[systemd-devel] inetd/chroot
Fisher, Charles J. (Top Echelon)
Charles.Fisher at arconic.com
Thu Mar 8 17:17:16 UTC 2018
I am running some inetd firewall components that came from the legacy FWTK (http://fwtk.org) under systemd socket activation on Oracle Linux 7.4.
The author of this code has found bugs in later life.
http://www.ranum.com/security/computer_security/editorials/codetools/index.html
When I was using OpenBSD, I had inetd spawn these as nobody. With systemd, I go further and specify a RootDirectory, and this causes what appears to be an interesting systemd bug.
These are the units in question:
# cat /etc/systemd/system/yum.socket
[Unit]
Description=yum proxy
[Socket]
ListenStream=5865
Accept=yes
[Install]
WantedBy=sockets.target
# cat /etc/systemd/system/yum at .service
[Unit]
Description=yum proxy
[Service]
RootDirectory=/home/fwjail
ExecStart=-/usr/local/etc/http-gw
StandardInput=socket
User=nobody
Group=nobody
Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and attempting to start the socket fails:
# systemctl start yum.socket
Job for yum.socket failed. See "systemctl status yum.socket" and "journalctl -xe" for details.
However, if I place any file at the corresponding location *outside of the chroot* the service will start normally.
# touch /usr/local/etc/http-gw
# ll /usr/local/etc/http-gw
-rw-r--r--. 1 root root 0 Mar 8 11:10 /usr/local/etc/http-gw
# systemctl start yum.socket
It seems to me that systemd is (pre)checking for the program before starting the socket, and the check is not relative to the chroot/RootDirectory parameter. Is this behavior correct?
p.s. a) I'm not using the FWTK in a security capacity at all - this is for the isolation of a QA network containing a Unisys running OS2200/EXEC 8. I have hundreds of inetd rules that I've ported to busybox, launched by a systemd service. I am pumping a yum proxy back through here so I can get patches into the internal network.
b) I have confirmed that systemd is launching the correct program, even though it is checking for the existence of the wrong one:
# nc localhost 5865
GET /
HTTP/1.0 200 OK
Content-type: text/html
<HEAD>
<title>HTTP-GW Internal Documentation</title>
</HEAD>
<H1><IMG ALT="[ICON]" SRC="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif"> HTTP-GW Internal Documentation</H1>
The HTTP-GW is part of the <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/">Trusted Information Systems Inc.</A>
firewall toolkit<br>and <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/Home/NetworkSecurity/Gauntlet/Gauntlet.html">Gauntlet (TM) product</A>.
<hr>
<H2>No Server</H2>
You have accessed the HTTP-GW and the proxy has not been able to find any
server information in your request and there is no default server configured
to hand the request off to.
<p>
You may be able to get your firewall administrator to configure the firewall
to pass these requests off to a local HTTP server.
<hr>
<A HREF="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/version.html">About HTTP-GW</A>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20180308/ac6f1503/attachment.html>
More information about the systemd-devel
mailing list