In an earlier tutorial, I showed you how to obfuscate Tor bridges with obfs4proxy which required editing the Tor service files.
The official Tor Project documentation stated that you needed to edit the systemd service files and change a variable in each to allow the usage of privileged ports. So, I followed the documentation and quickly noticed issues. My obfs4 bridge died every now and then.
But why was it dying?
You see, for security reasons I set up unattended-upgrades to install security updates. I made sure that it also installs Tor updates automatically.
This was the problem: every time Tor updated, it would overwrite my systemd service file edits, and thus could not work on the privileged ports.
A workaround for this was to use chattr +i on the service files to make them immutable, so that updates (or anything, really) couldn’t overwrite them.
But making the service files immutable introduced a new problem: updates would fail, as the update was unable to overwrite the service files with the package’s version.
While Tor would keep running that way, it would defeat the point of automatic updates. So a new solution was needed.
Systemd Overrides
The proper way to edit a systemd service file is to create an override in a separate file. This override file gets loaded and, as the name suggests, overrides the values of the original file with the values you set in your override.
But how do I create the override?
You simply run:
systemctl edit SERVICENAME
Let’s take a look at a practical example.
We want to override a variable in [email protected] and [email protected], namely the variable NoNewPrivileges, so that the value is no instead of yes.
In both those files, that variable is under the [Service] section. This is important to note!
So we’d run the following two commands:
systemctl edit [email protected]
systemctl edit [email protected]
This will create a temporary override file and open an editor to edit said temporary file. In case you haven’t set a favorite editor, like for example nano, you can set it with the EDITOR environment variable (EDITOR=nano) to make sure it opens in your favorite editor.
Now, you’d simply write this into the editor:
[Service]
NoNewPrivileges=no
Then you simply save and it will create the correct override files for you.
This override will make sure to set NoNewPrivileges to no in the [Service] section of the original file, no matter what the original file says, without actually touching the original file!
This way, your updates won’t fail due to an immutable attribute, and your edits will persist across updates!
That’s all there is to it!
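The override behaviour described above, as an added example that is not part of the original post: the script writes the same drop-in file that systemctl edit creates and shows that it still wins after an update rewrites the packaged unit file. The unit name example@default.service, the temporary directory and the helper function names are assumptions made for illustration; on a live host, systemctl cat UNIT and systemctl show -p NoNewPrivileges --value UNIT report what systemd actually loaded.

```shell
#!/bin/sh
# Added example. Unit name, paths and helper names are constructed for illustration.

# write_dropin ROOT UNIT KEY VALUE
# Writes ROOT/UNIT.d/override.conf, the file "systemctl edit UNIT" creates
# under /etc/systemd/system on a real host.
write_dropin() {
    mkdir -p "$1/$2.d" || return 1
    printf '[Service]\n%s=%s\n' "$3" "$4" > "$1/$2.d/override.conf"
}

# effective_value UNIT_FILE DROPIN_DIR KEY
# Emulates systemd's merge order for a single-valued [Service] setting:
# the packaged unit is read first, then the drop-ins in lexical order,
# and the last assignment wins. Expects plain KEY=value lines.
effective_value() {
    {
        cat "$1"; echo
        for f in "$2"/*.conf; do
            if [ -f "$f" ]; then cat "$f"; echo; fi
        done
    } | awk -v key="$3" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }'
}

# packaged_unit FILE: what the package ships, and re-ships on every update.
packaged_unit() {
    printf '[Service]\nNoNewPrivileges=yes\nExecStart=/bin/true\n' > "$1"
}

# demo: prints the effective value before the override, after it, and after
# a simulated package update that rewrites the unit file.
demo() {
    root=$(mktemp -d) || return 1
    unit="example@default.service"          # hypothetical unit name
    packaged_unit "$root/$unit"
    before=$(effective_value "$root/$unit" "$root/$unit.d" NoNewPrivileges)
    write_dropin "$root" "$unit" NoNewPrivileges no
    after=$(effective_value "$root/$unit" "$root/$unit.d" NoNewPrivileges)
    packaged_unit "$root/$unit"             # the update overwrites the unit
    updated=$(effective_value "$root/$unit" "$root/$unit.d" NoNewPrivileges)
    rm -rf "$root"
    echo "$before $after $updated"
}

demo
```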
I have updated the original post to reflect this improvement! Check it out:
Fascinating! I should’ve become a developer. I have the mind for it. I can see myself often going deeper than necessary, just to prove something better is possible with a few more lines of code.