.0.22-stable, OpenSSL 1.0
tor[7291]: Mar 09 09:55:22.740 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download
tor[7291]: Mar 09 09:55:22.740 [notice] This version is not a stable Tor release. Expect more bugs than usual.
tor[7291]: Mar 09 09:55:22.740 [notice] Read configuration file "/etc/tor/torrc".
tor[7291]: Mar 09 09:55:22.742 [notice] Opening Socks listener on 127.0.0.1:9050
tor[7291]: Mar 09 09:55:22.742 [notice] Caching new entry tor for tor
tor[7291]: Mar 09 09:55:22.742 [notice] Opening Control listener on /var/run/tor/control
tor[7291]: Mar 09 09:55:22.742 [warn] Could not unlink /var/run/tor/control: Permission denied
tor[7291]: Mar 09 09:55:22.742 [notice] Closing partially-constructed Socks listener on 127.0.0.1:9050
tor[7291]: Mar 09 09:55:22.742 [notice] Closing partially-constructed Socks listener on 127.0.0.1:9150
tor[7291]: Mar 09 09:55:22.742 [warn] Failed to parse/validate config: Failed to bind one of the listener ports.
tor[7291]: Mar 09 09:55:22.742 [err] Reading config failed--see warnings above.
systemd[1]: tor.service: main process exited, code=exited, status=255/n/a

To make it work, I need to add
ReadWriteDirectories = -/var/run/tor
and
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
(the additional capabilities are CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER)
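
A configuration check for the failure in this report, as an added example that is not part of the ticket or of Tor's code: it reads a torrc and a tor.service unit and reports when no writable-path entry covers the ControlSocket directory or when the bounding set lacks the three capabilities the reporter added. The sample torrc and unit text are constructed, the unit is assumed to restrict writes as the log implies, paths are compared lexically without resolving symlinks, and `~`-inverted capability sets are not handled.

```python
import posixpath

# Capabilities the ticket's reporter had to add (taken from the ticket text).
TICKET_CAPS = {"CAP_DAC_OVERRIDE", "CAP_CHOWN", "CAP_FOWNER"}
LIST_KEYS = {"CapabilityBoundingSet": "caps",
             "ReadWriteDirectories": "rw", "ReadWritePaths": "rw"}

# Constructed sample inputs, not copied from any shipped package.
TORRC = "SocksPort 9050\nControlSocket /var/run/tor/control\n"
UNIT_BEFORE = """[Service]
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE
ReadWriteDirectories=-/var/lib/tor
"""
UNIT_AFTER = UNIT_BEFORE + """ReadWriteDirectories = -/var/run/tor
CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER
"""

def control_socket_dir(torrc):
    """Directory holding the ControlSocket named in torrc text, or None."""
    for line in torrc.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0].lower() == "controlsocket":
            return posixpath.dirname(posixpath.normpath(words[1]))
    return None

def unit_lists(unit):
    """Merge list-valued sandbox settings; an empty assignment resets."""
    out = {"caps": None, "rw": []}
    for line in unit.splitlines():
        key, sep, value = line.partition("=")
        slot = LIST_KEYS.get(key.strip())  # '#'-commented keys never match
        if sep and slot:
            items = [i.lstrip("-+") for i in value.split()]
            out[slot] = (out[slot] or []) + items if items else []
    return out

def audit(torrc, unit):
    """Findings that would stop Tor from creating its control socket."""
    sock_dir, cfg, findings = control_socket_dir(torrc), unit_lists(unit), []
    if sock_dir is None:
        return findings
    roots = [posixpath.normpath(p).rstrip("/") + "/" for p in cfg["rw"]]
    if not any((sock_dir + "/").startswith(r) for r in roots):
        findings.append("no ReadWriteDirectories entry covers " + sock_dir)
    caps = cfg["caps"]  # None means the unit sets no bounding set at all
    missing = [] if caps is None else sorted(TICKET_CAPS - set(caps))
    if missing:
        findings.append("CapabilityBoundingSet lacks " + " ".join(missing))
    return findings
```
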


Change History (17)

comment:1 Changed 5 years ago by poncho

Component: - Select a component → Tor

comment:2 Changed 5 years ago by nickm

Milestone: Tor: 0.2.6.x-final

Hmmm. I think it's to be expected that if you enable or disable more things in your torrc, you would need to edit the systemd file accordingly.

I think the best thing to do here is to add some comments to the systemd file explaining this?

comment:3 Changed 5 years ago by candrews

Cc: candrews@… added

comment:4 Changed 5 years ago by nickm

Milestone: Tor: 0.2.6.x-final → Tor: 0.2.7.x-final

Added a comment to tor.service.in in 0.2.7. Improvements to comment welcome.

comment:5 Changed 5 years ago by poncho

Well, figuring out the capabilities is kind of difficult...
see also: https://lists.torproject.org/pipermail/tor-dev/2015-March/008474.html

comment:6 Changed 5 years ago by nickm

Status: new → assigned

comment:7 Changed 5 years ago by nickm

Keywords: 027-triaged-1-out added

Marking triaged-out items from first round of 0.2.7 triage.

comment:8 Changed 5 years ago by nickm

Milestone: Tor: 0.2.7.x-final → Tor: 0.2.???

Make all non-needs_review, non-needs_revision, 027-triaged-1-out items belong to 0.2.???

comment:9 Changed 4 years ago by intrigeri

FWIW, on Debian we have:

CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER

... and tor starts fine with ControlSocket enabled.

comment:10 Changed 3 years ago by teor

Milestone: Tor: 0.2.??? → Tor: 0.3.???

Milestone renamed

comment:11 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:12 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:13 Changed 3 years ago by nickm

Keywords: 027-triaged-in added

comment:14 Changed 3 years ago by nickm

Keywords: 027-triaged-in removed

comment:15 Changed 3 years ago by nickm

Keywords: 027-triaged-1-out removed

comment:16 Changed 3 years ago by nickm

Status: assigned → new

Change the status of all assigned/accepted Tor tickets with owner="" to "new".

comment:17 Changed 2 years ago by teor

Resolution: fixed
Severity: Normal
Status: new → closed

Using systemd and the control socket works in recent Debian versions.
