balki/blog
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases Wiki Activity

Add new post unix-sockets-perms

Browse Source
This commit is contained in:
Balakrishnan Balasubramanian
2024-04-19 17:40:49 -04:00
parent 83e8868495
commit 6205d19bbb
2 changed files with 75 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
content/posts/unix-socket-perms.md Normal file
View File

@@ -0,0 +1,74 @@
---
title: "Securing communication between webserver and app"
date: 2024-04-19T17:31:06-04:00
tags:
- unix-sockets
- tmpfiles.d
- webserver
categories:
- sysadmin
---
Webapps usually listen on a random tcp port and a web server forwards the
requests to it. Webserver handles tls, static asset serving and sometimes
authentication, bruteforce check etc., However any local user in the system can
directly connect to the app's listen port bypassing the web server and thus
loose the protections offered by the webserver.
### Unix sockets
Unix sockets are special files in filesystem that processes can use to
communicate instead of tcp ports. Since they are files, filesytem ownership and
permissions can be used to restrict which system-users can listen or connect to
them
### Caddy ↔ Gitea
I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For
caddy to connect to gitea and also disallow anyother user to connect, we want a
socket like below
```bash
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
```
Unfortunately neither `user caddy` nor `user gitea`, can create such socket.
Regular users can only create files owned by themselves. Only root can
create/change ownership of files and folders.
### `tmpfiles.d` to rescue
[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create
files and directories as any user.
```bash
cat /etc/tmpfiles.d/caddy-run-unix.conf
d /run/gitea-caddy 0750 gitea caddy -
```
Above config creates below directory every time on startup.
```bash
sudo ls -ld /run/gitea-caddy/
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
```
With those permissions and ownership, only `user gitea` can create the socket
in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory.
```bash
sudo ls -l /run/gitea-caddy/web.sock
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
```
The socket file permission can be more liberal as no other user can read into
the `/run/gitea-caddy` directory
### Bonus!
If your app does not connect to any external services, it can even be run in a
[private network][4].
[1]: https://caddyserver.com
[2]: https://gitea.com
[3]: https://man.archlinux.org/man/tmpfiles.d.5
[4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=

2
public

Submodule public updated: a67beefc68...315118b85c