From: intrigeri Date: Wed, 27 Aug 2014 03:05:12 +0000 (+0000) Subject: systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751). X-Git-Tag: tor-0.2.6.1-alpha~155^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9f30c4512fa6409eaf829c8448c8e086271c94f;p=thirdparty%2Ftor.git systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751). The rest of the filesystem is accessible for reading only. Still, quoting systemd.exec(5): Note that restricting access with these options does not extend to submounts of a directory that are created later on. --- diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in index 2fe51c75d9..8c70ccc6e3 100644 --- a/contrib/dist/tor.service.in +++ b/contrib/dist/tor.service.in @@ -19,6 +19,9 @@ PrivateTmp = yes DeviceAllow = /dev/null rw DeviceAllow = /dev/urandom r InaccessibleDirectories = /home +ReadOnlyDirectories = / +ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor +ReadWriteDirectories = @LOCALSTATEDIR@/log/tor [Install] WantedBy = multi-user.target
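Review bot: In the three lines added after `InaccessibleDirectories = /home`, `ReadOnlyDirectories = /` leaves only `@LOCALSTATEDIR@/lib/tor` and `@LOCALSTATEDIR@/log/tor` writable. The hunk context does not show where any other runtime file (for example a PID file or control socket) would live, so please confirm that every path the daemon writes to falls under those two directories or add a further `ReadWriteDirectories` entry for it. The submount caveat quoted from systemd.exec(5) in the commit message is also worth recording as a comment beside these directives in the unit file, so that someone who later mounts a filesystem below / knows the read-only restriction will not extend to it.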