Name

local-seqpacket-socket-listen — create a socket listening for incoming AF_LOCAL sequential packets and chain

Synopsis

local-seqpacket-socket-listen [--uid number] [--gid number] [--mode number] [--pass-credentials] [--pass-security] [--upstart-compatibility] [--systemd-compatibility] {path} {next-prog}

Description

local-seqpacket-socket-listen is a chain-loading utility that opens a local domain sequential packet socket bound to path, sets the socket to file descriptor 3+n (where n is the number of already-opened listening file descriptors), closing whatever that descriptor was, and then chain loads to next-prog with the execvp(3) function.

next-prog may contain its own command line options, which local-seqpacket-socket-listen will ignore.

After binding the socket to path, local-seqpacket-socket-listen changes the owner UID of the socket to that specified with the --uid command line argument (if supplied), changes the GID of the socket to that specified with the --gid command line argument (if supplied), and changes the permissions of the socket to those specified with the --mode command line argument (if supplied). The normal conventions for numbers apply, so for octal permissions use a leading zero. Symbolic permissions and account names are not supported.

The --pass-credentials option causes local-seqpacket-socket-listen to request the SO_PASSCRED socket option. The --pass-security option causes it to request the SO_PASSSEC socket option.

The --upstart-compatibility option causes local-seqpacket-socket-listen to set the UPSTART_FDS environment variable to 3, and the UPSTART_EVENTS environment variable to socket. This is for compatibility with daemons that expect to be run under upstart(1).

The --systemd-compatibility option is for compatibility with daemons that expect to be run under systemd(1). It causes local-seqpacket-socket-listen to set the LISTEN_FDS environment variable to the number of listening file descriptors, and the LISTEN_PID environment variable to its own process ID. If the command is started up with the LISTEN_FDS and the LISTEN_PID environment variables already appropriately set, the number of listening file descriptors is taken from them and increased by one, otherwise the number of file descriptors is 1. Thus a list of listening file descriptors can be built up with multiple commands, as long as they all use the --systemd-compatibility option.

For compatibility with daemons that expect to be run under inetd(1), inheriting the listening socket as their standard input, simply use fdmove 0 3 in next-prog. See fdmove(1).

Security

Because of an oversight in operating systems that prevents fchmod(2) and fchown(2) from working with bound local domain sockets, local-seqpacket-socket-listen calls chmod(2) and chown(2) on path. Because of an oversight in operating systems that prevents bind(2) from being able to re-use old local domain socket addresses, local-seqpacket-socket-listen attempts to delete, with unlink(2), any file named path before binding. An attacker who could change what file is denoted by path in between the call to bind(2) and the calls to chmod(2) and chown(2) could change the permissions and ownership of any file in the filesystem. An attacker who could change what file is denoted by path before the call to unlink(2) could unlink any file in the filesystem.

To avoid these security holes, ensure that none of the directories in the path to path (not just the final one) are writable by untrusted users or groups; and ensure that untrusted programs cannot supply path.
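
One way to audit a candidate path against that rule before putting it in a service definition. This is an added example, not part of the original manual or of the toolset; the function names are hypothetical, and by default it treats only root and the invoking user as trusted.

```python
import os
import stat


def ancestors(path):
    """Yield every directory from the one containing path up to the root."""
    d = os.path.dirname(path)
    while True:
        yield d
        parent = os.path.dirname(d)
        if parent == d:
            return
        d = parent


def unsafe_ancestors(path, trusted_uids=None, trusted_gids=()):
    """Return [(directory, reason)] for each directory on the way to path
    that a user or group outside the trusted sets could modify."""
    if trusted_uids is None:
        trusted_uids = {0, os.getuid()}  # assumption: root and the caller
    lexical = os.path.abspath(path)
    # Check the path as written and as resolved, so that the targets of
    # symbolic links among the directories are covered too.
    resolved = os.path.join(os.path.realpath(os.path.dirname(lexical)),
                            os.path.basename(lexical))
    findings, seen = [], set()
    for d in list(ancestors(lexical)) + list(ancestors(resolved)):
        if d in seen:
            continue
        seen.add(d)
        try:
            st = os.stat(d)
        except OSError as e:
            findings.append((d, "cannot stat: " + e.strerror))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((d, "owned by untrusted uid %d" % st.st_uid))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((d, "writable by untrusted gid %d" % st.st_gid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((d, "world-writable"))
    return findings


if __name__ == "__main__":
    import sys
    problems = unsafe_ancestors(sys.argv[1])
    for d, why in problems:
        print("%s: %s" % (d, why))
    sys.exit(1 if problems else 0)
```

A sticky world-writable directory such as /tmp is still reported, because the rule above excludes any directory that untrusted users can write to.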

Usage

local-seqpacket-socket-listen can be used as a simple daemon monitored by service-manager(1). local-seqpacket-socket-listen overlaps the functionality of inetd(1) and systemd(1) (in the systemd-recommended configuration of Accept=false sockets).

To change the process' UID and GID after opening the socket, simply chain through setuidgid(1).

Author

Jonathan de Boyne Pollard