[systemd-devel] Design patterns for privilege separating systemd services?

Pekka Paalanen ppaalanen at gmail.com
Fri Feb 19 07:57:33 UTC 2021


On Thu, 18 Feb 2021 17:01:10 -0500
"Colin Walters" <walters at verbum.org> wrote:

> The thing I mainly like about socketpair() is that I know it's *only*
> accessible via the fd - it's
> https://en.wikipedia.org/wiki/Capability-based_security - except
> Linux has kind of broken that by creating /proc/N/fd anyways.  So
> relying on unlinking the socket seems fine, it's easy code to write
> and verify.

Hi,

I don't think the /proc breaks this aspect of security, because looking
at a process that uses sockets, those symlinks are broken. For Weston:

$ ls -lh /proc/31229/fd
total 0
lrwx------ 1 pq pq 64 Feb 19 09:49 0 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 1 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 10 -> 'socket:[49705213]'
lrwx------ 1 pq pq 64 Feb 19 09:49 11 -> /dev/dri/card0
lrwx------ 1 pq pq 64 Feb 19 09:49 12 -> /dev/dri/card0
lrwx------ 1 pq pq 64 Feb 19 09:49 13 -> '/memfd:weston-shared (deleted)'
lrwx------ 1 pq pq 64 Feb 19 09:49 14 -> 'socket:[49705213]'
lrwx------ 1 pq pq 64 Feb 19 09:49 15 -> /run/user/1000/wayland-1.lock
lrwx------ 1 pq pq 64 Feb 19 09:49 16 -> 'socket:[49705227]'
lrwx------ 1 pq pq 64 Feb 19 09:49 17 -> 'socket:[49705227]'
lrwx------ 1 pq pq 64 Feb 19 09:49 18 -> 'socket:[49705229]'
lrwx------ 1 pq pq 64 Feb 19 09:49 19 -> 'socket:[49705229]'
lrwx------ 1 pq pq 64 Feb 19 09:49 2 -> /dev/pts/5
lrwx------ 1 pq pq 64 Feb 19 09:49 20 -> 'socket:[49703721]'
lrwx------ 1 pq pq 64 Feb 19 09:49 21 -> 'socket:[49703722]'
lrwx------ 1 pq pq 64 Feb 19 09:49 22 -> 'socket:[49703721]'
lrwx------ 1 pq pq 64 Feb 19 09:49 23 -> 'socket:[49703722]'
lrwx------ 1 pq pq 64 Feb 19 09:49 24 -> 'anon_inode:[signalfd]'
lrwx------ 1 pq pq 64 Feb 19 09:49 25 -> 'socket:[49703723]'
lrwx------ 1 pq pq 64 Feb 19 09:49 26 -> 'socket:[49703723]'
lr-x------ 1 pq pq 64 Feb 19 09:49 27 -> anon_inode:sync_file
lr-x------ 1 pq pq 64 Feb 19 09:49 28 -> anon_inode:sync_file
l-wx------ 1 pq pq 64 Feb 19 09:49 3 -> /home/pq/.fluxbox/fluxbox.log
lrwx------ 1 pq pq 64 Feb 19 09:49 4 -> 'anon_inode:[eventpoll]'
lrwx------ 1 pq pq 64 Feb 19 09:49 5 -> 'anon_inode:[signalfd]'
lrwx------ 1 pq pq 64 Feb 19 09:49 6 -> 'anon_inode:[signalfd]'

$ cat /proc/31229/fd/16
cat: /proc/31229/fd/16: No such device or address

Or is there some trick one can use to actually open the fds listed
instead of opening what the link points to (which may not exist in the
file system, hence fails)?


Thanks,
pq
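
Added example by the editor, not part of this e-mail and not code from Weston or systemd: a C program that reproduces the two behaviours visible in the listing above and then tries the one documented way to take the socket itself, pidfd_getfd(2). It assumes Linux with /proc mounted; pidfd_getfd(2) additionally needs Linux 5.6 or newer and ptrace-attach permission over the target process (the program targets its own pid, where that check always passes), so that probe reports -ENOSYS or -EPERM where it is unavailable or blocked by seccomp. All function names are the example's own.

```c
/* Added example (not from the e-mail, Weston or systemd): what a same-uid
 * process can and cannot do with the entries it sees in /proc/PID/fd.
 * Assumes Linux with /proc mounted; pidfd_getfd(2) needs Linux >= 5.6 and
 * ptrace-attach permission over the target, so that probe may return
 * -ENOSYS or -EPERM. All function names below are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434    /* same number on every architecture */
#endif
#ifndef SYS_pidfd_getfd
#define SYS_pidfd_getfd 438   /* same number on every architecture */
#endif

/* Follow the magic link /proc/<pid>/fd/<fd> with open(2). Returns the new
 * fd, or -errno. This re-opens the object behind the link, not a path. */
int reopen_via_proc(pid_t pid, int fd, int flags)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%ld/fd/%d", (long)pid, fd);
    int nfd = open(path, flags);
    return nfd >= 0 ? nfd : -errno;
}

/* Duplicate <fd> out of <pid> with pidfd_getfd(2). Returns the new fd, or
 * -errno (ENOSYS before Linux 5.6, EPERM when ptrace access is denied). */
int steal_via_pidfd(pid_t pid, int fd)
{
    int pidfd = (int)syscall(SYS_pidfd_open, (long)pid, 0L);
    if (pidfd < 0)
        return -errno;
    int nfd = (int)syscall(SYS_pidfd_getfd, (long)pidfd, (long)fd, 0L);
    int err = errno;
    close(pidfd);
    return nfd >= 0 ? nfd : -err;
}

/* An unlinked file ("memfd:... (deleted)" in the listing) is still reachable
 * through /proc: write on the memfd, re-open it via /proc, read it back.
 * Returns the number of bytes read back (6 for "hello" plus NUL), or -errno. */
int memfd_roundtrip(void)
{
    static const char msg[] = "hello";
    int mfd = memfd_create("example-shared", 0);
    if (mfd < 0)
        return -errno;
    if (write(mfd, msg, sizeof msg) != (ssize_t)sizeof msg) {
        close(mfd);
        return -EIO;
    }
    int rfd = reopen_via_proc(getpid(), mfd, O_RDONLY);  /* new description, offset 0 */
    close(mfd);
    if (rfd < 0)
        return rfd;
    char buf[sizeof msg];
    ssize_t n = read(rfd, buf, sizeof buf);
    close(rfd);
    if (n != (ssize_t)sizeof msg || memcmp(buf, msg, sizeof msg) != 0)
        return -EIO;
    return (int)n;
}

/* A socketpair end re-opened through /proc: socket inodes have no open
 * method, so this returns -ENXIO ("No such device or address"). */
int socket_via_proc(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    int r = reopen_via_proc(getpid(), sv[0], O_RDWR);
    if (r >= 0)
        close(r);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* The same socket taken with pidfd_getfd on our own pid. Returns 1 if the
 * copy carries traffic to the peer end, -EIO if a copy was obtained but
 * does not, otherwise -errno from the syscall. */
int socket_via_pidfd(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -errno;
    int r = steal_via_pidfd(getpid(), sv[0]);
    int result = r;
    if (r >= 0) {
        char out = 'x', in = 0;
        result = (send(r, &out, 1, 0) == 1 && recv(sv[1], &in, 1, 0) == 1 && in == 'x') ? 1 : -EIO;
        close(r);
    }
    close(sv[0]);
    close(sv[1]);
    return result;
}

int main(void)
{
    printf("memfd via /proc  : %d\n", memfd_roundtrip());
    printf("socket via /proc : %d (ENXIO is %d)\n", socket_via_proc(), ENXIO);
    printf("socket via pidfd : %d (ENOSYS %d, EPERM %d)\n", socket_via_pidfd(), ENOSYS, EPERM);
    return 0;
}
```

Build and run with `cc -o fdprobe fdprobe.c && ./fdprobe`. The memfd case shows why the "(deleted)" entries are not dead: /proc/PID/fd/N is a magic link that re-opens the underlying object, so an unlinked file is reachable by anyone who passes the PTRACE_MODE_READ check on that directory (in practice, the same uid). The socket case fails with ENXIO exactly as in the `cat` above, because a socket inode cannot be opened by path at all. pidfd_getfd(2) is the trick the closing question asks about: it copies the file descriptor itself, any type included, but it is gated by the PTRACE_MODE_ATTACH_REALCREDS check (same uids and a dumpable target, plus Yama's ptrace_scope where enabled), so a process that can use it against you could equally ptrace you; an fd-only design that wants to exclude same-uid peers therefore needs the usual ptrace hardening (PR_SET_DUMPABLE, Yama) rather than any property of the socket.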
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20210219/e47fc3ec/attachment-0001.sig>

