One website I maintain is composed of multiple local applications, all proxied by the same nginx instance. Each application is running under its own user and exposing a unix socket writable by the web server group www-data.
All application users are part of the www-data group, so they can chown their sockets. How can I improve my setup, so that a vulnerability in one application can no longer be used to attempt further privilege escalation through direct connections to the other sockets?
My previous solution: Create a new group for every user and add the web server to all those. This solution is less preferable, as it complicates adding/removing applications & requires a hard restart of the web server to update groups.
Similar to how services can inherit privileged ports from systemd, they can receive access to local sockets they would otherwise have no permission to open. Systemd creates the unix socket and passes only the file descriptor to the service - this way, the service does not need access permissions on the socket file.
Set up the socket using /etc/systemd/system/example.socket like this (read man systemd.socket):

And use that socket in /etc/systemd/system/example.service like this (read man systemd.unit):

Note that many programs, including uwsgi, do understand LISTEN_FDS in their environment, so hard-coding file descriptor 3 is often unnecessary.
Apply and start the unit using:
If a service account then attempts to open the socket of another service, it will not succeed - the sockets are owned and exclusively readable by www-data (i.e. only the web server running under that user can access them).
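The socket/service unit pair the answer describes, written out as an added example (it is not the answer's own configuration); the application name, its user and the ExecStart command are assumptions:

```shell
# Added example: systemd owns the unix socket, makes it readable only by
# www-data and hands the application a file descriptor, so the app user
# needs no permission on the socket file and no www-data membership.
set -eu

UNIT_DIR="${UNIT_DIR:-/etc/systemd/system}"   # override for a dry run

# Print the .socket unit for application NAME (socket mode 0600, www-data).
socket_unit() {
    name="$1"
    cat <<EOF
[Unit]
Description=Unix socket for ${name}, passed to the service as fd 3

[Socket]
ListenStream=/run/${name}/${name}.sock
SocketUser=www-data
SocketGroup=www-data
SocketMode=0600
EOF
}

# Print the .service unit: runs as its own USER and receives the listening
# socket via LISTEN_FDS/LISTEN_PID (fd 3 for programs that ignore those).
service_unit() {
    name="$1"; user="$2"; cmd="$3"
    cat <<EOF
[Unit]
Description=${name} application
Requires=${name}.socket
After=${name}.socket

[Service]
User=${user}
Group=${user}
ExecStart=${cmd}
NoNewPrivileges=true
PrivateTmp=true
EOF
}

# Write both units and activate the socket (needs root on a real host),
# e.g. install_units example app1 /opt/example/bin/server (assumed paths).
install_units() {
    name="$1"; user="$2"; cmd="$3"
    socket_unit "$name" > "${UNIT_DIR}/${name}.socket"
    service_unit "$name" "$user" "$cmd" > "${UNIT_DIR}/${name}.service"
    systemctl daemon-reload
    systemctl enable --now "${name}.socket"
}
```

Set UNIT_DIR to a scratch directory to inspect the generated units before installing them for real.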