Red Hat Bugzilla – Bug 1268610
Can we please get rid of the NoNewPrivs=yes
Last modified: 2015-10-03 15:04:48 EDT
Description of problem:
Since recently tor.service added some new systemd "security" features. One of which is "NoNewPrivs". This "security" feature actually adds more insecurity than security.
This is because by using NoNewPrivs, systemd effectivly needs all the privileges that the bounded child has. So in other words everything tor must be able to do, systemd must be able to do as well.
This degrades systemds' integrity and is uncontrolable
Please removed it, as it sets a bad precedent.
Side note: Is PrivateTmp= really needed? In which scenario does tor use /tmp?
Similar to that, Why is PrivateDevices= used. The only object tor has any business with in /dev is the /dev/log symlink.
Fedora has far superior security with SELinux than these systemd "security" features. In effect using these features make things less security because extra permission must be granted...
Could you please take it to the Tor upstream?
Why? This is Fedora specific. It is fedoras' tor.service unit and Fedora has superior security feature with which these features interfere
No, Fedora's package use upstream unit; see this: https://gitweb.torproject.org/tor.git/tree/contrib/dist/tor.service.in
With NoNewPrivileges=yes, SELinux does not perform the appropriate transition. Note that this is a Linux kernel feature, not a systemd feature.
> Be careful, though: LSMs might also not tighten constraints on exec
> in no_new_privs mode. (This means that setting up a general-purpose
> service launcher to set no_new_privs before execing daemons may
> interfere with LSM-based sandboxing.)
I was unfortunately unaware of this limitation, and it does appear that tor runs as init_t instead of tor_t when NoNewPrivileges=yes is set. Thus, I'll remove NoNewPrivileges, but not for the reasons you stated.
Whatever... that transition issue is a symptom of what i described.. its not transitioning because systemd does not have all the permissions, that tor has
NoNewPrivileges doesn't work the way you think it does.