On Tue, 21.07.15 13:37, Florian Weimer (fwei...@redhat.com) wrote:

> We have quite a zoo of services which listen on localhost, on a fixed
> TCP port, for use by local clients. The canonical example is PostgreSQL
> on 5432/TCP, for the benefit of Java clients (which cannot use the UNIX
> domain socket). This has the obvious issue that if a local attacker
> crashes the service, they can impersonate it by binding to the same port.
>
> Does socket activation reliably prevent such impersonation attacks? Or
> is there a race, say during systemd configuration reloading or service
> restarts, where systemd temporarily does not listen to that port?
There are things like SO_REUSEADDR that allow privileged apps to bind to addresses/ports that something else is already listening on. Ignoring that, yes, systemd will listen on the socket as long as the .socket unit is up, and that might be longer than the service unit, even if it crashes.

If you restart the .socket unit, then there will be a window where the socket is not connectable of course, and something else might bind it, even without SO_REUSEADDR. Restarting a .socket unit is necessary if you change the settings of the .socket unit in any way, maybe to change which port or IP address you want it to listen on, or to change a socket parameter.

Reloading/reexecing systemd itself will keep all sockets it is listening on open; it will pass the open socket fds from the old to the new systemd process without closing them in between.

Lennart

--
Lennart Poettering, Red Hat
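To make the mechanism concrete, here is an added example (not from the thread or from systemd itself) of a service that follows systemd's LISTEN_PID/LISTEN_FDS contract, the same one sd_listen_fds(3) implements: the port is bound by systemd from the .socket unit and inherited as fd 3, so the service never binds it and a crash leaves it held by pid 1 rather than free; the unit names, port and echo behaviour are constructed for the example.

```python
"""Minimal socket-activated TCP service using systemd's LISTEN_FDS protocol.

Constructed unit files assumed for this example (not real systemd units):

  # demo.socket                     # demo.service
  [Socket]                          [Service]
  ListenStream=127.0.0.1:5432       ExecStart=/usr/bin/python3 /opt/demo/server.py
  [Install]
  WantedBy=sockets.target

While demo.socket is active, the listening socket belongs to systemd, whether
or not demo.service is running, which is what closes the impersonation window.
"""
import os
import socket
import sys

SD_LISTEN_FDS_START = 3  # first inherited fd, per sd_listen_fds(3)


def listen_fds(environ=None, pid=None):
    """Return inherited listening fds, or [] when not socket-activated.

    LISTEN_PID must equal our own pid so that fds meant for a parent that
    exec'd us without clearing the variables are not mistaken for ours.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count < 0:
        return []
    # Like sd_listen_fds(..., unset_environment=true): do not leak to children.
    for name in ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"):
        environ.pop(name, None)
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def serve(sock):
    """Echo whatever each client sends, on the socket systemd already bound."""
    while True:
        conn, _ = sock.accept()
        with conn:
            conn.sendall(conn.recv(1024))


if __name__ == "__main__":
    fds = listen_fds()
    if not fds:
        # Deliberately no fallback to bind() here: only systemd owns the port.
        sys.exit("not socket-activated; start this via demo.socket")
    serve(socket.socket(fileno=fds[0]))  # fd 3 is already bound and listening
```

You can confirm who owns the port on a running system with `ss -ltnp`, which should show the listener attributed to systemd (pid 1) even while the service is stopped.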