Re: [tor-dev] what capabilities does tor need for reloading?

2015-04-29 Thread nusenu
just for the record: 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID ... The proper 'fix' is: PermissionsStartOnly=yes REF:

[tor-dev] what capabilities does tor need for reloading?

2015-03-18 Thread Nusenu
Hi, 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE Removing that line solves the reload issue. Reloading with that line does not

Re: [tor-dev] what capabilities does tor need for reloading?

2015-03-18 Thread Nusenu
Hi Nick, thanks for your answer. What capability would one have to add to the list to make it work with CapabilityBoundingSet? It probably depends on what's in your configuration. torrc file while testing: User debian-tor DataDirectory

Re: [tor-dev] what capabilities does tor need for reloading?

2015-03-18 Thread Nick Mathewson
On Wed, Mar 18, 2015 at 6:15 AM, Nusenu nus...@openmailbox.org wrote: Hi, 'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE

Re: [tor-dev] what capabilities does tor need for reloading?

2015-03-18 Thread Nusenu
so the somewhat obvious fix was to add CAP_KILL. after reading: man capabilities: Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation. I'm not entirely sure since that sounds

Re: [tor-dev] what capabilities does tor need for reloading?

2015-03-18 Thread Nusenu
'systemctl reload tor' fails due to hardening restrictions in tor's systemd service file [1]: CapabilityBoundingSet = CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE This configuration restricts not only the service (tor) but also the ExecReload