Opened 4 years ago

Last modified 3 years ago

#20930 new enhancement

Use new systemd hardening options

Reported by: serafean Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: systemd, packaging
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Using systemd 232, I discovered some more hardening options. This is my working systemd unit file.
I'd say the most interesting one is "PrivateUsers" and "PrivateDevices"
Note that I start tor directly as the tor user, listening on ports > 1024, because CAP_NET_BIND_SERVICE isn't enough to listen on ports < 1024.
Setting this capability is enough to start dnsmasq as non-root (listening on correct ports), so it is something within tor that breaks.
AFAIK setting these is safe even for older systems since systemd ignores unknown keywords.

Description=The Onion Router

ExecStartPre=/usr/bin/tor --verify-config -f /etc/tor/torrc
ExecStart=/usr/bin/tor  --RunAsDaemon 0 -f /etc/tor/torrc
ExecReload=/bin/kill -HUP $MAINPID

# Hardening options:
#CapabilityBoundingSet = CAP_NET_BIND_SERVICE
#AmbientCapabilities = CAP_NET_BIND_SERVICE
# Capabilities aren't enough to have ports < 1024
RuntimeDirectoryMode=0700 # Tor is happy with this default mask
PrivateTmp = yes
PrivateUsers = yes
ProtectKernelTunables = yes
ProtectControlGroups = yes
ProtectKernelModules = yes
PrivateDevices = yes
ProtectHome = yes
ProtectSystem = strict
NoNewPrivileges = yes


Child Tickets

Change History (9)

comment:1 Changed 4 years ago by weasel

Some of these look interesting for the Debian package as well. Opened #847477 about that.

comment:2 Changed 4 years ago by dgoulet

Component: - Select a componentCore Tor/Tor
Milestone: Tor: 0.3.???

comment:3 Changed 4 years ago by nickm

Keywords: tor-03-unspecified-201612 added
Milestone: Tor: 0.3.???Tor: unspecified

Finally admitting that 0.3.??? was a euphemism for Tor: unspecified all along.

comment:4 Changed 4 years ago by serafean

three more settings :

RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes #Available in systemd-233

Tor still starts and works with these set.

comment:5 Changed 4 years ago by candrews

With fedora expressing more interest in this type of hardening could this change be reviewed and applied?

Also, I really think Debian should use "contrib/dist/" instead of having and maintaining it's own systemd unit (of course it can / should patch the service for Debian specific needs, but the basis should be "contrib/dist/").

comment:6 Changed 3 years ago by nickm

Keywords: tor-03-unspecified-201612 removed

Remove an old triaging keyword.

comment:7 Changed 3 years ago by nickm

Keywords: systemd packaging added

comment:8 Changed 3 years ago by bundesgebaermutter

My relay also has syscall filtering applied. Works fine with 0.3.2 and high ports.

SystemCallFilter=~@clock @cpu-emulation @keyring @module @mount @privileged @raw-io

comment:9 Changed 3 years ago by teor

If we're going to merge this, we need a patch on the tor master branch systemd file at

If you want changes made to Debian, please use the Debian bug tracker at

Note: See TracTickets for help on using tickets.