systemd unit file: only allow tor to write to /var/lib/tor and /var/log/tor (#12751).
The rest of the filesystem is accessible read-only. Still, quoting systemd.exec(5): "Note that restricting access with these options does not extend to submounts of a directory that are created later on."
This commit is contained in:
parent
b159ffb675
commit
c9f30c4512
3
contrib/dist/tor.service.in
vendored
3
contrib/dist/tor.service.in
vendored
@ -19,6 +19,9 @@ PrivateTmp = yes
|
||||
DeviceAllow = /dev/null rw
|
||||
DeviceAllow = /dev/urandom r
|
||||
InaccessibleDirectories = /home
|
||||
ReadOnlyDirectories = /
|
||||
ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
|
||||
ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
|
||||
|
||||
[Install]
|
||||
WantedBy = multi-user.target
|
||||
|
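Review bot: With `ReadOnlyDirectories = /` the runtime directory is now read-only too, so if this unit's ExecStart (in the [Service] section, which starts before this hunk) passes a PidFile or ControlSocket under /run or /var/run, those startup writes will be refused and the service will fail; verify those options and, if needed, add `ReadWriteDirectories = /var/run/tor` (or an equivalent writable runtime path) next to the two entries here. ReadWriteDirectories= also presumably requires @LOCALSTATEDIR@/lib/tor and @LOCALSTATEDIR@/log/tor to exist when the namespace is set up, so packaging should create them before the first start rather than relying on tor to do so — worth confirming on a fresh install. The submount caveat from the commit message belongs in the unit file itself, e.g. `# Everything else is read-only; submounts created later are not covered (see systemd.exec(5)).` above the ReadOnlyDirectories line.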