Red Hat Bugzilla – Bug 1301718
allow setup with per-instance tor users (minimal change required)
Last modified: 2016-01-25 15:06:25 EST
Description of problem:
I'm currently implementing per-instance tor-user support for Fedora/EPEL where every tor instance is run with a distinct system user (Debian comes with that out of the box).
Filesystem permissions and systemd hardening make it a bit hard on RPM based systems.
drwxr-x---. 2 toranon root 4096 Jan 25 00:00 /var/lib/tor
The change that is required is minimal, adding the following like to the service file would do it:
(this is also the default per-instance datadir location on Debian)
Note: I don't want every tor-instance account become a toranon group member because that would allow them to do more than they should.
/var/lib/tor-instances does not need to be created by the package.
I'll create it as needed with root:root 0755 permissions.
It doesn't make sense to add ReadWriteDirectories for a directory that isn't part of the Tor package.
You can extend the Fedora service file using systemd snippets: