[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: socket-based activation has unmaintainable security?

On Thursday 07 February 2013 10.39.59 Philipp Kern wrote:
> On Thu, Feb 07, 2013 at 10:28:28AM +1100, Russell Coker wrote:
> > Such capabilities allow the process to bind to all low ports, which
> > usually isn't what you desire.  If you want to permit a daemon to bind
> > to exactly one reserved port and no others then it seems that the
> > options are systemd (if the daemon supports socket based activation) and
> > SE Linux.
> (x)inetd, no?
Yes but the xinetd process keeps the socket open, then on new connection forks 
and gives the service the fd of the new connection, retaining the fd for the 
listener part.

Which means that on every connection it has to fork (and that's extremely 

Salvo Tomaselli

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: