Diffstat (limited to 'tor.service')
-rw-r--r-- | tor.service | 32 |
1 files changed, 27 insertions, 5 deletions
diff --git a/tor.service b/tor.service
index 264a956240ea..1515b75efbd8 100644
--- a/tor.service
+++ b/tor.service
@@ -1,13 +1,35 @@
+# tor.service -- this systemd configuration file for Tor sets up a
+# relatively conservative, hardened Tor service. You may need to
+# edit it if you are making changes to your Tor configuration that it
+# does not allow. Package maintainers: this should be a starting point
+# for your tor.service; it is not the last point.
+
 [Unit]
-Description=Anonymizing Overlay Network
-After=network.target
+Description=Anonymizing overlay network for TCP
+After=syslog.target network.target nss-lookup.target
 
 [Service]
-User=tor
-Type=simple
+Type=notify
+NotifyAccess=all
+ExecStartPre=/usr/bin/tor -f /etc/tor/torrc --verify-config
 ExecStart=/usr/bin/tor -f /etc/tor/torrc
+ExecReload=/bin/kill -HUP ${MAINPID}
 KillSignal=SIGINT
-LimitNOFILE=8192
+TimeoutSec=60
+Restart=on-failure
+WatchdogSec=1m
+LimitNOFILE=32768
+
+# Hardening
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHome=yes
+ProtectSystem=full
+ReadOnlyDirectories=/
+ReadWriteDirectories=-/var/lib/tor
+ReadWriteDirectories=-/var/log/tor
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH CAP_KILL
 
 [Install]
 WantedBy=multi-user.target |
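Review bot: Dropping `User=tor` from [Service] means systemd now starts the daemon as root, and the new unit relies on tor itself dropping privileges (presumably via a `User` directive in /etc/tor/torrc, which is why CAP_SETUID and CAP_SETGID remain in CapabilityBoundingSet), but nothing in the file states that dependency; if torrc omits that directive the process keeps running as root inside the sandbox. A comment next to CapabilityBoundingSet such as `# tor starts as root and drops to the account named by "User" in torrc; CAP_SETUID/CAP_SETGID exist only for that transition -- keep "User" set in torrc` would make the contract explicit for the package maintainers the header addresses. Separately, `NotifyAccess=all` lets every process in the unit's cgroup feed the sd_notify watchdog, which is wider than needed if only the main tor process reports readiness; `NotifyAccess=main` would be the tighter default unless a helper process is known to send notifications.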