One website I maintain is composed of multiple local applications, all proxied by the same nginx instance. Each application is running under its own user and exposing a unix socket writable by the web server group www-data.

All application users are part of the www-data group, so they can chown their sockets. How can I improve my setup, so that a vulnerability in one application can no longer be used to attempt further privilege escalation through direct connections to the other sockets?

My previous solution: Create a new group for every user and add the web server to all those. This solution is less preferable, as it complicates adding/removing applications & requires a hard restart of the web server to update groups.

1 Answer

Similar to how services can inherit privileged ports from systemd, they can receive access to local sockets they would otherwise have no permission to open. Systemd creates the unix socket and passes only the file descriptor to the service - this way, the service does not need access permissions on the socket file.

Set up the socket using /etc/systemd/system/example.socket like this: (read man systemd.socket)

[Unit]
PartOf=example.service
[Socket]
SocketUser=www-data
SocketMode=0600
ListenStream=%t/example.sock

And use that socket in /etc/systemd/system/example.service like this: (read man systemd.unit)

[Unit]
Requires=example.socket
After=example.socket
[Service]
User=example
WorkingDirectory=~
ExecStart=/usr/bin/uwsgi --uwsgi-socket=fd://3 --opt2 --opt3 ..

Note that many programs, including uwsgi, do understand LISTEN_FDS in their environment, so hard-coding file descriptor 3 is often unnecessary.

Apply and start the unit using:

systemctl daemon-reload
systemctl start example.service

If a service account then attempts to open the socket of another service, it will not succeed - the sockets are owned and exclusively readable by www-data (i.e. only the web server running under that user can access them).

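As an added example (not part of the answer above or of uwsgi), this is what a service started by the example.socket / example.service pair does to pick up the passed socket: it honours LISTEN_PID and LISTEN_FDS the way sd_listen_fds(3) does instead of hard-coding fd 3, and refuses to run if it was not socket-activated. The script path in ExecStart is assumed; the unit names and the %t/example.sock path are those from the answer.

```python
# Added example (not from the original post): a socket-activated service that
# takes its AF_UNIX listener from systemd instead of opening %t/example.sock
# itself. Assumes ExecStart in example.service points at this script.
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd numbers inherited sockets from fd 3 upward


def listen_fds(environ=None, pid=None):
    """Descriptors passed by socket activation, as sd_listen_fds(3) reports.

    LISTEN_PID must equal our own pid: otherwise the variables were inherited
    from a parent and must be ignored. LISTEN_FDS counts descriptors from 3.
    """
    environ = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + max(count, 0)))


def activated_listener(environ=None, pid=None):
    """First inherited descriptor as a socket object, or None if not activated."""
    fds = listen_fds(environ, pid)
    if not fds:
        return None
    # family and type are read back from the descriptor itself (Python 3.7+)
    return socket.socket(fileno=fds[0])


def serve(listener):
    # The socket file is owned by www-data with mode 0600, so only nginx can
    # connect; this process never needed permission on the path itself.
    while True:
        conn, _ = listener.accept()
        with conn:
            conn.sendall(b"served by pid %d\n" % os.getpid())


if __name__ == "__main__":
    sock = activated_listener()
    if sock is None:
        raise SystemExit("not socket-activated; start it via example.socket")
    serve(sock)
```

Run as User=example it never touches the socket path, which is why the path can stay 0600 and owned by www-data; the LISTEN_PID check is what keeps a child process from mistaking a parent's inherited descriptors for its own.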