authorNick Mathewson <nickm@torproject.org>2014-09-03 13:29:43 -0400
committerNick Mathewson <nickm@torproject.org>2014-09-03 13:29:43 -0400
commit54348201f7cce9c0c01e9d4835714a2fec55c67c (patch)
treee2b675eb0e6ef2069fe582dcb741dc2ca76f050a
parentf58cdb3be70ef7b30875efe5c2894efc4e273953 (diff)
parenta8dd279fa544145fb7ea66131e5f506889197ac6 (diff)
downloadtor-54348201f7cce9c0c01e9d4835714a2fec55c67c.tar.gz
tor-54348201f7cce9c0c01e9d4835714a2fec55c67c.zip
Merge remote-tracking branch 'intrigeri/bug12939-systemd-no-new-privileges'
Conflicts: contrib/dist/tor.service.in
-rw-r--r--changes/bug12939-systemd-no-new-privileges4
-rw-r--r--contrib/dist/tor.service.in1
2 files changed, 5 insertions, 0 deletions
diff --git a/changes/bug12939-systemd-no-new-privileges b/changes/bug12939-systemd-no-new-privileges
new file mode 100644
index 0000000000..d9103b7055
--- /dev/null
+++ b/changes/bug12939-systemd-no-new-privileges
@@ -0,0 +1,4 @@
+ o Distribution:
+ - systemd unit file: ensures that the process and all its children
+ can never gain new privileges.
+ Patch by intrigeri; resolves ticket 12939.
diff --git a/contrib/dist/tor.service.in b/contrib/dist/tor.service.in
index 8c70ccc6e3..20ceecf0ca 100644
--- a/contrib/dist/tor.service.in
+++ b/contrib/dist/tor.service.in
@@ -22,6 +22,7 @@ InaccessibleDirectories = /home
ReadOnlyDirectories = /
ReadWriteDirectories = @LOCALSTATEDIR@/lib/tor
ReadWriteDirectories = @LOCALSTATEDIR@/log/tor
+NoNewPrivileges = yes
[Install]
WantedBy = multi-user.target
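Review bot: The added `NoNewPrivileges = yes` line has no comment stating what it does and does not cover, and the surrounding sandboxing directives give a reader no hint either. The flag only stops the service and its children from gaining privileges across execve() (setuid/setgid bits, file capabilities); it does not remove anything the process already holds at start. I would add a line above it such as `# Block privilege gain via setuid/setgid binaries and file capabilities on exec; does not drop privileges already held`. The rest of [Service] is outside this hunk, so this is inferred, but if the unit starts Tor as root it would be worth pairing this with a `CapabilityBoundingSet =` restricted to what Tor needs at startup. It is also worth confirming that the setting does not interfere with any AppArmor or SELinux transition a distribution applies when the daemon is executed.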