On Friday, August 4, 2023 8:42:18 AM EDT Chris Adams wrote:
> Once upon a time, Richard W.M. Jones <rjones@xxxxxxxxxx> said:
> > The DoS attack is described here:
> >
> > https://bugs.archlinux.org/task/62248
> >
> > ... and it sounds like a bug in systemd. Surely this same attack
> > applies to any socket-activated service so should be fixed in systemd?
> > I don't recall inetd having the same problem.
>
> (x)inetd would shut a port under heavy net-connection load for a short
> period, but systemd seems to shut it permanently under those conditions.
> For systemd to replace inetd-type socket activation, it needs to have a
> timeout on the disable.

Yes, as one of the authors of xinetd, I pointed this out long ago. But they
said they were not trying to replace xinetd and if people want a more
full-featured experience, use xinetd.

> This probably isn't a high priority though, because very few things
> support inetd-type modes anymore.

This would be a problem for MLS systems. The way the role/level/category is
negotiated between systems is with VPN keys which map to SELinux policy.
Once the key is negotiated, it connects via the socket API where the sshd
instance is started with the right SELinux labels. This is a small but
important use case.

I suppose the fallback would be to go back to using xinetd if this is not
fixed in systemd.

-Steve
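An added example, not part of the thread or of systemd or xinetd: a small POSIX shell watchdog that supplies the "timeout on the disable" Chris asks for, on the operator side, by re-arming a socket unit that systemd parked in the failed state after its trigger limit was hit. It relies on the real `systemctl show` properties ActiveState and Result (systemd reports Result=trigger-limit-hit in that case); the unit name, cool-down, poll interval and the `socket-rearm` log tag are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): give a systemd socket unit the
# temporary disable that xinetd had. When systemd stops a socket because
# its trigger limit was hit, the unit ends up in ActiveState=failed with
# Result=trigger-limit-hit and stays there until someone intervenes.
# This script waits a cool-down period and then re-arms the socket.
# Unit name, cool-down and poll interval are illustrative assumptions.

# needs_rearm: read `systemctl show -p ActiveState -p Result <unit>` output
# on stdin; succeed only when the socket was shut by the trigger limit.
needs_rearm() {
    state=""
    result=""
    while IFS='=' read -r key value; do
        case "$key" in
            ActiveState) state=$value ;;
            Result)      result=$value ;;
        esac
    done
    [ "$state" = "failed" ] && [ "$result" = "trigger-limit-hit" ]
}

# rearm_loop UNIT COOLDOWN POLL: poll the unit; after a trigger-limit
# shutdown, wait COOLDOWN seconds (the temporary disable), clear the
# failed state and start the socket again so it listens once more.
rearm_loop() {
    unit=$1
    cooldown=$2
    poll=$3
    while :; do
        if systemctl show -p ActiveState -p Result "$unit" | needs_rearm; then
            logger -t socket-rearm "$unit hit its trigger limit; re-arming in ${cooldown}s"
            sleep "$cooldown"
            systemctl reset-failed "$unit" && systemctl start "$unit"
        fi
        sleep "$poll"
    done
}

# Only enter the loop when explicitly asked, e.g.:
#   socket-rearm.sh --run sshd.socket 60 5
if [ "${1:-}" = "--run" ]; then
    rearm_loop "${2:-sshd.socket}" "${3:-60}" "${4:-5}"
fi
```

The limit itself is tuned in the .socket unit with TriggerLimitIntervalSec= and TriggerLimitBurst= (see systemd.socket(5)); raising those reduces how often the watchdog has to act.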