DataDirectory permissions are too restrictive when using CapabilityBoundingSet or SELinux
Directories created by Tor have 0700 and TorUser:TorUser permissions. Tor also checks the permissions again at runtime, reducing the permissions if they aren't 0700 and refusing to run if the directory UID and GID aren't both TorUser.
These precautions protect the security of the Tor files. However, the DataDirectory (ie, /var/lib/tor) is unreadable by the root user. When Tor is started as root, it accesses the DataDirectory before dropping root permissions. Normally this wouldn't cause any problems, but there are two situations in which Tor is prevented from running:
- If the systemd CapabilityBoundingSet option is set but CAP_READ_SEARCH isn't listed, root is denied access to the DataDirectory.
- If SELinux is enabled but the tor_t domain isn't allowed dac_read_search permissions, root is denied access to the DataDirectory.
CAP_READ_SEARCH and dac_read_search should be avoided; a process with these permissions can read arbitrary files regardless of DAC permissions. The solution proposed in this patch is to default to creating the DataDirectory with 0750 permissions, while also allowing the group to be either TorUser or root (but nobody else).
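The policy proposed above (owner must be the Tor user, group may be the Tor user's group or root, mode no wider than 0750) can be expressed as a small standalone check. The script below is an added example written for this ticket, not Tor's own startup code and not the patch itself; the function names, the root_gid parameter and the "reduce to 0750" helper are assumptions, chosen to mirror the behaviour the ticket describes (tighten mode bits, refuse on wrong ownership).

```python
import os
import stat
import tempfile

# Assumed policy constant, mirroring the ticket's proposal: owner rwx,
# group r-x, nothing for others, no setuid/setgid/sticky bits.
ALLOWED_MODE = 0o750


def check_data_directory(path, tor_uid, tor_gid, root_gid=0):
    """Return a list of policy violations for a DataDirectory; empty means OK.

    Ownership: st_uid must be tor_uid; st_gid must be tor_gid or root_gid.
    Mode: no permission bit outside ALLOWED_MODE (0750) may be set.
    """
    problems = []
    st = os.lstat(path)          # lstat: do not follow a symlinked DataDirectory
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path} is not a directory"]
    if st.st_uid != tor_uid:
        problems.append(f"owner uid {st.st_uid} is not the Tor user ({tor_uid})")
    if st.st_gid not in (tor_gid, root_gid):
        problems.append(
            f"gid {st.st_gid} is neither the Tor group ({tor_gid}) nor root ({root_gid})"
        )
    mode = stat.S_IMODE(st.st_mode)
    extra = mode & ~ALLOWED_MODE
    if extra:
        problems.append(f"mode {mode:04o} has bits beyond 0750: {extra:04o}")
    return problems


def tighten_data_directory(path, tor_uid, tor_gid, root_gid=0):
    """Clear any mode bits beyond 0750 and re-check; return the remaining problems.

    Only the mode is corrected: wrong ownership cannot be fixed without root,
    so it is reported rather than silently changed (Tor refuses to run on bad
    uid/gid rather than chowning, per the ticket).
    """
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~ALLOWED_MODE:
        os.chmod(path, mode & ALLOWED_MODE)
    return check_data_directory(path, tor_uid, tor_gid, root_gid)


def current_mode(path):
    """Permission bits of path as an int (e.g. 0o750)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


if __name__ == "__main__":
    # Constructed demo: a scratch directory owned by the current user stands in
    # for /var/lib/tor, and the current uid/gid stand in for TorUser.
    me_uid, me_gid = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)
        print("before:", oct(current_mode(d)), check_data_directory(d, me_uid, me_gid))
        print("after: ", oct(current_mode(d)) if not tighten_data_directory(d, me_uid, me_gid)
              else "still failing", check_data_directory(d, me_uid, me_gid))
```

Running it as an unprivileged user shows a 0777 scratch directory flagged for its extra bits, reduced to 0750, and then passing; a directory whose group is root (gid 0) passes the group check as the ticket proposes, while any other foreign group is reported.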
Also see: https://bugzilla.redhat.com/show_bug.cgi?id=1279222
I notice that Debian fixed this issue on Stretch/Sid by giving Tor CAP_DAC_OVERRIDE, CAP_CHOWN and CAP_FOWNER. These dangerous capabilities are effectively equal to root, and kind of defeat the point of using CapabilityBoundingSet in the first place. I've chosen a different solution.
Trac:
Username: jamielinux