Bug 1301718 - allow setup with per-instance tor users (minimal change required)
allow setup with per-instance tor users (minimal change required)
Product: Fedora
Classification: Fedora
Component: tor (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Jamie Nguyen
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2016-01-25 14:38 EST by nusenu
Modified: 2016-01-25 15:06 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-01-25 15:06:25 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description nusenu 2016-01-25 14:38:17 EST
Description of problem:
I'm currently implementing per-instance tor-user support for Fedora/EPEL where every tor instance is run with a distinct system user (Debian comes with that out of the box).

Filesystem permissions and systemd hardening make it a bit hard on RPM based systems.
Default permissions:
drwxr-x---. 2 toranon root 4096 Jan 25 00:00 /var/lib/tor

The change that is required is minimal, adding the following like to the service file would do it: 

(this is also the default per-instance datadir location on Debian)

Optionally also:

Note: I don't want every tor-instance account become a toranon group member because that would allow them to do more than they should.

/var/lib/tor-instances does not need to be created by the package.
I'll create it as needed with root:root 0755 permissions.


Comment 1 Jamie Nguyen 2016-01-25 15:06:25 EST
It doesn't make sense to add ReadWriteDirectories for a directory that isn't part of the Tor package.

You can extend the Fedora service file using systemd snippets:

Note You need to log in before you can comment on or make changes to this bug.