Posted to dev@tomcat.apache.org by GitBox <gi...@apache.org> on 2021/01/13 14:50:05 UTC

[GitHub] [tomcat] minfrin commented on pull request #382: Add support for unix domain sockets.

minfrin commented on pull request #382:
URL: https://github.com/apache/tomcat/pull/382#issuecomment-759497608


   > * The permission attribute, is it really useful ?
   
   In the absence of a permission attribute (and without the "everyone" default), the socket is equivalent to a TCP port that has been firewalled off, and thus pointless.
   
   Ignoring special cases like a personal development environment, or a system with no user separation, daemons (like tomcat) are secured with a user tomcat, group tomcat, and a typical umask of 0750 (or some variation). This means that a) the tomcat user can write, b) the tomcat group can read (typically allowing read access to log files), and c) everyone else gets nothing.
   
   In order for any unix domain socket to be of use to anyone, it must be possible to write to it. If you can't write to it, you cannot submit a request. A unix domain socket that only the tomcat user can write to is pointless, as you're giving the client control over the tomcat process. A read-only unix domain socket for a request/response protocol like HTTP has no practical effect - having written nothing you will read nothing.
   
   For this reason, every daemon out there that I have seen has a mechanism to make the socket writable to a group, and defaulting to being accessible to everyone:
   
   https://github.com/Cisco-Talos/clamav-devel/blob/31824a659dff37ae03e3419395bb68e659c2b165/etc/clamd.conf.sample#L104
   
   https://github.com/trusteddomainproject/OpenDMARC/blob/b0d6408d0859adb336428e3d0bd87749513a9e79/opendmarc/opendmarc.conf.sample#L357
   
   https://github.com/rspamd/rspamd/blob/9c2d72c6eba3fc05fd7459e388ea7c92eb87095f/conf/options.inc#L48
   
   In the absence of an explicit control over permissions, making the permissions world writable by default allows the admin to secure the socket by restricting permissions on the parent directory, such as the following example:
   
   ```
   [root@localhost clamav-milter]# ls -al
   total 0
   drwx--x---.  2 clamilt clamilt   60 Jan 11 13:03 .
   drwxr-xr-x. 39 root    root    1080 Jan 11 13:06 ..
   srw-rw-rw-.  1 clamilt clamilt    0 Jan 11 13:03 clamav-milter.socket
   ```
   
   In the above, the socket itself is world writable, but the parent directory is protected, and therefore the socket is protected.
   
   > * The socket is not deleted on shutdown (although the channel is closed)
   
   If the socket is not deleted on shutdown, the server cannot subsequently be started up. Deleting the socket on shutdown is the most common behaviour. Deleting the socket at startup is not done, as it would mean that multiple daemons could be started without error.
   
   I think I saw a commit go past fixing this, need to verify.
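The two points made in the comment above (a world-writable socket protected by a non-traversable parent directory, and the need to unlink the socket path on shutdown so the next start can bind) can be checked with a small script. This is an added example, not code from the pull request or from Tomcat; it assumes Linux AF_UNIX semantics and a temporary directory of its own, and the directory mode 0o710 and socket mode 0o666 are the illustrative choices from the thread, not Tomcat settings.

```python
import errno
import os
import shutil
import socket
import stat
import tempfile


def create_unix_listener(sock_path, socket_mode=0o666, dir_mode=0o710):
    """Bind a listening AF_UNIX socket at sock_path.

    The parent directory is created if missing and chmod'ed explicitly to
    dir_mode (mkdir alone is subject to the umask). Reaching the socket needs
    search (x) permission on every directory above it, so 0o710 lets the
    owner and group connect and shuts everyone else out, even though the
    socket file itself is left world writable (0o666).
    """
    parent = os.path.dirname(sock_path)
    os.makedirs(parent, exist_ok=True)
    os.chmod(parent, dir_mode)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    # bind() creates the filesystem entry; it fails with EADDRINUSE when a
    # stale entry from a previous run is still there.
    srv.bind(sock_path)
    os.chmod(sock_path, socket_mode)  # the bits set by bind() also honour the umask
    srv.listen(1)
    return srv


def shutdown_unix_listener(srv, sock_path):
    """Close the socket and remove its path; closing alone leaves the file behind."""
    srv.close()
    try:
        os.unlink(sock_path)
    except FileNotFoundError:
        pass


def mode_bits(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(path):
    return bool(mode_bits(path) & stat.S_IWOTH)


def others_can_traverse(dir_path):
    return bool(mode_bits(dir_path) & stat.S_IXOTH)


def run_demo():
    """Exercise both behaviours in a constructed temp directory and report."""
    base = tempfile.mkdtemp(prefix="uds-demo-")  # constructed sandbox, removed at the end
    sock_dir = os.path.join(base, "tomcat")
    sock_path = os.path.join(sock_dir, "tomcat.socket")
    result = {}
    try:
        srv = create_unix_listener(sock_path)
        result["socket_world_writable"] = is_world_writable(sock_path)
        result["dir_traversable_by_others"] = others_can_traverse(sock_dir)

        # Simulate a daemon that exited without unlinking: close but keep the path.
        srv.close()
        try:
            create_unix_listener(sock_path)
            result["stale_bind_addr_in_use"] = False
        except OSError as e:
            result["stale_bind_addr_in_use"] = e.errno == errno.EADDRINUSE

        # A proper shutdown removes the path, after which a restart binds cleanly.
        shutdown_unix_listener(srv, sock_path)
        srv2 = create_unix_listener(sock_path)
        result["restart_ok"] = os.path.exists(sock_path)
        shutdown_unix_listener(srv2, sock_path)
        result["path_removed_on_shutdown"] = not os.path.exists(sock_path)
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The directory check is the one that matters operationally: `ls -l` on the socket alone will show `srw-rw-rw-` and look alarming, while the `d rwx--x---` parent is what actually limits who can connect. Group-based access (chown of the directory to a dedicated group) needs privileges and is left out here.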
   

