Description of problem: I'm currently implementing per-instance tor-user support for Fedora/EPEL where every tor instance is run with a distinct system user (Debian comes with that out of the box). Filesystem permissions and systemd hardening make it a bit hard on RPM based systems. Default permissions: drwxr-x---. 2 toranon root 4096 Jan 25 00:00 /var/lib/tor The change that is required is minimal, adding the following like to the service file would do it: ReadWriteDirectories=/var/lib/tor-instances (this is also the default per-instance datadir location on Debian) Optionally also: ReadWriteDirectories=/var/log/tor-instances Note: I don't want every tor-instance account become a toranon group member because that would allow them to do more than they should. /var/lib/tor-instances does not need to be created by the package. I'll create it as needed with root:root 0755 permissions. thanks! ref https://github.com/nusenu/ansible-relayor/issues/58
It doesn't make sense to add ReadWriteDirectories for a directory that isn't part of the Tor package. You can extend the Fedora service file using systemd snippets: http://www.freedesktop.org/software/systemd/man/systemd.unit.html#id-1.11.3