From fb868cd7794f15e21298e5bdea996fbf0dad17ca Mon Sep 17 00:00:00 2001 From: Ludovic Courtès Date: Tue, 19 Jul 2022 16:26:53 +0200 Subject: services: tor: Switch to 'least-authority-wrapper'. * gnu/services/networking.scm (tor-configuration->torrc): Remove "User" and "PidFile". (tor-shepherd-service): Use 'least-authority-wrapper' and 'make-forkexec-constructor' instead of 'make-forkexec-constructor/container'. --- gnu/services/networking.scm | 47 +++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 19 deletions(-) (limited to 'gnu') diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index a9560db66b..b555c46040 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -918,9 +918,7 @@ (define (tor-configuration->torrc config) (lambda (port) (display "\ ### These lines were generated from your system configuration: -User tor DataDirectory /var/lib/tor -PidFile /var/run/tor/tor.pid Log notice syslog\n" port) (when (eq? 'unix '#$socks-socket-type) (display "\ @@ -960,7 +958,25 @@ (define (tor-shepherd-service config) "Return a running Tor." (match config (($ tor) - (let ((torrc (tor-configuration->torrc config))) + (let* ((torrc (tor-configuration->torrc config)) + (tor (least-authority-wrapper + (file-append tor "/bin/tor") + #:name "tor" + #:mappings (list (file-system-mapping + (source "/var/lib/tor") + (target source) + (writable? #t)) + (file-system-mapping + (source "/dev/log") ;for syslog + (target source)) + (file-system-mapping + (source "/var/run/tor") + (target source) + (writable? #t)) + (file-system-mapping + (source torrc) + (target source))) + #:namespaces (delq 'net %namespaces)))) (with-imported-modules (source-module-closure '((gnu build shepherd) (gnu system file-systems))) @@ -974,22 +990,15 @@ (define (tor-shepherd-service config) (modules '((gnu build shepherd) (gnu system file-systems))) - (start #~(make-forkexec-constructor/container - (list #$(file-append tor "/bin/tor") "-f" #$torrc) - - #:log-file "/var/log/tor.log" - #:mappings (list (file-system-mapping - (source "/var/lib/tor") - (target source) - (writable? #t)) - (file-system-mapping - (source "/dev/log") ;for syslog - (target source)) - (file-system-mapping - (source "/var/run/tor") - (target source) - (writable? #t))) - #:pid-file "/var/run/tor/tor.pid")) + ;; XXX: #:pid-file won't work because the wrapped 'tor' + ;; program would print its PID within the user namespace + ;; instead of its actual PID outside. There's no inetd or + ;; systemd socket activation support either (there's + ;; 'sd_notify' though), so we're stuck with that. + (start #~(make-forkexec-constructor + (list #$tor "-f" #$torrc) + #:user "tor" #:group "tor" + #:log-file "/var/log/tor.log")) (stop #~(make-kill-destructor)) (documentation "Run the Tor anonymous network overlay.")))))))) -- cgit v1.2.3