I am running some inetd firewall components that came from the legacy FWTK (http://fwtk.org) under systemd socket activation on Oracle Linux 7.4. The author of this code has found bugs in later life. http://www.ranum.com/security/computer_security/editorials/codetools/index.html When I was using OpenBSD, I had inetd spawn these as nobody. With systemd, I go further and specify a RootDirectory, and this causes what appears to be an interesting systemd bug. These are the units in question: # cat /etc/systemd/system/yum.socket [Unit] Description=yum proxy [Socket] ListenStream=5865 Accept=yes [Install] WantedBy=sockets.target # cat /etc/systemd/system/yum at .service [Unit] Description=yum proxy [Service] RootDirectory=/home/fwjail ExecStart=-/usr/local/etc/http-gw StandardInput=socket User=nobody Group=nobody Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and attempting to start the socket fails: # systemctl start yum.socket Job for yum.socket failed. See "systemctl status yum.socket" and "journalctl -xe" for details. However, if I place any file at the corresponding location *outside of the chroot* the service will start normally. # touch /usr/local/etc/http-gw # ll /usr/local/etc/http-gw -rw-r--r--. 1 root root 0 Mar 8 11:10 /usr/local/etc/http-gw # systemctl start yum.socket It seems to me that systemd is (pre)checking for the program before starting the socket, and the check is not relative to the chroot/RootDirectory parameter. Is this behavior correct? p.s. a) I'm not using the FWTK in a security capacity at all - this is for the isolation of a QA network containing a Unisys running OS2200/EXEC 8. I have hundreds of inetd rules that I've ported to busybox, launched by a systemd service. I am pumping a yum proxy back through here so I can get patches into the internal network. b) I have confirmed that systemd is launching the correct program, even though it is checking for the existence of the wrong one: # nc localhost 5865 GET / HTTP/1.0 200 OK Content-type: text/html <HEAD> <title>HTTP-GW Internal Documentation</title> </HEAD> <H1><IMG ALT="[ICON]" SRC="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif";> HTTP-GW Internal Documentation</H1> The HTTP-GW is part of the <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/";>Trusted Information Systems Inc.</A> firewall toolkit<br>and <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/Home/NetworkSecurity/Gauntlet/Gauntlet.html";>Gauntlet (TM) product</A>. <hr> <H2>No Server</H2> You have accessed the HTTP-GW and the proxy has not been able to find any server information in your request and there is no default server configured to hand the request off to. <p> You may be able to get your firewall administrator to configure the firewall to pass these requests off to a local HTTP server. <hr> <A HREF="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/version.html";>About HTTP-GW</A> -------------- next part -------------- An HTML attachment was scrubbed... URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20180308/ac6f1503/attachment.html>
inetd/chroot
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: inetd/chroot
- From: Charles.Fisher@xxxxxxxxxxx (Fisher, Charles J. (Top Echelon))
- Date: Thu, 8 Mar 2018 17:17:16 +0000
![http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif"](http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif"){kind=link}
- Follow-Ups:
- inetd/chroot
- From: Filipe Brandenburger
- inetd/chroot
- Prev by Date: Create a target unit to start & stop a group of services
- Next by Date: RFC: enable suspend to idle
- Previous by thread: About supporting relative values (e.g. 50%) in configuration
- Next by thread: inetd/chroot
- Index(es):
 |