
Re: socket-based activation has unmaintainable security?
On Thursday 07 February 2013 10.39.59 Philipp Kern wrote:
> On Thu, Feb 07, 2013 at 10:28:28AM +1100, Russell Coker wrote:
> > Such capabilities allow the process to bind to all low ports, which
> > usually isn't what you desire.  If you want to permit a daemon to bind
> > to exactly one reserved port and no others then it seems that the
> > options are systemd (if the daemon supports socket based activation) and
> > SE Linux.
> 
> (x)inetd, no?

Yes, but the xinetd process keeps the socket open; on each new connection it 
forks and gives the service the fd of the new connection, retaining the fd for 
the listener part itself.

Which means that on every connection it has to fork (and that's extremely 
slow).

-- 
Salvo Tomaselli

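The handoff the thread is contrasting, as an added example that is not code from this thread or from systemd/xinetd: an "activator" binds the listening socket while it holds the privilege, then passes the listening fd (not a per-connection fd, as (x)inetd does) to an unprivileged child using the same convention systemd uses, fd 3 onward plus the LISTEN_PID and LISTEN_FDS environment variables that sd_listen_fds(3) checks. The child never calls bind(), so it needs no CAP_NET_BIND_SERVICE even if the port is reserved. The example binds 127.0.0.1 on an ephemeral port so it runs unprivileged; the port, the echo protocol and the function names are assumptions for the demo.

```python
import os
import socket

SD_LISTEN_FDS_START = 3  # first inherited fd, after stdin/stdout/stderr


def listen_fds(environ, pid):
    """Parse the LISTEN_PID/LISTEN_FDS handoff the way sd_listen_fds(3) does.

    Returns the inherited listening fds (3, 4, ...) or [] if this process is
    not the intended recipient.  LISTEN_PID must equal our own pid so that an
    environment inherited by an unrelated grandchild is ignored rather than
    acted on.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", ""))
    except ValueError:
        return []
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def serve_one(environ):
    """The unprivileged daemon (assumed echo protocol): accept one connection
    on the inherited listener and echo one message back upper-cased.  It
    never binds a port itself, which is the whole point of the handoff."""
    fds = listen_fds(environ, os.getpid())
    if len(fds) != 1:
        raise RuntimeError("expected exactly one inherited socket, got %r" % fds)
    listener = socket.socket(fileno=fds[0])  # family/type detected from the fd
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(1024)
        conn.sendall(data.upper())
    listener.close()


def run_handoff_demo(port=0):
    """The activator (systemd's role): bind while privileged, then hand the
    *listening* fd to a child as fd 3 and announce it via LISTEN_*.

    Port 0 (ephemeral) on 127.0.0.1 is an assumption so the demo runs as a
    normal user; a real activator would bind the reserved port here.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)
    addr = listener.getsockname()

    pid = os.fork()
    if pid == 0:
        # Child: move the listener to fd 3 and set the variables sd_listen_fds
        # expects.  A real activator would exec the daemon at this point; the
        # fd survives exec because dup2() leaves it inheritable.
        os.dup2(listener.fileno(), SD_LISTEN_FDS_START)
        env = dict(os.environ, LISTEN_PID=str(os.getpid()), LISTEN_FDS="1")
        try:
            serve_one(env)
        finally:
            os._exit(0)

    # Parent: the child owns the listener now; drop our copy and act as client.
    listener.close()
    with socket.create_connection(addr) as client:
        client.sendall(b"hello from the client\n")
        reply = client.recv(1024)
    os.waitpid(pid, 0)
    return reply


if __name__ == "__main__":
    print(run_handoff_demo())
```

The difference from (x)inetd is in what crosses the process boundary: here the child gets the listening socket once and accepts connections itself for its lifetime, so there is no fork per connection; inetd keeps the listener and forks a fresh child per accepted connection, passing only that connection's fd.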