Bug #2906

[tor] Does not reload

sdfoijsaodif - over 3 years ago. Updated over 3 years ago.

Status: confirmed
Priority: bug
Assignee: -
% Done: 0%


Description

Tor does not reload because of some permission issues.

Kill says permission denied.

History

#1

Updated by freemor over 3 years ago

More info needed. It restarts fine here.

Are you restarting/reloading it with the proper service controls?
i.e. `systemctl restart tor`
or
`rc-service tor restart`

Are you using sudo, or is your user a member of the appropriate group?

#2

Updated by sdfoijsaodif over 3 years ago

After doing `sudo systemctl reload tor`, it doesn't reload. As you said, it restarts fine.

On reload, tor process is expected to be killed with HUP signal, but for some reason `kill` program does not have permission to do that.

#3

Updated by freemor over 3 years ago

Tor restarts and reloads correctly here.

What does:

`cat /usr/lib/systemd/system/tor.service`

show?

If you start `journalctl -f -u tor` in a separate terminal, what does it show when you run `systemctl reload tor` or `sudo systemctl reload tor`?

Thanks

#4

Updated by sdfoijsaodif over 3 years ago

```ini
# tor.service -- this systemd configuration file for Tor sets up a
# relatively conservative, hardened Tor service.  You may need to
# edit it if you are making changes to your Tor configuration that it
# does not allow.  Package maintainers: this should be a starting point
# for your tor.service; it is not the last point.

[Unit]
Description=Anonymizing overlay network for TCP
After=syslog.target network.target nss-lookup.target

[Service]
Type=notify
NotifyAccess=all
ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
KillSignal=SIGINT
TimeoutSec=60
Restart=on-failure
WatchdogSec=1m
LimitNOFILE=32768

# Hardening
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectSystem=full
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/lib/tor
ReadWriteDirectories=-/var/log/tor
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH

[Install]
WantedBy=multi-user.target
```

And reload fails with "Operation not permitted" on kill.

#5

Updated by freemor over 3 years ago

And that is most likely your issue. Your tor.service is not the default by a long shot.

The one that comes with tor in the REPO reads:

```ini
[Unit]
Description=Anonymizing Overlay Network
After=network.target

[Service]
User=tor
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/usr/bin/kill -HUP $MAINPID
KillSignal=SIGINT
LimitNOFILE=8192
PrivateDevices=yes

[Install]
WantedBy=multi-user.target
```

As you can see, you have a lot of other stuff in there. It is most likely the "Hardening" stuff that is getting in the way.

Do you know how you ended up with such a non-standard .service file?

What tor package are you using?

#6

Updated by freemor over 3 years ago

Sorry, I was a tor version behind. Seems that is the new version.

I had some issues after the upgrade with my torrc not validating and thus tor not starting.

Did you merge the /etc/tor/torrc.pacnew with your /etc/tor/torrc?

If the .pacnew file doesn't exist, that just means that you never modified the torrc file, and it should already be the new one.

#7

Updated by freemor over 3 years ago

  • Status changed from unconfirmed to confirmed

I am now seeing the same issue as you, with reload not working.

Things to do now (for devs):

- Check if there is an existing issue upstream.
- Roll an Arch VM and see if the issue exists there.
  - If yes, push the issue upstream.
  - If no, get Megver83 to have a look to see if it is a kernel/systemd diff here.
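
An added example, not part of the thread or of the tor or distribution code: a small checker for one candidate explanation of the "Operation not permitted" on reload, namely that the hardened unit runs `ExecReload`'s `kill` as root under a `CapabilityBoundingSet` without `CAP_KILL`. It assumes the daemon switches to an unprivileged UID by itself (for example through the torrc `User` option), which the thread does not show; the function names are hypothetical and the thread does not confirm this as the root cause.

```python
import os

# Constructed inputs: the relevant [Service] lines copied from the unit files
# posted in comments #4 (hardened) and #5 (repo).
HARDENED = """[Service]
Type=notify
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/bin/kill -HUP ${MAINPID}
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH
"""
REPO = """[Service]
User=tor
Type=simple
ExecStart=/usr/bin/tor -f /etc/tor/torrc
ExecReload=/usr/bin/kill -HUP $MAINPID
"""

def service_directives(unit_text):
    """Return {key: [values, ...]} for the [Service] section of a unit file."""
    section, found = None, {}
    for line in map(str.strip, unit_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            found.setdefault(key.strip(), []).append(value.strip())
    return found

def reload_kill_findings(unit_text):
    """Explain why an ExecReload `kill` in this unit could get EPERM, if it could."""
    d = service_directives(unit_text)
    argv0 = [v.lstrip("-@+!:").split()[:1] for v in d.get("ExecReload", [])]
    if not any(a and os.path.basename(a[0]) == "kill" for a in argv0):
        return []  # reload does not go through kill(1)
    user = (d.get("User") or ["root"])[-1]  # system services default to root
    bounding = d.get("CapabilityBoundingSet")
    # Simplification: plain allow-lists only; the "~" inverted form is not handled.
    caps = set(" ".join(bounding).split()) if bounding is not None else None
    findings = []
    if user in ("root", "0") and caps is not None and "CAP_KILL" not in caps:
        findings.append("kill runs as root without CAP_KILL: it can only signal "
                        "processes whose real or saved UID is 0, so reload fails "
                        "if the daemon switched to another UID (assumption)")
    return findings

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("repo", REPO)):
        print(name, reload_kill_findings(text) or "no finding")
```
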
