Opened 3 years ago

Last modified 16 months ago

#20930 new enhancement

Use new systemd hardening options

Reported by: serafean
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: systemd, packaging
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Using systemd 232, I discovered some more hardening options. This is my working systemd unit file.
I'd say the most interesting ones are "PrivateUsers" and "PrivateDevices".
Note that I start tor directly as the tor user, listening on ports > 1024, because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024.
Setting this capability is enough to start dnsmasq as non-root (listening on the correct ports), so it is something within tor that breaks.
AFAIK setting these is safe even for older systems, since systemd ignores unknown keywords.

[Unit]
Description=The Onion Router
After=network-online.target

[Service]
User=tor
Group=tor
ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor  --RunAsDaemon 0 -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGINT
TimeoutStopSec=32
LimitNOFILE=32768

# Hardening options:
#CapabilityBoundingSet = CAP_NET_BIND_SERVICE
#AmbientCapabilities = CAP_NET_BIND_SERVICE
# Capabilities aren't enough to have ports < 1024
RuntimeDirectory=tor
# Tor is happy with this default mask (systemd does not allow a trailing comment after a value)
RuntimeDirectoryMode=0700
ReadWriteDirectories=/var/lib/tor/
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes

[Install]
WantedBy=multi-user.target

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by weasel

Some of these look interesting for the Debian package as well. Opened #847477 about that.

comment:2 Changed 3 years ago by dgoulet

Component: - Select a component → Core Tor/Tor
Milestone: Tor: 0.3.???

comment:3 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.??? → Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:4 Changed 3 years ago by serafean

Three more settings:

RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=yes
# Available in systemd-233 (systemd does not allow a trailing comment after a value)
RestrictNamespaces=yes

Tor still starts and works with these set.

comment:5 Changed 2 years ago by candrews

With Fedora expressing more interest in this type of hardening (https://lwn.net/SubscriberLink/709755/a3b534d94fc57157/), could this change be reviewed and applied?

Also, I really think Debian should use "contrib/dist/tor.service.in" instead of having and maintaining its own systemd unit (of course it can / should patch the service for Debian-specific needs, but the basis should be "contrib/dist/tor.service.in").

comment:6 Changed 2 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:7 Changed 2 years ago by nickm

Keywords: systemd packaging added

comment:8 Changed 16 months ago by bundesgebaermutter

My relay also has syscall filtering applied. Works fine with 0.3.2 and high ports.

[Service]
SystemCallFilter=~@clock @cpu-emulation @keyring @module @mount @privileged @raw-io
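
The directives collected across this ticket (the unit in the description, the three keys in comment:4 and the syscall filter in comment:8) can be checked mechanically before a unit is shipped. The script below is an added example written for this page, not tooling from Tor or systemd. It reads a unit the way systemd.syntax(7) describes (whitespace around "=" ignored, "#"/";" comment lines, backslash continuation, empty assignment resets a list key) and reports hardening keys that are missing or weakened. It also catches the one mistake that appears twice on this page: a "#" after a value, which systemd does not treat as a comment. The directive list HARDENING, the parser parse_unit and the checker audit are this example's own names; the sample unit AS_POSTED is constructed from the lines posted in this ticket.

```python
"""Audit a systemd [Service] section for the hardening directives in this ticket.

Added example, not Tor's or systemd's own tooling.  Parsing is a simplified
reading of systemd.syntax(7): whitespace around '=' is ignored, lines that
start with '#' or ';' are comments, a trailing backslash continues a line,
an empty assignment resets a list-valued key, and '#' after a value is data.
"""
import re

# Directive -> value proposed in the ticket ("yes" accepts any systemd true word).
HARDENING = {
    "NoNewPrivileges": "yes", "PrivateTmp": "yes", "PrivateDevices": "yes",
    "PrivateUsers": "yes", "ProtectHome": "yes", "ProtectSystem": "strict",
    "ProtectKernelTunables": "yes", "ProtectKernelModules": "yes",
    "ProtectControlGroups": "yes", "MemoryDenyWriteExecute": "yes",
    "RestrictNamespaces": "yes",
}
LIST_KEYS = {"RestrictAddressFamilies", "SystemCallFilter"}
TRUE_WORDS = {"1", "yes", "true", "on"}

def parse_unit(text):
    """Return {section: {key: value}}; keys in LIST_KEYS accumulate into lists."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # backslash: continue on next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.fullmatch(r"\[([A-Za-z0-9_-]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue                         # not an assignment, ignore it
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            if value == "":
                current[key] = []            # empty assignment resets the list
            else:
                current.setdefault(key, []).extend(value.split())
        else:
            current[key] = value             # last assignment wins
    return sections

def audit(text):
    """Return a list of findings for the [Service] section; [] means it passes."""
    findings = []
    service = parse_unit(text).get("Service", {})
    if service.get("User", "root") == "root":
        findings.append("runs as root: set User= to an unprivileged account")
    for key, value in service.items():
        items = value if isinstance(value, list) else [value]
        if any("#" in item for item in items):
            findings.append(f"{key}= contains '#': systemd has no trailing "
                            "comments, so the text after '#' becomes part of the value")
    for key, want in HARDENING.items():
        got = service.get(key)
        if got is None:
            findings.append(f"{key}= missing (want {key}={want})")
        elif "#" in got:
            continue                         # already reported above
        elif want == "yes" and got.lower() not in TRUE_WORDS:
            findings.append(f"{key}={got} is not enabled")
        elif want != "yes" and got.lower() != want:
            findings.append(f"{key}={got} is weaker than {want}")
    for key in LIST_KEYS:
        if not service.get(key):
            findings.append(f"{key}= missing or empty")
    return findings

# Constructed from the unit and comments in this ticket, keeping the two
# inline comments exactly as posted so the checker can flag them.
AS_POSTED = """
[Service]
User=tor
RuntimeDirectory=tor
RuntimeDirectoryMode=0700 # Tor is happy with this default mask
ReadWritePaths=/var/lib/tor/
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes #Available in systemd-233
SystemCallFilter=~@clock @cpu-emulation @keyring @module @mount @privileged @raw-io
"""
# The same directives with the trailing comments stripped off the values.
FIXED = re.sub(r"[ \t]+#.*", "", AS_POSTED)
```

Running audit(AS_POSTED) yields two findings, one for RuntimeDirectoryMode= and one for RestrictNamespaces=, both because of the trailing "#"; audit(FIXED) yields none. The check deliberately does not judge the SystemCallFilter= contents beyond presence: which groups a relay can deny is a per-deployment decision, and comment:8 only reports that the listed set works with 0.3.2 on high ports.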

comment:9 Changed 16 months ago by teor

Thanks!
If we're going to merge this, we need a patch on the tor master branch systemd file at https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in

If you want changes made to Debian, please use the Debian bug tracker at https://bugs.debian.org
