Compare commits
2 Commits
ffd7b06cc0
...
6205d19bbb
| Author | SHA1 | Date | |
|---|---|---|---|
| 6205d19bbb | |||
| 83e8868495 |
74
content/posts/unix-socket-perms.md
Normal file
74
content/posts/unix-socket-perms.md
Normal file
@ -0,0 +1,74 @@
|
||||
---
|
||||
title: "Securing communication between webserver and app"
|
||||
date: 2024-04-19T17:31:06-04:00
|
||||
tags:
|
||||
- unix-sockets
|
||||
- tmpfiles.d
|
||||
- webserver
|
||||
categories:
|
||||
- sysadmin
|
||||
---
|
||||
|
||||
Webapps usually listen on a random tcp port and a web server forwards the
|
||||
requests to it. Webserver handles tls, static asset serving and sometimes
|
||||
authentication, bruteforce check etc., However any local user in the system can
|
||||
directly connect to the app's listen port bypassing the web server and thus
|
||||
loose the protections offered by the webserver.
|
||||
|
||||
### Unix sockets
|
||||
|
||||
Unix sockets are special files in filesystem that processes can use to
|
||||
communicate instead of tcp ports. Since they are files, filesytem ownership and
|
||||
permissions can be used to restrict which system-users can listen or connect to
|
||||
them
|
||||
|
||||
### Caddy ↔ Gitea
|
||||
|
||||
I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For
|
||||
caddy to connect to gitea and also disallow anyother user to connect, we want a
|
||||
socket like below
|
||||
|
||||
```bash
|
||||
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
|
||||
```
|
||||
|
||||
Unfortunately neither `user caddy` nor `user gitea`, can create such socket.
|
||||
Regular users can only create files owned by themselves. Only root can
|
||||
create/change ownership of files and folders.
|
||||
|
||||
### `tmpfiles.d` to rescue
|
||||
|
||||
[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create
|
||||
files and directories as any user.
|
||||
|
||||
```bash
|
||||
❯ cat /etc/tmpfiles.d/caddy-run-unix.conf
|
||||
d /run/gitea-caddy 0750 gitea caddy -
|
||||
```
|
||||
Above config creates below directory every time on startup.
|
||||
|
||||
```bash
|
||||
❯ sudo ls -ld /run/gitea-caddy/
|
||||
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
|
||||
```
|
||||
|
||||
With those permissions and ownership, only `user gitea` can create the socket
|
||||
in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory.
|
||||
|
||||
```bash
|
||||
❯ sudo ls -l /run/gitea-caddy/web.sock
|
||||
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
|
||||
```
|
||||
|
||||
The socket file permission can be more liberal as no other user can read into
|
||||
the `/run/gitea-caddy` directory
|
||||
|
||||
### Bonus!
|
||||
|
||||
If your app does not connect to any external services, it can even be run in a
|
||||
[private network][4].
|
||||
|
||||
[1]: https://caddyserver.com
|
||||
[2]: https://gitea.com
|
||||
[3]: https://man.archlinux.org/man/tmpfiles.d.5
|
||||
[4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=
|
||||
2
public
2
public
@ -1 +1 @@
|
||||
Subproject commit 2810706e99a7997cc2f9c1366d2c97b519187940
|
||||
Subproject commit 315118b85c7de204251c9038192ab1f4917ffc96
|
||||
Loading…
Reference in New Issue
Block a user