systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).

The rest of the filesystem is accessible for reading only. Still, quoting
systemd.exec(5):

  Note that restricting access with these options does not extend to submounts
  of a directory that are created later on.
intrigeri 2014-08-27 03:05:12 +00:00
parent b159ffb675
commit c9f30c4512


@ -19,6 +19,9 @@ PrivateTmp = yes
DeviceAllow = /dev/null rw DeviceAllow = /dev/null rw
DeviceAllow = /dev/urandom r DeviceAllow = /dev/urandom r
InaccessibleDirectories = /home InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
[Install] [Install]
WantedBy = multi-user.target WantedBy = multi-user.target
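
Review bot: The writable set added after `InaccessibleDirectories = /home` is limited to `@LOCALSTATEDIR@/lib/tor` and `@LOCALSTATEDIR@/log/tor`, so with `ReadOnlyDirectories = /` any other location tor writes at runtime will fail with a read-only filesystem error. Please confirm that nothing the daemon is configured to create (PID file, control socket, cookie file) lives outside those two trees, or add a further `ReadWriteDirectories =` line for it. Also check how the unit behaves on hosts where `@LOCALSTATEDIR@/log/tor` does not exist, for example when tor logs only to syslog, since a missing path in these directives can prevent the service from starting. The submount caveat quoted from systemd.exec(5) in the commit message would be worth repeating as a comment next to `ReadOnlyDirectories = /`, so that someone reading the unit file alone knows mounts created after startup are not covered by the restriction.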