[systemd-devel] AF_INET socket ownership

Mantas Mikulėnas grawity at gmail.com
Thu Mar 5 09:11:32 UTC 2020


On Wed, Mar 4, 2020 at 11:09 PM Matt Zagrabelny <mzagrabe at d.umn.edu> wrote:

> Hey Mantas,
>
> Thanks for the reply.
>
> On Wed, Mar 4, 2020 at 12:06 PM Mantas Mikulėnas <grawity at gmail.com>
> wrote:
>
>> On Wed, Mar 4, 2020 at 7:26 PM Matt Zagrabelny <mzagrabe at d.umn.edu>
>> wrote:
>>
>>> Greetings,
>>>
>>> Do folks use non-root users to own AF_INET sockets
>>>
>>
>> This bit *really* doesn't make sense.
>>
>
> Sure. That is why I asked if it was even a sensible question.
>
>
>> You're not changing the socket ownership in your examples at all --
>> you're changing the *service's* user account.
>>
>
> Agreed. I wasn't trying to imply that I was changing socket ownership.
> Agreed - I did mean to change the user that the service runs as.
>
>
>
>> Who owns the socket has nothing to do with who owns the service process.
>> (And the socket is still owned by root, as the whole point of .socket units
>> is that socket creation is handled by pid1.)
>>
>
> Okay. I wasn't sure if pid1 (systemd) could create the AF_INET socket and
> have it owned by another user. Sort of like the AF_UNIX socket ownership:
>
>        SocketUser=, SocketGroup=
>            Takes a UNIX user/group name. When specified, all AF_UNIX
>            sockets and FIFO nodes in the file system are owned by the
>            specified user and group. If unset (the default), the nodes are
>            owned by the root user/group (if run in system context) or the
>            invoking user/group (if run in user context). If only a user is
>            specified but no group, then the group is derived from the
>            user's default group.
>
>

AF_UNIX sockets only have ownership because they exist as filesystem
objects and also have file permissions – using standard `chmod` it is
possible to restrict which users or groups can connect to the socket.

But none of that exists for AF_INET sockets (UID-based permissions can't
really apply across the network), so inet sockets don't have any reason for
the owner to be changeable either. Aside from iptables '-m owner'
filtering, I don't think changing the socket's owner would affect anything
at all.

Either way – whether the systemd-created socket is AF_UNIX or AF_INET, its
ownership still has nothing to do with "root exposure". Even if you have an
AF_UNIX socket with SocketUser=root, it doesn't grant the service any more
privileges, and it doesn't make the service any more vulnerable.

-- 
Mantas Mikulėnas
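
The distinction drawn in the message above, as an added example that is not part of the original post: a bound AF_UNIX socket is a filesystem node with an owner and a mode that `chmod` can change, while a bound AF_INET socket is named only by an address and port. The file name `demo.sock`, the scratch directory and the function names are constructed for illustration.

```python
import os
import socket
import stat
import tempfile


def unix_socket_node(mode=0o660):
    """Bind an AF_UNIX socket, chmod its node, and return the node's metadata."""
    workdir = tempfile.mkdtemp()               # constructed scratch directory
    path = os.path.join(workdir, "demo.sock")  # constructed socket path
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)        # bind() creates a socket inode at `path`
        os.chmod(path, mode)  # plain chmod decides who may connect
        st = os.stat(path)
        return {
            "is_socket": stat.S_ISSOCK(st.st_mode),
            "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid,  # owner of the node: the user that called bind()
        }
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)


def inet_socket_name():
    """Bind an AF_INET socket on loopback and return the name it is known by."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free port
        # The socket's name is an (address, port) pair. There is no path to
        # stat, chown or chmod, so no file permissions gate connections.
        return srv.getsockname()
    finally:
        srv.close()


if __name__ == "__main__":
    node = unix_socket_node(0o600)
    print("AF_UNIX node: socket=%s mode=%o uid=%d"
          % (node["is_socket"], node["mode"], node["uid"]))
    print("AF_INET name: %s:%d" % inet_socket_name())
```
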