Commit Graph

19 Commits

Author SHA1 Message Date
Nick Mathewson
548b4be163 Forward-port changelog and releasenotes 2015-03-17 10:54:38 -04:00
Nick Mathewson
0f628d6560 Added a comment to tor.service.in
This explains that if you change your torrc to do more, you might
need to change tor.service.in to allow it.  See #15195.
2015-03-12 13:11:53 -04:00
Nick Mathewson
2dac77c041 Actually remove LOCALSTATEDIR@/run/tor line from tor.service.in 2015-01-11 20:49:19 -05:00
Nick Mathewson
96a407a243 systemd changes for 13805 as recommened by Tomasz on that ticket. 2015-01-11 11:26:08 -05:00
Nick Mathewson
c98e075ebc Merge remote-tracking branch 'candrews/issue13805' 2015-01-11 11:24:48 -05:00
Tomasz Torcz
a8999acc3b fix and enable systemd watchdog
There were following problems:
  - configure.ac wrongly checked for defined HAVE_SYSTEMD; this
    wasn't working, so the watchdog code was not compiled in.
    Replace library search with explicit version check
  - sd_notify() watchdog call was unsetting NOTIFY_SOCKET from env;
    this means only first "watchdog ping" was delivered, each
    subsequent one did not have socket to be sent to and systemd
    was killing service
  - after those fixes, enable Watchdog in systemd unit with one
    minute intervals
2015-01-11 11:14:32 -05:00
Tomasz Torcz
b17918726d send PID of the main daemon to supervisor
If running under systemd, notify the supervisor about current PID
of Tor daemon.  This makes systemd unit simpler and more robust:
it will do the right thing regardless of RunAsDaemon settings.
2015-01-11 11:14:08 -05:00
Craig Andrews
5bdf12ca8a Add ProtectSystem = full
See 13805
2014-11-28 12:41:23 -05:00
Craig Andrews
0c73bcd3ba Prefix ReadWriteDirectories with a "-" so if they don't exist it's not an error
See 13805
2014-11-28 12:38:40 -05:00
Craig Andrews
9c933b3635 Use ProtectHome instead of InaccessibleDirectories
See 13805
2014-11-28 12:36:56 -05:00
Craig Andrews
1ac3b74405 Use PrivateDevices instead of DeviceAllow
See 13805
2014-11-28 12:36:17 -05:00
intrigeri
da384090f7 systemd unit file: set up /var/run/tor as writable for the Tor service.
For some strange reason, this was not needed with systemd v208.
But it's needed with systemd v215 on current Debian sid, and entirely
makes sense.
2014-09-19 16:10:39 +00:00
Nick Mathewson
54348201f7 Merge remote-tracking branch 'intrigeri/bug12939-systemd-no-new-privileges'
Conflicts:
	contrib/dist/tor.service.in
2014-09-03 13:29:43 -04:00
intrigeri
b4170421cc systemd unit file: ensures that the process and all its children can never gain
new privileges (#12939).
2014-08-27 03:18:26 +00:00
intrigeri
c9f30c4512 systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).
The rest of the filesystem is accessible for reading only. Still, quoting
systemd.exec(5):

  Note that restricting access with these options does not extend to submounts
  of a directory that are created later on.
2014-08-27 03:13:53 +00:00
Nick Mathewson
74a8555d2b Merge remote-tracking branch 'intrigeri/bug12731-systemd-no-run-as-daemon' into maint-0.2.5
Conflicts:
	contrib/dist/tor.service.in
2014-07-30 14:00:21 -04:00
intrigeri
0a70579784 Verify configuration file via ExecStartPre in the systemd unit file (#12730). 2014-07-30 16:56:55 +00:00
intrigeri
8b470ee4b5 Explicitly disable RunAsDaemon in the systemd unit file (#12731).
Our current systemd unit uses "Type = simple", so systemd does not expect tor to
fork. If the user has "RunAsDaemon 1" in their torrc, then things won't work as
expected. This is e.g. the case on Debian (and derivatives), since there we pass
"--defaults-torrc /usr/share/tor/tor-service-defaults-torrc" (that contains
"RunAsDaemon 1") by default.

The only solution I could find is to explicitly pass "--RunAsDaemon 0" when
starting tor from the systemd unit file, which this commit does.
2014-07-30 16:54:07 +00:00
Nick Mathewson
cae6388053 Put tor.service in the right place, and autoconfify it
This closes 8368.
2014-04-29 13:17:30 -04:00