Discussion:
inetd/chroot
(too old to reply)
Fisher, Charles J. (Top Echelon)
2018-03-08 17:17:16 UTC
Permalink
Raw Message
I am running some inetd firewall components that came from the legacy FWTK (http://fwtk.org) under systemd socket activation on Oracle Linux 7.4.

The author of this code has found bugs in later life.

http://www.ranum.com/security/computer_security/editorials/codetools/index.html

When I was using OpenBSD, I had inetd spawn these as nobody. With systemd, I go further and specify a RootDirectory, and this causes what appears to be an interesting systemd bug.

These are the units in question:


# cat /etc/systemd/system/yum.socket
[Unit]
Description=yum proxy

[Socket]
ListenStream=5865
Accept=yes

[Install]
WantedBy=sockets.target


# cat /etc/systemd/system/***@.service
[Unit]
Description=yum proxy

[Service]
RootDirectory=/home/fwjail
ExecStart=-/usr/local/etc/http-gw
StandardInput=socket
User=nobody
Group=nobody


Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and attempting to start the socket fails:

# systemctl start yum.socket
Job for yum.socket failed. See "systemctl status yum.socket" and "journalctl -xe" for details.

However, if I place any file at the corresponding location *outside of the chroot* the service will start normally.

# touch /usr/local/etc/http-gw
# ll /usr/local/etc/http-gw
-rw-r--r--. 1 root root 0 Mar 8 11:10 /usr/local/etc/http-gw
# systemctl start yum.socket

It seems to me that systemd is (pre)checking for the program before starting the socket, and the check is not relative to the chroot/RootDirectory parameter. Is this behavior correct?

p.s. a) I'm not using the FWTK in a security capacity at all - this is for the isolation of a QA network containing a Unisys running OS2200/EXEC 8. I have hundreds of inetd rules that I've ported to busybox, launched by a systemd service. I am pumping a yum proxy back through here so I can get patches into the internal network.

b) I have confirmed that systemd is launching the correct program, even though it is checking for the existence of the wrong one:



# nc localhost 5865
GET /
HTTP/1.0 200 OK
Content-type: text/html

<HEAD>
<title>HTTP-GW Internal Documentation</title>
</HEAD>
<H1><IMG ALT="[ICON]" SRC="Loading Image..."> HTTP-GW Internal Documentation</H1>
The HTTP-GW is part of the <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/">Trusted Information Systems Inc.</A>
firewall toolkit<br>and <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/Home/NetworkSecurity/Gauntlet/Gauntlet.html">Gauntlet (TM) product</A>.
<hr>
<H2>No Server</H2>
You have accessed the HTTP-GW and the proxy has not been able to find any
server information in your request and there is no default server configured
to hand the request off to.
<p>
You may be able to get your firewall administrator to configure the firewall
to pass these requests off to a local HTTP server.
<hr>
<A HREF="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/version.html">About HTTP-GW</A>
Filipe Brandenburger
2018-03-09 06:25:21 UTC
Permalink
Raw Message
Hi,

On Thu, Mar 8, 2018 at 9:17 AM, Fisher, Charles J. (Top Echelon)
Post by Fisher, Charles J. (Top Echelon)
# cat /etc/systemd/system/yum.socket
[Unit]
Description=yum proxy
[Socket]
ListenStream=5865
Accept=yes
[Install]
WantedBy=sockets.target
[Unit]
Description=yum proxy
[Service]
RootDirectory=/home/fwjail
ExecStart=-/usr/local/etc/http-gw
StandardInput=socket
User=nobody
Group=nobody
Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and
# systemctl start yum.socket
Job for yum.socket failed. See "systemctl status yum.socket" and
"journalctl -xe" for details.
However, if I place any file at the corresponding location *outside of the
chroot* the service will start normally.
Yes, I could reproduce this.

It happens while systemd tries to find the SELinux label of the binary.

I pushed a PR with a fix here:
https://github.com/systemd/systemd/pull/8405

Once it's merged, you might want to ask the maintainers of your distro
to backport it...

Cheers!
Filipe
Fisher, Charles J. (Top Echelon)
2018-03-09 16:04:15 UTC
Permalink
Raw Message
Post by Filipe Brandenburger
Hi,
Yes, I could reproduce this.
It happens while systemd tries to find the SELinux label of the binary.
https://github.com/systemd/systemd/pull/8405
Once it's merged, you might want to ask the maintainers of your distro
to backport it...
Cheers!
Filipe
Thank you most kindly for the fix! I am glad to have reported it.
Loading...