I am running some inetd firewall components that came from the legacy FWTK (http://fwtk.org) under systemd socket activation on Oracle Linux 7.4.
The author of this code has found bugs in later life. http://www.ranum.com/security/computer_security/editorials/codetools/index.html When I was using OpenBSD, I had inetd spawn these as nobody. With systemd, I go further and specify a RootDirectory, and this causes what appears to be an interesting systemd bug. These are the units in question: # cat /etc/systemd/system/yum.socket [Unit] Description=yum proxy [Socket] ListenStream=5865 Accept=yes [Install] WantedBy=sockets.target # cat /etc/systemd/system/[email protected] [Unit] Description=yum proxy [Service] RootDirectory=/home/fwjail ExecStart=-/usr/local/etc/http-gw StandardInput=socket User=nobody Group=nobody Placing the toolkit component in /home/fwjail/usr/local/etc/http-gw, and attempting to start the socket fails: # systemctl start yum.socket Job for yum.socket failed. See "systemctl status yum.socket" and "journalctl -xe" for details. However, if I place any file at the corresponding location *outside of the chroot* the service will start normally. # touch /usr/local/etc/http-gw # ll /usr/local/etc/http-gw -rw-r--r--. 1 root root 0 Mar 8 11:10 /usr/local/etc/http-gw # systemctl start yum.socket It seems to me that systemd is (pre)checking for the program before starting the socket, and the check is not relative to the chroot/RootDirectory parameter. Is this behavior correct? p.s. a) I'm not using the FWTK in a security capacity at all - this is for the isolation of a QA network containing a Unisys running OS2200/EXEC 8. I have hundreds of inetd rules that I've ported to busybox, launched by a systemd service. I am pumping a yum proxy back through here so I can get patches into the internal network. b) I have confirmed that systemd is launching the correct program, even though it is checking for the existence of the wrong one: # nc localhost 5865 GET / HTTP/1.0 200 OK Content-type: text/html <HEAD> <title>HTTP-GW Internal Documentation</title> </HEAD> <H1><IMG ALT="[ICON]" SRC="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif";> HTTP-GW Internal Documentation</H1> The HTTP-GW is part of the <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/";>Trusted Information Systems Inc.</A> firewall toolkit<br>and <A HREF="http://dpwints.dpw.alcoa.com:5865/http://www.tis.com/Home/NetworkSecurity/Gauntlet/Gauntlet.html";>Gauntlet (TM) product</A>. <hr> <H2>No Server</H2> You have accessed the HTTP-GW and the proxy has not been able to find any server information in your request and there is no default server configured to hand the request off to. <p> You may be able to get your firewall administrator to configure the firewall to pass these requests off to a local HTTP server. <hr> <A HREF="http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/version.html";>About HTTP-GW</A>
_______________________________________________ systemd-devel mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/systemd-devel
![http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif"](http://dpwints.dpw.alcoa.com:5865/http://-internal-/-http-gw-internal-/logo.gif"){kind=link}