[systemd-devel] Does socket activation block a TCP port for listening by other processes?

[Lennart Poettering]

On Tue, 21.07.15 13:37, Florian Weimer (fweimer at redhat.com) wrote:

> We have quite a zoo of services which listen on localhost, on a fixed
> TCP port, for use by local clients.  The canonical example is PostgreSQL
> on 5432/TCP, for the benefit of Java clients (which cannot use the UNIX
> domain socket).  This has the obvious issue that if a local attacker
> crashes the service, they can impersonate it by binding to the same port.
> 
> Does socket activation reliably prevent such impersonation attacks?  Or
> is there race, say during systemd configuration reloading or service
> restarts, where systemd temporarily does not listen to that port?

There are things like SO_REUSEADDR that allow privileged apps to bind
to addresses/ports that something else is already listening on.

Ignoring that, yes, systemd will listen on the socket as long as the
.socket unit is up, and that might be longer than the service
unit, even if it crashes.

If you restart the .socket unit, then there will be window where the
socket is not connectable of course, and something else might bind it,
even without SO_REUSEADDR. Restarting a .socket window is necessary if
you change the settings of .socket unit in any way, maybe to chnage
which port or ip address you want it to listen on, or to change a
socket parameter.

Reloading/reexecing systemd itself will keep all sockets it is
listening on open, it will pass the open socket fds from the old to
the new systemd process without closing them in between.

Lennart

-- 
Lennart Poettering, Red Hat