[systemd-devel] Does socket activation block a TCP port for listening by other processes?

Florian Weimer fweimer at redhat.com
Tue Jul 21 07:39:05 PDT 2015


On 07/21/2015 01:52 PM, David Herrmann wrote:
> Hi
> 
> On Tue, Jul 21, 2015 at 1:37 PM, Florian Weimer <fweimer at redhat.com> wrote:
>> We have quite a zoo of services which listen on localhost, on a fixed
>> TCP port, for use by local clients.  The canonical example is PostgreSQL
>> on 5432/TCP, for the benefit of Java clients (which cannot use the UNIX
>> domain socket).  This has the obvious issue that if a local attacker
>> crashes the service, they can impersonate it by binding to the same port.
>>
>> Does socket activation reliably prevent such impersonation attacks?  Or
>> is there race, say during systemd configuration reloading or service
>> restarts, where systemd temporarily does not listen to that port?
> 
> This "race" *does* exist with socket activation. The sockets may be
> re-created if the unit transitions between states (like restart).

Thanks.  Would it make sense to fix this in some way, so that the socket
sticks around?

> However, this is only triggered by actions on the socket-unit, not the
> actually activated unit. A crash of the activated service will thus
> not trigger state-changes on the socket-unit.

Good to know.

> Furthermore, we do not treat "occupying a resource" as security
> mechanism. If an attacker has access to bind such a port, we do not
> place restrictions to prevent that. Instead, you should place LSM
> restrictions to prevent this.

I'm stuck with SELinux and the unconfined_t user, so I don't think I can
set an LSM ACL on the port.

> And please note, the actual activated
> unit usually does *not* have rights to bind the socket. This is done
> by pid1. So an attacker would require rights of PID1 for such an
> attack.

unconfined_t unfortunately has this right for port numbers larger than
1023, unfortunately.

-- 
Florian Weimer / Red Hat Product Security


More information about the systemd-devel mailing list