On Wed, Mar 4, 2020 at 11:09 PM Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
> Hey Mantas,
>
> Thanks for the reply.
>
> On Wed, Mar 4, 2020 at 12:06 PM Mantas Mikulėnas <graw...@gmail.com> wrote:
>
>> On Wed, Mar 4, 2020 at 7:26 PM Matt Zagrabelny <mzagr...@d.umn.edu> wrote:
>>
>>> Greetings,
>>>
>>> Do folks use non-root users to own AF_INET sockets
>>>
>>
>> This bit *really* doesn't make sense.
>>
>
> Sure. That is why I asked if it was even a sensible question.
>
>> You're not changing the socket ownership in your examples at all --
>> you're changing the *service's* user account.
>>
>
> Agreed. I wasn't trying to imply that I was changing socket ownership.
> Agreed - I did mean to change the user that the service runs as.
>
>> Who owns the socket has nothing to do with who owns the service process.
>> (And the socket is still owned by root, as the whole point of .socket units
>> is that socket creation is handled by pid1.)
>>
>
> Okay. I wasn't sure if pid1 (systemd) could create the AF_INET socket and
> have it owned by another user. Sort of like the AF_UNIX socket ownership:
>
> SocketUser=, SocketGroup=
>     Takes a UNIX user/group name. When specified, all AF_UNIX sockets and
>     FIFO nodes in the file system are owned by the specified user and
>     group. If unset (the default), the nodes are owned by the root
>     user/group (if run in system context) or the invoking user/group (if
>     run in user context). If only a user is specified but no group, then
>     the group is derived from the user's default group.
>

AF_UNIX sockets only have ownership because they exist as filesystem objects and also have file permissions – using standard `chmod` it is possible to restrict which users or groups can connect to the socket. But none of that exists for AF_INET sockets (UID-based permissions can't really apply across the network), so inet sockets don't have any reason for the owner to be changeable either. Aside from iptables '-m owner' filtering, I don't think changing the socket's owner would affect anything at all.

Either way – whether the systemd-created socket is AF_UNIX or AF_INET, its ownership still has nothing to do with "root exposure". Even if you have an AF_UNIX socket with SocketUser=root, it doesn't grant the service any more privileges, and it doesn't make the service any more vulnerable.

-- 
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
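
The distinction drawn in the reply above, as an added example that is not part of the original thread: an AF_UNIX socket is a filesystem node whose owner and mode bits decide who may connect, while an AF_INET socket has no such node. The path `demo.sock` and the function names are constructed for the illustration, and Linux is assumed.

```python
import os
import socket
import stat
import tempfile


def unix_socket_access(mode):
    """Bind an AF_UNIX socket, chmod its filesystem node, then try to connect."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.sock")  # constructed path for this example
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)        # creates the socket node on disk
        srv.listen(1)
        os.chmod(path, mode)  # plain chmod on the node, as described in the reply
        st = os.stat(path)    # the node SocketUser=/SocketGroup= would chown
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            cli.connect(path)  # kernel checks write permission on the node
            denied = False
        except PermissionError:
            denied = True      # EACCES; root (CAP_DAC_OVERRIDE) bypasses this
        finally:
            cli.close()
            srv.close()
        return {
            "is_socket_node": stat.S_ISSOCK(st.st_mode),
            "mode": stat.S_IMODE(st.st_mode),
            "owner_uid": st.st_uid,
            "connect_denied": denied,
        }


def inet_socket_info():
    """An AF_INET socket is only a descriptor; its address is (ip, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        st = os.fstat(s.fileno())  # no path exists to stat, chmod or chown
        return {"is_socket_fd": stat.S_ISSOCK(st.st_mode),
                "address": s.getsockname()}
    finally:
        s.close()


if __name__ == "__main__":
    print("mode 0600:", unix_socket_access(0o600))
    print("mode 0000:", unix_socket_access(0o000))
    print("AF_INET  :", inet_socket_info())
```

Run as a non-root user, the mode `0000` case reports `connect_denied: True`; as root the permission check is bypassed and the connect succeeds.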