From: Nick Mathewson Date: Mon, 20 Jul 2015 15:01:58 +0000 (-0400) Subject: Merge remote-tracking branch 'public/bug16162_026' X-Git-Tag: tor-0.2.7.2-alpha~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a329a7a05199d3d0ec21e072f91a2213b8fc7b8;p=thirdparty%2Ftor.git Merge remote-tracking branch 'public/bug16162_026' --- 0a329a7a05199d3d0ec21e072f91a2213b8fc7b8 diff --cc contrib/dist/tor.service.in index ae339ff844,58a74b7fe7..9c1a255b2e --- a/contrib/dist/tor.service.in +++ b/contrib/dist/tor.service.in @@@ -1,35 -1,29 +1,35 @@@ +# tor.service -- this systemd configuration file for Tor sets up a +# relatively conservative, hardened Tor service. You may need to +# edit it if you are making changes to your Tor configuration that it +# does not allow. Package maintainers: this should be a starting point +# for your tor.service; it is not the last point. + [Unit] - Description = Anonymizing overlay network for TCP - After = syslog.target network.target nss-lookup.target + Description=Anonymizing overlay network for TCP + After=syslog.target network.target nss-lookup.target [Service] - Type = notify - NotifyAccess = all - ExecStartPre = @BINDIR@/tor -f @CONFDIR@/torrc --verify-config - ExecStart = @BINDIR@/tor -f @CONFDIR@/torrc - ExecReload = /bin/kill -HUP ${MAINPID} - KillSignal = SIGINT - TimeoutSec = 30 - Restart = on-failure - WatchdogSec = 1m - LimitNOFILE = 32768 + Type=notify + NotifyAccess=all + ExecStartPre=@BINDIR@/tor -f @CONFDIR@/torrc --verify-config + ExecStart=@BINDIR@/tor -f @CONFDIR@/torrc + ExecReload=/bin/kill -HUP ${MAINPID} + KillSignal=SIGINT + TimeoutSec=30 + Restart=on-failure + WatchdogSec=1m + LimitNOFILE=32768 # Hardening - PrivateTmp = yes - PrivateDevices = yes - ProtectHome = yes - ProtectSystem = full - ReadOnlyDirectories = / - ReadWriteDirectories = -@LOCALSTATEDIR@/lib/tor - ReadWriteDirectories = -@LOCALSTATEDIR@/log/tor - NoNewPrivileges = yes - CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE 
+ PrivateTmp=yes + PrivateDevices=yes + ProtectHome=yes + ProtectSystem=full + ReadOnlyDirectories=/ + ReadWriteDirectories=-@LOCALSTATEDIR@/lib/tor + ReadWriteDirectories=-@LOCALSTATEDIR@/log/tor + NoNewPrivileges=yes + CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE [Install] - WantedBy = multi-user.target + WantedBy=multi-user.target
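Review bot: The two `ReadWriteDirectories=-@LOCALSTATEDIR@/...` lines in the Hardening block carry a leading `-`, which makes systemd skip a path that does not exist while `ReadOnlyDirectories=/` still applies, so a missing or relocated data or log directory surfaces only as write failures inside Tor after start, not as a unit error. The header comment says the file may need editing but not which lines, so I would add above them `# "-" = ignore if missing; add a ReadWriteDirectories= line for any DataDirectory or log path outside these two.` The unit shows no `User=` line, so `CAP_SETUID CAP_SETGID` are presumably there for Tor to drop privileges itself via torrc; a one-line comment saying so would keep a later maintainer from trimming the bounding set or assuming the service never starts as root. `NotifyAccess=all` also accepts status messages from any process in the service's control group; if only the main Tor process sends them, `main` would be the narrower setting, which is worth confirming.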