Granting usage rights of privileged ports for services running as non-root user

Purpose: Tor obfs4 bridge privileged rights for job running as a non-root user

Source with instructions this is based on can be found here
Occurring error:

Editing “/etc/systemd/system/tor@.service.d/override.conf” canceled: temporary file is empty

Statement causing the error: sudo systemctl edit tor@.service tor@default.service

I solved the error, but could not find anywhere what was causing the problem.
That is the reason I would like to add it to this forum,
admitting my stupidity and to prevent others from making the same mistake.
I hope it is not overdone.

It is a typical example of not reading closely, often referred to as: RTFM (Read The Fucking Manual)

Part of interest on the page with instructions:

(Optional) Configure systemd to allow obfs4 binding on privileged ports.
What it more or less says is:

If you decide to use a fixed obfs4 port smaller than 1024 (for example 80 or 443), you will need to configure systemd and give
obfs4 CAP_NET_BIND_SERVICE capabilities to bind the port with a non-root user, enter the command:

sudo setcap cap_net_bind_service=+ep /usr/bin/obfs4proxy

To work around systemd hardening, you will also need to edit and change the configuration.

In the editor, enter the following text, then save and quit.
[Service]
NoNewPrivileges=no

In the second editor that appears, enter the same text, then save and quit.
[Service]
NoNewPrivileges=no

While editing, you will get something like the screen presented below. (I did not include the complete file here, only the upper part.)
I added line numbers in the post for reference, they do not exist in the real file.

1 ### Editing /etc/systemd/system/tor@default.service.d/override.conf
2 ### Anything between here and the comment below will become the new contents of the file
3
4
5 ### Lines below this comment will be discarded
6
7 ### /lib/systemd/system/tor@default.service
8 # [Unit]
9 # Description=Anonymizing overlay network for TCP
10 # After=network-online.target nss-lookup.target
11 # PartOf=tor.service
12 # ReloadPropagatedFrom=tor.service
13 # 
14 # [Service]
15 # Type=notify
16 # NotifyAccess=all

What I did, which was what caused the error, was uncommenting line 14 (# [Service]) and inserting a line below it with:

NoNewPrivileges=no

When saving the file I got the error mentioned above.

When reading the upper 2 commented lines (line 1 and 2) more closely, I finally grasped the intention. (I know, stupid me)
Just put the lines you have to add beneath those 2 upper lines and save the file. That's all you have to do.

After doing that it has to look like this (Again, I show only the upper part and left the line numbers out this time):

### Editing /etc/systemd/system/tor@default.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

[Service]
NoNewPrivileges=no

### Lines below this comment will be discarded

### /lib/systemd/system/tor@default.service
# [Unit]
# Description=Anonymizing overlay network for TCP
# After=network-online.target nss-lookup.target
# PartOf=tor.service
# ReloadPropagatedFrom=tor.service
# 
# [Service]
# Type=notify
# NotifyAccess=all

That solved my problem. Headbanging my head against a wall.
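As an added example (not from the post above or from the Tor guide it follows), the script below mimics what systemctl edit keeps from the editor buffer, reproduces the "temporary file is empty" case with a constructed buffer that has the lines below the discard marker, and offers a non-interactive way to write the same drop-in. The buffer contents and the drop-in directory argument are constructed for the example; the marker lines are the ones systemctl edit prints.

```shell
# Added example, not from the post or the Tor guide: mimic what systemctl edit keeps.

# Keep only the lines between the two markers, as systemctl edit does; the
# commented copy of the original unit below the end marker is discarded.
kept_content() {
    awk '
        /^### Anything between here and the comment below/ { keep = 1; next }
        /^### Lines below this comment will be discarded/  { exit }
        keep { print }
    '
}

# Succeeds if the buffer yields a non-empty drop-in; fails for the
# "temporary file is empty" case from the post.
buffer_is_valid() {
    kept_content | grep -q '[^[:space:]]'
}

# Constructed buffer reproducing the mistake: the new lines were put below
# the discard marker (next to the commented "# [Service]"), so nothing is kept.
wrong_buffer() {
    cat <<'EOF'
### Editing /etc/systemd/system/tor@default.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file

### Lines below this comment will be discarded
### /lib/systemd/system/tor@default.service
[Service]
NoNewPrivileges=no
# Type=notify
EOF
}

# Constructed buffer with the lines in the right place.
right_buffer() {
    cat <<'EOF'
### Editing /etc/systemd/system/tor@default.service.d/override.conf
### Anything between here and the comment below will become the new contents of the file
[Service]
NoNewPrivileges=no
### Lines below this comment will be discarded
# [Service]
EOF
}

# Non-interactive alternative: write the drop-in directly (then run
# "systemctl daemon-reload"). $1 = drop-in dir, e.g. /etc/systemd/system/tor@default.service.d
write_override() {
    mkdir -p "$1" && printf '[Service]\nNoNewPrivileges=no\n' > "$1/override.conf"
}
```

After the real drop-in is in place, "systemctl show -p NoNewPrivileges tor@default.service" and "getcap /usr/bin/obfs4proxy" confirm both halves of the guide's change.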
